Help with messed up F11 SELinux

Daniel J Walsh dwalsh at redhat.com
Tue Apr 27 17:17:09 UTC 2010



On 04/27/2010 12:18 PM, Steve Blackwell wrote:
> On Tue, 27 Apr 2010 11:31:57 -0400
> Daniel J Walsh <dwalsh at redhat.com> wrote:
> 
>>
>> On 04/27/2010 10:57 AM, Steve Blackwell wrote:
>>> On Tue, 27 Apr 2010 08:45:25 -0400
>>> Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>
>>>>
>>>> On 04/26/2010 12:41 PM, Steve Blackwell wrote:
>>>>> On Mon, 26 Apr 2010 11:11:00 -0400
>>>>> Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>>>
>>>>>
>>>>>>> I do still have one (so far) problem though. When I tried to
>>>>>>> point my browser at my local BackupPC server page a get an
>>>>>>> "Unable to Connect" message and an AVC:
>>>>>>>
>>>>>>> Raw Audit Messages :
>>>>>>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc:
>>>>>>> denied { write } for pid=31707 comm="perl5.10.0"
>>>>>>> name="BackupPC.sock" dev=dm-0 ino=36667496
>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>>>>>>>
>>>>>>> node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138):
>>>>>>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfbd44e0
>>>>>>> a2=cfe4ac a3=9317008 items=0 ppid=2037 pid=31707 auid=4294967295
>>>>>>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48
>>>>>>> fsgid=48 tty=(none) ses=4294967295 comm="perl5.10.0"
>>>>>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>>>>>>> key=(null)
>>>>>>>
>>>>>>> Now I know I could change the context of that socket file, but
>>>>>>> I'm guessing that it gets created every time and so that is not
>>>>>>> a permanent solution. Is there a boolean I need to set (nothing
>>>>>>> looked obvious), or perhaps a BackupPC policy I need to install?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Steve
>>>>>>> --
>>>>>>> selinux mailing list
>>>>>>> selinux at lists.fedoraproject.org
>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>
>>>>>>>
>>>>>> What directory is the socket in?
>>>>>
>>>>> /var/log/BackupPC
>>>>>
>>>>> Steve
>>>>
>>>> The BackupPC package comes with labeling in F12/F13 of
>>>> httpd_sys_content_t.
>>>>
>>>> # matchpathcon /var/log/BackupPC/
>>>> /var/log/BackupPC	system_u:object_r:httpd_sys_content_t:s0
>>>>
>>>> Execute the following; it should fix the problem:
>>>>
>>>> # semanage fcontext -a -t httpd_sys_content_t '/var/log/BackupPC(/.*)?'
>>>> # restorecon -R -v /var/log/BackupPC
>>>
>>> No luck.
>>>
>>> This did relabel the files in /var/log/BackupPC
>>>
>>> [root at steve ~]# ls -lZ /var/log/BackupPC
>>> -r--r--r--. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid
>>> srwxr-x---. backuppc backuppc system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
>>> ...
>>>
>>> but SELinux still won't let me access the server. I get a slightly
>>> different but essentially the same AVC as before:
>>>
>>> Raw Audit Messages :
>>>
>>> node=steve.blackwell type=AVC
>>> msg=audit(1272379639.571:319): avc: denied { write } for pid=31612
>>> comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496
>>> scontext=system_u:system_r:httpd_t:s0
>>> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
>>>
>>> node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319):
>>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390
>>> a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295
>>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>>> tty=(none) ses=4294967295 comm="perl5.10.0"
>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>>> key=(null) 
>>>
>>> So it looks to my untrained eye that we have a process with context
>>> system_u:system_r:httpd_t:s0 
>>> trying to write to a file that has a context
>>> system_u:object_r:httpd_sys_content_t:s0
>>>
>>> and there is no rule to say that this is OK. Is that about right?
>>>
>>> Thanks,
>>> Steve
>>
>> You can add the ok rule using audit2allow
>>
>> # grep httpd_sys_content_t /var/log/audit/audit.log | audit2allow -M mybackuppc
>> # semodule -i mybackuppc.pp
> 
> OK, a little progress. Now I am getting a socket connect denial.
> Will repeating the audit2allow process correct this?
> 
> Thanks,
> Steve
yes
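As an added example (not code from the thread or from audit2allow itself), this small Python parser does what the grep-then-audit2allow step above does in spirit: it pulls the source type, target type, object class and permission out of the AVC lines quoted in the thread and folds them into Type Enforcement allow rules, so you can read exactly what a generated module would grant before you load it. The sample input reuses the two AVC records from the thread plus one constructed SYSCALL line to show that non-AVC records are ignored.

```python
import re

# Sample input: the two AVC records quoted in the thread, plus one constructed
# SYSCALL record (not a denial) to show it is skipped.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1272289200.98:138): avc: denied { write } for pid=31707 '
    'comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 '
    'tclass=sock_file',
    'type=SYSCALL msg=audit(1272289200.98:138): arch=40000003 syscall=102 success=no '
    'exit=-13 comm="perl5.10.0" exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0',
    'type=AVC msg=audit(1272379639.571:319): avc: denied { write } for pid=31612 '
    'comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 '
    'tclass=sock_file',
]

# Matches the denial, the permission set inside the braces, and the three
# fields an allow rule is built from.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type[:mls]; the type is the third field.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())


def allow_rules(lines, target_type=None):
    """Merge denials into TE allow rules keyed by (source, target, class).

    target_type optionally restricts the output to one target type, playing the
    role of the 'grep httpd_sys_content_t' filter used in the thread.
    """
    merged = {}
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        if target_type is not None and ttype != target_type:
            continue
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = ' '.join(sorted(perms))
        rules.append(f'allow {s} {t}:{c} {p};' if len(perms) == 1 else f'allow {s} {t}:{c} {{ {p} }};')
    return rules
```

Reviewing the emitted rules first matters because each one widens what httpd_t may touch; a rule that grants httpd_t write access to a general-purpose type such as var_log_t would affect far more than the BackupPC socket.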

