Help with messed up F11 SELinux

Daniel J Walsh dwalsh at redhat.com
Wed Apr 28 17:27:58 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/27/2010 02:16 PM, Steve Blackwell wrote:
> On Tue, 27 Apr 2010 13:17:09 -0400
> Daniel J Walsh <dwalsh at redhat.com> wrote:
> 
>> On 04/27/2010 12:18 PM, Steve Blackwell wrote:
>>> On Tue, 27 Apr 2010 11:31:57 -0400
>>> Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>
>>>> On 04/27/2010 10:57 AM, Steve Blackwell wrote:
>>>>> On Tue, 27 Apr 2010 08:45:25 -0400
>>>>> Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>>>
>>>>>> On 04/26/2010 12:41 PM, Steve Blackwell wrote:
>>>>>>> On Mon, 26 Apr 2010 11:11:00 -0400
>>>>>>> Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>>>>>
>>>>>>>
>>>>>>>>> I do still have one (so far) problem though. When I tried to
>>>>>>>>> point my browser at my local BackupPC server page a get an
>>>>>>>>> "Unable to Connect" message and an AVC:
>>>>>>>>>
>>>>>>>>> Raw Audit Messages :
>>>>>>>>> node=steve.blackwell type=AVC msg=audit(1272289200.98:138):
>>>>>>>>> avc: denied { write } for pid=31707 comm="perl5.10.0"
>>>>>>>>> name="BackupPC.sock" dev=dm-0 ino=36667496
>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>>> tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
>>>>>>>>>
>>>>>>>>> node=steve.blackwell type=SYSCALL
>>>>>>>>> msg=audit(1272289200.98:138): arch=40000003 syscall=102
>>>>>>>>> success=no exit=-13 a0=3 a1=bfbd44e0 a2=cfe4ac a3=9317008
>>>>>>>>> items=0 ppid=2037 pid=31707 auid=4294967295 uid=48 gid=48
>>>>>>>>> euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>>>>>>>>> tty=(none) ses=4294967295 comm="perl5.10.0"
>>>>>>>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>>>>>>>>> key=(null)
>>>>>>>>>
>>>>>>>>> Now I know I could change the context of that socket file but
>>>>>>>>> I'm guessing that it gets created every time and so that is
>>>>>>>>> not a permanent solution. Is there a boolean I need to set;
>>>>>>>>> nothing looked obvious or perhaps a BackupPC policy I need to
>>>>>>>>> install?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Steve
>>>>>>>>> --
>>>>>>>>> selinux mailing list
>>>>>>>>> selinux at lists.fedoraproject.org
>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>>>
>>>>>>>>>
>>>>>>>> What directory is the socket in?
>>>>>>>
>>>>>>> /var/log/BackupPC
>>>>>>>
>>>>>>> Steve
>>>>>>
>>>>>> The BackupPC package comes with labeling in F12/F13 of
>>>>>> httpd_sys_content_t.
>>>>>>
>>>>>> # matchpathcon /var/log/BackupPC/
>>>>>> /var/log/BackupPC	system_u:object_r:httpd_sys_content_t:s0
>>>>>>
>>>>>> Execute the following, should fix the problem
>>>>>>
>>>>>> # semanage fcontext -a -t httpd_sys_content_t '/var/log/BackupPC(/.*)?'
>>>>>> # restorecon -R -v /var/log/BackupPC
>>>>>
>>>>> No luck.
>>>>>
>>>>> This did relabel the files in /var/log/BackupPC
>>>>>
>>>>> [root at steve ~]# ls -lZ /var/log/BackupPC
>>>>> -r--r--r--. backuppc backuppc
>>>>> system_u:object_r:httpd_sys_content_t:s0 BackupPC.pid 
>>>>> srwxr-x---. backuppc backuppc
>>>>> system_u:object_r:httpd_sys_content_t:s0 BackupPC.sock
>>>>> ...
>>>>>
>>>>> but SELinux still won't let me access the server. I get a slightly
>>>>> different but essentially the same AVC as before:
>>>>>
>>>>> Raw Audit Messages :
>>>>>
>>>>> node=steve.blackwell type=AVC
>>>>> msg=audit(1272379639.571:319): avc: denied { write } for pid=31612
>>>>> comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496
>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
>>>>>
>>>>> node=steve.blackwell type=SYSCALL msg=audit(1272379639.571:319):
>>>>> arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf877390
>>>>> a2=8a34ac a3=8fc7008 items=0 ppid=2031 pid=31612 auid=4294967295
>>>>> uid=48 gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48
>>>>> tty=(none) ses=4294967295 comm="perl5.10.0"
>>>>> exe="/usr/bin/perl5.10.0" subj=system_u:system_r:httpd_t:s0
>>>>> key=(null) 
>>>>>
>>>>> So it looks to my untrained eye that we have a process with
>>>>> context system_u:system_r:httpd_t:s0 
>>>>> trying to write to a file that has a context
>>>>> system_u:object_r:httpd_sys_content_t:s0
>>>>>
>>>>> and there is no rule to say that this is OK. Is that about right?
>>>>>
>>>>> Thanks,
>>>>> Steve
>>>>
>>>> You can add the ok rule using audit2allow
>>>>
>>>> # grep httpd_sys_content_t /var/log/audit/audit.log | audit2allow -M mybackuppc
>>>> # semodule -i mybackuppc.pp
>>>
>>> OK, a little progress. Now I am getting a socket connect denial.
>>> Will repeating the audit2allow process correct this?
>>>
>>> Thanks,
>>> Steve
>> yes
> 
> I wasn't sure if running audit2allow a second time would add to
> mybackuppc.pp or replace it so I ran
> 
> # grep "BackupPC.sock" /var/log/audit/audit.log | audit2allow -M mybackuppc.pp
> # semodule -i mybackuppc.pp
> 
> I also noticed a boolean called httpd_can_network_connect. This would
> have worked too, correct?
> 
> Now I can connect to the server but I get a different AVC:
> 
> Raw Audit Messages :
> node=steve.blackwell type=AVC msg=audit(1272391254.10:349): avc: denied
> { read } for pid=406 comm="perl5.10.0" name="disk" dev=dm-0 ino=32931842
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
> 
> node=steve.blackwell type=SYSCALL msg=audit(1272391254.10:349):
> arch=40000003 syscall=195 success=no exit=-13 a0=8d02824 a1=8b8e0c0
> a2=4fbff4 a3=8b8e008 items=0 ppid=2033 pid=406 auid=4294967295 uid=48
> gid=48 euid=495 suid=495 fsuid=495 egid=48 sgid=48 fsgid=48 tty=(none)
> ses=4294967295 comm="perl5.10.0" exe="/usr/bin/perl5.10.0"
> subj=system_u:system_r:httpd_t:s0 key=(null) 
> 
> disk is a link to an external USB drive where I keep the backups
> 
> [root at steve ~]# ls -lZ /media
> drwxr-xr-x. root  root  system_u:object_r:mnt_t:s0
> <the USB disk UUID>
> lrwxrwxrwx. root  root  system_u:object_r:mnt_t:s0       disk ->
> <the USB disk UUID>
> 
> So do I need to relabel the disk httpd_sys_content_t next?
> 
> Steve
> 
> 
You could use something like

  mount -o context="system_u:object_r:httpd_sys_content_t:s0"

which will tell mount to mount your disk with this label.
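Added example, not from the thread and not BackupPC's or Fedora's own code: a small Python script that does, for the three AVC records quoted above, roughly what the `grep ... | audit2allow -M` pipeline does. It parses the denials, collapses them by source type, target type and object class, and prints a type-enforcement module. It also shows why the second `grep` run replaces rather than extends the module (only the lines that match the pattern reach audit2allow), and flags allow rules whose target is a generic label such as `var_log_t` or `mnt_t` (that list is an illustrative assumption): such a rule lets httpd_t touch every object carrying that label, which is why relabelling the socket directory and the mount was preferred over allowing. The audit lines are embedded as a constructed sample; on a real box you still run `audit2allow` and `semodule`.

```python
import re
from collections import OrderedDict

# Constructed sample: the three AVC records quoted in the thread plus one
# SYSCALL record, which audit2allow ignores.
SAMPLE_AUDIT_LOG = """\
node=steve.blackwell type=AVC msg=audit(1272289200.98:138): avc: denied { write } for pid=31707 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=sock_file
node=steve.blackwell type=SYSCALL msg=audit(1272289200.98:138): arch=40000003 syscall=102 success=no exit=-13 comm="perl5.10.0" subj=system_u:system_r:httpd_t:s0
node=steve.blackwell type=AVC msg=audit(1272379639.571:319): avc: denied { write } for pid=31612 comm="perl5.10.0" name="BackupPC.sock" dev=dm-0 ino=36667496 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=sock_file
node=steve.blackwell type=AVC msg=audit(1272391254.10:349): avc: denied { read } for pid=406 comm="perl5.10.0" name="disk" dev=dm-0 ino=32931842 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Illustrative assumption: labels broad enough that allowing httpd_t to
# write or read them is a much bigger grant than the one denial suggests.
GENERIC_TARGET_TYPES = {"var_log_t", "mnt_t"}


def sel_type(context):
    """user:role:type:level -> type (the part a TE rule is written against)."""
    return context.split(":")[2]


def select_lines(text, pattern):
    """Equivalent of `grep pattern audit.log`: only matching lines go on."""
    return "\n".join(l for l in text.splitlines() if pattern in l)


def parse_avcs(text):
    """Collapse AVC denials into {(source type, target type, class): {perms}}."""
    rules = OrderedDict()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        key = (sel_type(m["scontext"]), sel_type(m["tcontext"]), m["tclass"])
        rules.setdefault(key, set()).update(m["perms"].split())
    return rules


def te_module(name, rules):
    """Render the rules as a .te source like audit2allow -M would."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = OrderedDict()
    for (_, _, cls), perms in rules.items():
        classes.setdefault(cls, set()).update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};" for cls, p in classes.items()]
    out += ["}", ""]
    for (src, tgt, cls), perms in rules.items():
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


def broad_targets(rules):
    """Rules whose target type is generic; relabel the object instead."""
    return [key for key in rules if key[1] in GENERIC_TARGET_TYPES]


if __name__ == "__main__":
    # Whole log: three rules, two of them against generic labels.
    everything = parse_avcs(SAMPLE_AUDIT_LOG)
    print(te_module("mybackuppc_all", everything))
    for key in broad_targets(everything):
        print("# consider relabelling instead of: allow %s %s:%s" % key)
    # What the thread's second grep actually fed to audit2allow.
    filtered = parse_avcs(select_lines(SAMPLE_AUDIT_LOG, "BackupPC.sock"))
    print(te_module("mybackuppc", filtered))
```

The rendered module is only as good as the labels in the log: the first denial was against `var_log_t`, so allowing it blindly would have let httpd_t write sockets anywhere under that label, whereas the relabel to `httpd_sys_content_t` narrows the later rule to BackupPC's own directory.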

