Re: Subgit SELinux issue

On Wed, 2015-09-23 at 09:13 +0200, Miroslav Grepl wrote:
> On 09/22/2015 08:37 PM, Matthew Saltzman wrote:
> > On Tue, 2015-09-22 at 19:21 +0100, Trevor Hemsley wrote:
> > > On 22/09/15 18:50, Matthew Saltzman wrote:
> > > >     for pid file '/var/www/svn/FlopC++/subgit/daemon.pid
> > > 
> > > Probably not the best location for a pid file. I'd suspect that
> > > write
> > > access to anything under /var/www is disallowed. Can you not move
> > > it
> > > to
> > > /var/run?
> > 
> > *I* can't. It's hard-coded in a compiled executable. I could make
> > that
> > recommendation to the Subgit folks. I suspect they may do that
> > because
> > they know for sure where the directory they are executing from is,
> > but
> > they may not feel they have a guarantee that /var/run is available
> > in
> > every *nix distribution.
> 
> We can label /var/www/svn/FlopC++/subgit for example if it is owned
> by a
> package.
> 
> The main goal is we need to get AVCs. Try to re-test it and run
> 
> #ausearch -m avc,user_avc -ts recent
> 
> > 
> > On the other hand, the Subversion repositories themselves are in
> > /var/www/svn and interacting with them works fine (including
> > writes),
> > modulo this issue.
> 
> 
> > 
> > > 
> > > Trevor
> 
> 

OK, here's a list of AVCs. I tried to cull the ones that seemed
obviously not related (because they referred to an unrelated file or
command) but there may be some extraneous ones left. These are from two
commits. Interestingly, even though SELinux is in permissive mode, the
commits failed with the same timeout message.

Also, how do I turn the don't-audit rules back on?

# ausearch -m avc,user_avc -ts recent
----
time->Mon Sep 28 11:20:25 2015
type=SYSCALL msg=audit(1443453625.601:66129): arch=c000003e syscall=42
success=no exit=-115 a0=31 a1=7ffe641dece0 a2=10 a3=bf items=0
ppid=1622 pid=9033 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
comm="/usr/sbin/httpd" exe="/usr/sbin/httpd"
subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1443453625.601:66129): avc:  denied  { name_connect
} for  pid=9033 comm="/usr/sbin/httpd" dest=9999
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket
----
time->Mon Sep 28 11:22:55 2015
type=SYSCALL msg=audit(1443453775.469:66135): arch=c000003e syscall=59
success=yes exit=0 a0=7fe700a14de8 a1=7fe700a14e30 a2=7ffe641e0bd0
a3=7ffe641e0930 items=0 ppid=9185 pid=9631 auid=4294967295 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
ses=4294967295 comm="pre-commit" exe="/usr/bin/bash"
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1443453775.469:66135): avc:  denied  { noatsecure }
for  pid=9631 comm="pre-commit" scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1443453775.469:66135): avc:  denied  { siginh } for 
 pid=9631 comm="pre-commit" scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1443453775.469:66135): avc:  denied  { rlimitinh }
for  pid=9631 comm="pre-commit" scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
----
time->Mon Sep 28 11:22:57 2015
type=SYSCALL msg=audit(1443453777.094:66136): arch=c000003e syscall=9
success=yes exit=140281970163712 a0=7f95f1000000 a1=270000 a2=7 a3=32
items=0 ppid=1 pid=9661 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java"
exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre
-abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1443453777.094:66136): avc:  denied  { execmem } for
  pid=9661 comm="java" scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
----
time->Mon Sep 28 11:23:15 2015
type=SYSCALL msg=audit(1443453795.817:66138): arch=c000003e syscall=2
success=yes exit=13 a0=7f95ce143344 a1=0 a2=1b6 a3=0 items=0 ppid=1
pid=9661 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48
sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java"
exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre
-abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1443453795.817:66138): avc:  denied  { open } for 
 pid=9661 comm="java" path="/proc/9658/net/if_inet6" dev="proc"
ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1443453795.817:66138): avc:  denied  { read } for 
 pid=9661 comm="java" name="if_inet6" dev="proc" ino=4026532220
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Mon Sep 28 11:23:15 2015
type=SYSCALL msg=audit(1443453795.817:66139): arch=c000003e syscall=5
success=yes exit=0 a0=d a1=7f95fd98bc50 a2=7f95fd98bc50 a3=0 items=0
ppid=1 pid=9661 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java"
exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre
-abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1443453795.817:66139): avc:  denied  { getattr } for
  pid=9661 comm="java" path="/proc/9658/net/if_inet6" dev="proc"
ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Mon Sep 28 11:23:19 2015
type=SYSCALL msg=audit(1443453799.038:66141): arch=c000003e syscall=50
success=yes exit=0 a0=f a1=32 a2=7ffffffe a3=7f95fd98e230 items=0
ppid=1 pid=9661 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java"
exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre
-abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1443453799.038:66141): avc:  denied  { listen } for 
 pid=9661 comm="java" laddr=::ffff:127.0.0.1 lport=43865
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
----
time->Mon Sep 28 11:25:17 2015
type=SYSCALL msg=audit(1443453917.466:66160): arch=c000003e syscall=2
success=yes exit=13 a0=7fbff9c58344 a1=0 a2=1b6 a3=0 items=0 ppid=1
pid=10084 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java"
exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre
-abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1443453917.466:66160): avc:  denied  { open } for 
 pid=10084 comm="java" path="/proc/10083/net/if_inet6" dev="proc"
ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1443453917.466:66160): avc:  denied  { read } for 
 pid=10084 comm="java" name="if_inet6" dev="proc" ino=4026532220
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Mon Sep 28 11:25:17 2015
type=SYSCALL msg=audit(1443453917.466:66161): arch=c000003e syscall=5
success=yes exit=0 a0=d a1=7fc025453c50 a2=7fc025453c50 a3=0 items=0
ppid=1 pid=10084 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java"
exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre
-abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1443453917.466:66161): avc:  denied  { getattr } for
  pid=10084 comm="java" path="/proc/10083/net/if_inet6" dev="proc"
ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Mon Sep 28 11:25:19 2015
type=SYSCALL msg=audit(1443453919.191:66162): arch=c000003e syscall=50
success=yes exit=0 a0=f a1=32 a2=7ffffffe a3=7fc025456230 items=0
ppid=1 pid=10084 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java"
exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre
-abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1443453919.191:66162): avc:  denied  { listen } for 
 pid=10084 comm="java" laddr=::ffff:127.0.0.1 lport=46017
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
----
time->Mon Sep 28 11:25:44 2015
type=SYSCALL msg=audit(1443453944.123:66165): arch=c000003e syscall=42
success=no exit=-115 a0=3c a1=7ffe641dece0 a2=10 a3=bf items=0
ppid=1622 pid=9990 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
comm="/usr/sbin/httpd" exe="/usr/sbin/httpd"
subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1443453944.123:66165): avc:  denied  { name_connect
} for  pid=9990 comm="/usr/sbin/httpd" dest=9999
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket

-- 
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
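A small triage script for ausearch output like the dump above, added here as a worked example (it is not code from the thread or from Subgit). It joins each AVC record to its SYSCALL record, collapses the denials to distinct (source type, target type, class, permission) tuples, and sets aside the noatsecure/siginh/rlimitinh trio, which the reference policy's domain-transition macros normally cover with dontaudit rules, so they only appear once dontaudit rules have been disabled with semodule -DB (semodule -B rebuilds the policy with them back on). The embedded sample is a constructed, abbreviated subset of the records quoted in the post, re-joined onto single lines the way ausearch prints them; the errno table is a partial x86_64 Linux table so the script also runs on a non-Linux analysis host.

```python
"""Summarise SELinux AVC denials from `ausearch -m avc,user_avc` output."""
import re
from collections import Counter

# Constructed sample: an abbreviated subset of the records quoted in the
# post, with the wrapped lines re-joined as ausearch prints them.
SAMPLE_AUSEARCH = """\
----
time->Mon Sep 28 11:20:25 2015
type=SYSCALL msg=audit(1443453625.601:66129): arch=c000003e syscall=42 success=no exit=-115 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1443453625.601:66129): avc:  denied  { name_connect } for  pid=9033 comm="/usr/sbin/httpd" dest=9999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket
----
time->Mon Sep 28 11:22:55 2015
type=SYSCALL msg=audit(1443453775.469:66135): arch=c000003e syscall=59 success=yes exit=0 comm="pre-commit" exe="/usr/bin/bash" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1443453775.469:66135): avc:  denied  { noatsecure } for  pid=9631 comm="pre-commit" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1443453775.469:66135): avc:  denied  { siginh } for  pid=9631 comm="pre-commit" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1443453775.469:66135): avc:  denied  { rlimitinh } for  pid=9631 comm="pre-commit" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
----
time->Mon Sep 28 11:23:15 2015
type=SYSCALL msg=audit(1443453795.817:66138): arch=c000003e syscall=2 success=yes exit=13 comm="java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1443453795.817:66138): avc:  denied  { open } for  pid=9661 comm="java" path="/proc/9658/net/if_inet6" dev="proc" ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1443453795.817:66138): avc:  denied  { read } for  pid=9661 comm="java" name="if_inet6" dev="proc" ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Mon Sep 28 11:23:19 2015
type=SYSCALL msg=audit(1443453799.038:66141): arch=c000003e syscall=50 success=yes exit=0 comm="java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1443453799.038:66141): avc:  denied  { listen } for  pid=9661 comm="java" laddr=::ffff:127.0.0.1 lport=43865 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
----
time->Mon Sep 28 11:25:44 2015
type=SYSCALL msg=audit(1443453944.123:66165): arch=c000003e syscall=42 success=no exit=-115 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1443453944.123:66165): avc:  denied  { name_connect } for  pid=9990 comm="/usr/sbin/httpd" dest=9999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket
"""

# Partial errno table for the x86_64 Linux host that produced the records
# (the audit exit= field is -errno on failure), hard-coded so the script
# gives the same answer on a non-Linux analysis machine.
LINUX_ERRNO = {2: "ENOENT", 11: "EAGAIN", 13: "EACCES", 110: "ETIMEDOUT",
               111: "ECONNREFUSED", 115: "EINPROGRESS"}

# Process permissions checked on every domain transition; the reference
# policy's domtrans_pattern() dontaudits them, so they are only logged
# after `semodule -DB` has disabled dontaudit rules.
TRANSITION_NOISE = {"noatsecure", "siginh", "rlimitinh"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SYSCALL_RE = re.compile(r"success=(\w+)\s+exit=(-?\d+)")


def _kv(text):
    """Turn 'a=1 b="x y"' into {'a': '1', 'b': 'x y'}."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def _type_of(context):
    """user:role:type:level -> type."""
    return context.split(":")[2]


def parse_ausearch(text):
    """Return one dict per denied permission, joined with its SYSCALL record."""
    denials = []
    for event in text.split("----"):
        success, exit_code = None, None
        m = SYSCALL_RE.search(event)
        if m:
            success, exit_code = m.group(1), int(m.group(2))
        err = LINUX_ERRNO.get(-exit_code) if exit_code is not None and exit_code < 0 else None
        for line in event.splitlines():
            m = AVC_RE.search(line)
            if not m:
                continue
            f = _kv(m.group(2))
            for perm in m.group(1).split():   # one record may list several perms
                denials.append({
                    "perm": perm, "comm": f.get("comm"),
                    "stype": _type_of(f["scontext"]), "ttype": _type_of(f["tcontext"]),
                    "tclass": f["tclass"],
                    "target": f.get("path") or f.get("name") or f.get("dest") or f.get("lport"),
                    "syscall_success": success, "errno": err,
                })
    return denials


def is_transition_noise(d):
    """True for the dontaudit-covered permissions seen on a domain transition."""
    return d["tclass"] == "process" and d["perm"] in TRANSITION_NOISE


def triage(denials):
    """Split denials into transition noise and the ones worth a policy look."""
    noise = [d for d in denials if is_transition_noise(d)]
    real = [d for d in denials if not is_transition_noise(d)]
    return noise, real


def summarize(denials):
    """Count distinct (source type, target type, class, perm) tuples."""
    return Counter((d["stype"], d["ttype"], d["tclass"], d["perm"]) for d in denials)


if __name__ == "__main__":
    ds = parse_ausearch(SAMPLE_AUSEARCH)
    noise, real = triage(ds)
    print(f"{len(ds)} denials, {len(noise)} are domain-transition noise")
    for key, n in sorted(summarize(real).items()):
        print(f"{n:3d}x  {key[0]} -> {key[1]} ({key[2]}) {{ {key[3]} }}")
    for d in real:
        if d["syscall_success"] == "no":
            print(f"syscall failed: {d['comm']} {d['perm']} {d['target']} errno={d['errno']}")
```

Run against a real dump with `ausearch -m avc,user_avc -ts recent | python3 avc_triage.py` after swapping the sample for `sys.stdin.read()`. The syscall join is the useful part: in permissive mode a denial is logged but not enforced, so a `success=no` next to an AVC (here the httpd connect to port 9999, which returned EINPROGRESS because the socket is non-blocking) tells you the call's outcome was not caused by the denial, which is consistent with the commits still timing out with SELinux permissive.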
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux