Help with messed up F11 SELinux

Steve Blackwell zephod at cfl.rr.com
Tue Apr 27 16:18:08 UTC 2010


On Tue, 27 Apr 2010 11:31:57 -0400
Daniel J Walsh <dwalsh at redhat.com> wrote:

> 
> On 04/27/2010 10:57 AM, Steve Blackwell wrote:
> > On Tue, 27 Apr 2010 08:45:25 -0400
> > Daniel J Walsh <dwalsh at redhat.com> wrote:
> > 
> >>
> >> On 04/26/2010 12:41 PM, Steve Blackwell wrote:
> >>> On Mon, 26 Apr 2010 11:11:00 -0400
> >>> Daniel J Walsh <dwalsh at redhat.com> wrote:
> >>>
> >>>
> >>>>> I do still have one (so far) problem though. When I tried to
> >>>>> point my browser at my local BackupPC server page a get an
> >>>>> "Unable to Connect" message and an AVC:
> >>>>>
> >>>>> Raw Audit Messages :
> >>>>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc:
> >>>>> denied { write } for pid=31707 comm="perl5.10.0"
> >>>>> name="BackupPC.sock" dev=dm-0 ino=36667496
> >>>>> scontext=system_u:system_r:httpd_t:s0
> >>>>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
> >>>>>
> >>>>> node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
> >>>>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
> >>>>> a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295
> >>>>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48
> >>>>> fsgid=48 tty=(none) ses=4294967295 comm="perl5.10.0"
> >>>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
> >>>>> key=(null)
> >>>>>
> >>>>> Now I know I could change the context of that socket file but
> >>>>> I'm guessing that it gets created every time and so that is not
> >>>>> a permanent solution. Is there a boolean I need to set; nothing
> >>>>> looked obvious or perhaps a BackupPC policy I need to install?
> >>>>>
> >>>>> Thanks,
> >>>>> Steve
> >>>>> --
> >>>>> selinux mailing list
> >>>>> selinux at lists.fedoraproject.org
> >>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>>
> >>>>>
> >>>> What directory is the socket in?
> >>>
> >>> /var/log/BackupPC
> >>>
> >>> Steve
> >>
> >> The BackupPC package comes with labeling in F12/F13 of
> >> httpd_sys_content_t.
> >>
> >> # matchpathcon /var/log/BackupPC/
> >> /var/log/BackupPC	system_u:object_r:httpd_sys_content_t:s0
> >>
> >> Execute the following, should fix the problem
> >>
> >> # semanage fcontext -a -t httpd_sys_content_t '/var/log/BackupPC(/.*)?'
> >> # restorecon -R -v /var/log/BackupPC
> > 
> > No luck.
> > 
> > This did relabel the files in /var/log/BackupPC
> > 
> > [root at steve ~]# ls -lZ /var/log/BackupPC
> > -r--r--r--. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid
> > srwxr-x---. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
> > ...
> > 
> > but SELinux still won't let me access the server. I get a slightly
> > different but essentially the same AVC as before:
> > 
> > Raw Audit Messages :
> > 
> > node=steve.blackwell type=AVC
> > msg=audit(1272379639.571:319): avc: denied { write } for pid=31612
> > comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496
> > scontext=system_u:system_r:httpd_t:s0
> > tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
> > 
> > node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319):
> > arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390
> > a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295
> > uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
> > tty=(none) ses=4294967295 comm="perl5.10.0"
> > exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
> > key=(null) 
> > 
> > So it looks to my untrained eye that we have a process with context
> > system_u:system_r:httpd_t:s0 
> > trying to write to a file that has a context
> > system_u:object_r:httpd_sys_content_t:s0
> > 
> > and there is no rule to say that this is OK. Is that about right?
> > 
> > Thanks,
> > Steve
> 
> You can add the ok rule using audit2allow
> 
> # grep httpd_sys_content_t /var/log/audit/audit.log | audit2allow -M mybackuppc
> # semodule -i mybackuppc.pp

OK, a little progress. Now I am getting a socket connect denial.
Will repeating the audit2allow process correct this?

Thanks,
Steve
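As an added illustration that is not part of the thread: a small parser that groups AVC records the way audit2allow does (one allow rule per source type, target type and object class, permissions merged), so the rule can be read and judged before it is loaded with semodule. The sample log is constructed from the two denials quoted above, joined onto one line each as auditd writes them.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records from the thread, one per line as
# they appear in /var/log/audit/audit.log (SYSCALL record kept to show it is skipped).
SAMPLE_AUDIT_LOG = """\
node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc:  denied  { write } for  pid=31707 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138): arch=40000003 syscall=102 success=no exit=-13 comm="perl5.10.0" exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
node=steve.blackwell type=AVC msg=audit(1272379639.571:319): avc:  denied  { write } for  pid=31612 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
"""

# Matches the denial verb, the permission set in braces, and the three labels.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field (third colon-separated part) of a security context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, permission) for each AVC denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        for perm in m.group("perms").split():
            yield (selinux_type(m.group("scontext")),
                   selinux_type(m.group("tcontext")),
                   m.group("tclass"), perm)

def summarize(log_text):
    """Group denials by (source, target, class) and merge their permissions."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perm in parse_denials(log_text):
        rules[(stype, ttype, tclass)].add(perm)
    return {key: sorted(perms) for key, perms in rules.items()}

def to_te_rules(summary):
    """Render the grouped denials as policy 'allow' statements for review."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    for rule in to_te_rules(summarize(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Running it on the sample prints one rule per target label seen, which makes it visible that the relabel to httpd_sys_content_t changed only the target type of the denial, not the fact that httpd_t has no write rule on that sock_file.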
