F12: SeLinux reports illegal httpd access to .index files?
Daniel J Walsh
dwalsh at redhat.com
Fri Mar 5 18:47:01 UTC 2010
On 03/05/2010 01:08 PM, Daniel B. Thurman wrote:
> Seems to me, that httpd should not be looking at /usr/share/snmp/.../.index
> files? Notice that the .index file appears and for some reason httpd thinks
> it should be looking at it!?!? I don't know what to make of it.
>
> Here is what I got from selinuxtool:
> ================================================
> Summary:
>
> SELinux is preventing /usr/sbin/httpd "write" access to
> /usr/share/snmp/mibs/.index.
>
> Detailed Description:
>
> SELinux denied access requested by httpd. /usr/share/snmp/mibs/.index may be a
> mislabeled. /usr/share/snmp/mibs/.index default SELinux type is snmpd_var_lib_t,
> but its current type is usr_t. Changing this file back to the default type, may
> fix your problem.
>
> File contexts can be assigned to a file in the following ways.
>
> * Files created in a directory receive the file context of the parent
> directory by default.
> * The SELinux policy might override the default label inherited from the
> parent directory by specifying a process running in context A which creates
> a file in a directory labeled B will instead create the file with label C.
> An example of this would be the dhcp client running with the dhclient_t type
> and creating a file in the directory /etc. This file would normally receive
> the etc_t type due to parental inheritance but instead the file is labeled
> with the net_conf_t type because the SELinux policy specifies this.
> * Users can change the file context on a file using tools such as chcon, or
> restorecon.
>
> This file could have been mislabeled either by user error, or if an normally
> confined application was run under the wrong domain.
>
> However, this might also indicate a bug in SELinux because the file should not
> have been labeled with this type.
>
> If you believe this is a bug, please file a bug report against this package.
>
> Allowing Access:
>
> You can restore the default system context to this file by executing the
> restorecon command. restorecon '/usr/share/snmp/mibs/.index', if this file is a
> directory, you can recursively restore using restorecon -R
> '/usr/share/snmp/mibs/.index'.
>
> Fix Command:
>
> /sbin/restorecon '/usr/share/snmp/mibs/.index'
>
> Additional Information:
>
> Source Context system_u:system_r:httpd_t:s0
> Target Context unconfined_u:object_r:usr_t:s0
> Target Objects /usr/share/snmp/mibs/.index [ file ]
> Source httpd
> Source Path /usr/sbin/httpd
> Port <Unknown>
> Host gold.cdkkt.com
> Source RPM Packages httpd-2.2.14-1.fc12
> Target RPM Packages
> Policy RPM selinux-policy-3.6.32-89.fc12
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Plugin Name restorecon
> Host Name gold.cdkkt.com
> Platform Linux gold.cdkkt.com 2.6.31.12-174.2.22.fc12.i686
> #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
> Alert Count 1
> First Seen Tue 02 Mar 2010 02:35:14 PM PST
> Last Seen Tue 02 Mar 2010 02:35:14 PM PST
> Local ID 985d0293-7cc2-401b-85b0-d8273b14364e
> Line Numbers
>
> Raw Audit Messages
>
> node=gold.cdkkt.com type=AVC msg=audit(1267569314.169:39991): avc:
> denied { write } for pid=2133 comm="httpd" name=".index" dev=sdb8
> ino=520318 scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
>
> node=gold.cdkkt.com type=SYSCALL msg=audit(1267569314.169:39991):
> arch=40000003 syscall=5 success=no exit=-13 a0=bfe6fa10 a1=8241 a2=1b6
> a3=b7181e7f items=0 ppid=1 pid=2133 auid=4294967295 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
> key=(null)
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
That file is owned by snmp
I think some snmp library is causing httpd to write there.
The problem is that it is mislabeled.
matchpathcon /usr/share/snmp/mibs/.index
/usr/share/snmp/mibs/.index system_u:object_r:snmpd_var_lib_t:s0
If you fix the label, I believe the avc will go away.
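The check Dan describes (compare the type in the AVC's tcontext with what matchpathcon says the path should carry, and relabel only if they differ) as an added example script; it is not from the list thread or from setroubleshoot. The AVC record and matchpathcon line are the ones quoted above, embedded as constructed sample strings.

```python
import re
import shlex

# Constructed samples: the AVC record and matchpathcon output quoted in the thread.
AVC_SAMPLE = (
    'node=gold.cdkkt.com type=AVC msg=audit(1267569314.169:39991): avc: '
    'denied { write } for pid=2133 comm="httpd" name=".index" dev=sdb8 '
    'ino=520318 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:usr_t:s0 tclass=file'
)
MATCHPATHCON_SAMPLE = "/usr/share/snmp/mibs/.index system_u:object_r:snmpd_var_lib_t:s0"

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")


def parse_avc(line):
    """Split an AVC audit record into decision, permissions and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    fields = {"decision": m.group(1), "perms": m.group(2).split()}
    # shlex handles the quoted values such as comm="httpd" and name=".index".
    for tok in shlex.split(m.group(3)):
        key, _, value = tok.partition("=")
        fields[key] = value
    return fields


def context_type(ctx):
    """Return the type field (third colon-separated part) of an SELinux context."""
    return ctx.split(":")[2]


def diagnose(avc, matchpathcon_line):
    """Compare the denied object's label with what policy expects for its path."""
    path, expected = matchpathcon_line.rsplit(None, 1)
    if not path.endswith("/" + avc["name"]):
        raise ValueError("matchpathcon path does not match AVC name=%s" % avc["name"])
    actual_type, expected_type = context_type(avc["tcontext"]), context_type(expected)
    result = {
        "source": context_type(avc["scontext"]),
        "perms": avc["perms"],
        "actual_type": actual_type,
        "expected_type": expected_type,
        "mislabeled": actual_type != expected_type,
    }
    # Relabeling is only the right fix when the on-disk label disagrees with policy.
    result["fix"] = "restorecon '%s'" % path if result["mislabeled"] else None
    return result
```

On a live system the two inputs come from `ausearch -m avc` and `matchpathcon <path>`; if the types already agree, the denial is a policy question rather than a labeling one and restorecon will not help.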