Help with messed up F11 SELinux

Steve Blackwell zephod at cfl.rr.com
Tue Apr 27 18:16:06 UTC 2010


On Tue, 27 Apr 2010 13:17:09 -0400
Daniel J Walsh <dwalsh at redhat.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 04/27/2010 12:18 PM, Steve Blackwell wrote:
> > On Tue, 27 Apr 2010 11:31:57 -0400
> > Daniel J Walsh <dwalsh at redhat.com> wrote:
> > 
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> On 04/27/2010 10:57 AM, Steve Blackwell wrote:
> >>> On Tue, 27 Apr 2010 08:45:25 -0400
> >>> Daniel J Walsh <dwalsh at redhat.com> wrote:
> >>>
> >>>> -----BEGIN PGP SIGNED MESSAGE-----
> >>>> Hash: SHA1
> >>>>
> >>>> On 04/26/2010 12:41 PM, Steve Blackwell wrote:
> >>>>> On Mon, 26 Apr 2010 11:11:00 -0400
> >>>>> Daniel J Walsh <dwalsh at redhat.com> wrote:
> >>>>>
> >>>>>
> >>>>>>> I do still have one (so far) problem though. When I tried to
> >>>>>>> point my browser at my local BackupPC server page a get an
> >>>>>>> "Unable to Connect" message and an AVC:
> >>>>>>>
> >>>>>>> Raw Audit Messages :
> >>>>>>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138):
> >>>>>>> avc: denied { write } for pid=31707 comm="perl5.10.0"
> >>>>>>> name="BackupPC.sock" dev=dm-0 ino=36667496
> >>>>>>> scontext=system_u:system_r:httpd_t:s0
> >>>>>>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
> >>>>>>>
> >>>>>>> node=steve.blackwell type=SYSCALL
> >>>>>>> msg=audit(1272289200.98:138): arch=40000003 syscall=102
> >>>>>>> success=no exit=-13 a0=3 a1=bfbd44e0 a2=cfe4ac a3=9317008
> >>>>>>> items=0 ppid=2037 pid=31707 auid=4294967295 uid=48 gid=48
> >>>>>>> euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
> >>>>>>> tty=(none) ses=4294967295 comm="perl5.10.0"
> >>>>>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
> >>>>>>> key=(null)
> >>>>>>>
> >>>>>>> Now I know I could change the context of that socket file but
> >>>>>>> I'm guessing that it gets created every time and so that is
> >>>>>>> not a permanent solution. Is there a boolean I need to set;
> >>>>>>> nothing looked obvious or perhaps a BackupPC policy I need to
> >>>>>>> install?
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>> Steve
> >>>>>>> --
> >>>>>>> selinux mailing list
> >>>>>>> selinux at lists.fedoraproject.org
> >>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>>>>
> >>>>>>>
> >>>>>> What directory is the socket in?
> >>>>>
> >>>>> /var/log/BackupPC
> >>>>>
> >>>>> Steve
> >>>>
> >>>> The BackupPC package comes with labeling in F12/F13 of
> >>>> httpd_sys_content_t.
> >>>>
> >>>> # matchpathcon /var/log/BackupPC/
> >>>> /var/log/BackupPC	system_u:object_r:httpd_sys_content_t:s0
> >>>>
> >>>> Execute the following, should fix the problem
> >>>>
> >>>> # semanage fcontext -a -t httpd_sys_content_t
> >>>> '/var/log/BackupPC(/.*)?' 
> >>>> # restorecon -R -v /var/log/BackupPC
> >>>
> >>> No luck.
> >>>
> >>> This did relabel the files in /var/log/BackupPC
> >>>
> >>> [root at steve ~]# ls -lZ /var/log/BackupPC
> >>> -r--r--r--. backuppc backuppc
> >>> system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid 
> >>> srwxr-x---. backuppc backuppc
> >>> system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
> >>> ...
> >>>
> >>> but SELinux still won't let me access the server. I get a slightly
> >>> different but essentially the same AVC as before:
> >>>
> >>> Raw Audit Messages :
> >>>
> >>> node=steve.blackwell type=AVC
> >>> msg=audit(1272379639.571:319): avc: denied { write } for pid=31612
> >>> comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496
> >>> scontext=system_u:system_r:httpd_t:s0
> >>> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
> >>>
> >>> node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319):
> >>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390
> >>> a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295
> >>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
> >>> tty=(none) ses=4294967295 comm="perl5.10.0"
> >>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
> >>> key=(null) 
> >>>
> >>> So it looks to my untrained eye that we have a process with
> >>> context system_u:system_r:httpd_t:s0 
> >>> trying to write to a file that has a context
> >>> system_u:object_r:httpd_sys_content_t:s0
> >>>
> >>> and there is no rule to say that this is OK. Is that about right?
> >>>
> >>> Thanks,
> >>> Steve
> >>
> >> You can add the ok rule using audit2allow
> >>
> >> # grep httpd_sys_content_t /var/log/audit/audit.log | audit2allow
> >> -M mybackuppc
> >> # semodule -i mybackuppc.pp
> > 
> > OK, a little progress. Now I am getting a socket connect denial.
> > Will repeating the audit2allow process correct this?
> > 
> > Thanks,
> > Steve
> yes

I wasn't sure if running audit2allow a second time would add to
mybackuppc.pp or replace it so I ran

# grep "BackupPC.sock" /var/log/audit/audit.log | audit2allow -M
mybackuppc.pp
# semodule -i mybackuppc.pp

I also noticed a boolean called httpd_can_network_connect. This would
have worked too, correct?

Now I can connect to the server but I get a different AVC:

Raw Audit Messages :
node=steve.blackwell type=AVC msg=audit(1272391254.10:349): avc: denied
{ read } for pid=406 comm="perl5.10.0" name="disk" dev=dm-0 ino=32931842
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file

node=steve.blackwell type=SYSCALL msg=audit(1272391254.10:349):
arch=40000003 syscall=195 success=no exit=-13 a0=8d02824 a1=8b8e0c0
a2=4fbff4 a3=8b8e008 items=0 ppid=2033 pid=406 auid=4294967295 uid=48
gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none)
ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"
subj=system_u:system_r:httpd_t:s0 key=(null) 

disk is a link to an external USB drive where I keep the backups.

[root at steve ~]# ls -lZ /media
drwxr-xr-x. root  root  system_u:object_r:mnt_t:s0
<the USB disk UUID>
lrwxrwxrwx. root  root  system_u:object_r:mnt_t:s0       disk ->
<the USB disk UUID>

So do I need to relabel the disk httpd_sys_content_t next?

Steve
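Added example, not part of the thread: a small Python script that parses AVC records like the ones quoted above into the `allow` rules an audit2allow run would emit, with an optional substring filter standing in for the `grep` in the pipeline (so you can see which denials a given filter actually feeds into the module). The rule format and the grouping by source type, target type and object class are a simplification of audit2allow's real output, which also wraps the rules in a `require` block.

```python
import re
from collections import defaultdict

# Audit records copied from the thread above, each re-joined onto a single line;
# the SYSCALL record is there only to show that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc: denied { write } for pid=31707 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0 a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295 uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0 key=(null)
node=steve.blackwell type=AVC msg=audit(1272379639.571:319): avc: denied { write } for pid=31612 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
node=steve.blackwell type=AVC msg=audit(1272391254.10:349): avc: denied { read } for pid=406 comm="perl5.10.0" name="disk" dev=dm-0 ino=32931842 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')  # the { write } permission set

def parse_avc(line):
    """Return the essentials of one AVC denial record, or None for any other record."""
    m = PERMS_RE.search(line)
    if m is None or 'type=AVC' not in line:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        'perms': set(m.group(1).split()),
        'name': fields.get('name', '?'),
        'stype': fields['scontext'].split(':')[2],  # user:role:TYPE:level -> TYPE
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }

def denials_to_rules(log_text, match=None):
    """Collapse the AVC denials in log_text into TE allow rules, roughly as
    `grep MATCH audit.log | audit2allow` would; match is the grep substring."""
    perms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        if match is not None and match not in line:
            continue  # the grep stage: this record never reaches audit2allow
        avc = parse_avc(line)
        if avc is None:
            continue
        perms_by_key[(avc['stype'], avc['ttype'], avc['tclass'])] |= avc['perms']
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        perm_text = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_text = '{ %s }' % perm_text
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, perm_text))
    return rules
```

Running `denials_to_rules(SAMPLE_AUDIT_LOG, match='httpd_sys_content_t')` yields only the sock_file rule for the relabelled socket, while the unfiltered call also produces rules for the earlier var_log_t denial and for the mnt_t symlink; review the list before building a module from it, since every rule in it becomes policy.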

