F12: SeLinux reports illegal httpd access to .index files?

Daniel J Walsh dwalsh at redhat.com
Fri Mar 5 18:47:01 UTC 2010


On 03/05/2010 01:08 PM, Daniel B. Thurman wrote:
> Seems to me, that httpd should not be looking at /usr/share/snmp/.../.index
> files?  Notice that the .index file appears and for some reason httpd thinks
> it should be looking at it!?!?  I don't know what to make of it.
>
> Here is what I got from selinuxtool:
> ================================================
> Summary:
>
> SELinux is preventing /usr/sbin/httpd "write" access to
> /usr/share/snmp/mibs/.index.
>
> Detailed Description:
>
> SELinux denied access requested by httpd. /usr/share/snmp/mibs/.index may be a
> mislabeled. /usr/share/snmp/mibs/.index default SELinux type is snmpd_var_lib_t,
> but its current type is usr_t. Changing this file back to the default type, may
> fix your problem.
>
> File contexts can be assigned to a file in the following ways.
>
>     * Files created in a directory receive the file context of the parent
>       directory by default.
>     * The SELinux policy might override the default label inherited from the
>       parent directory by specifying a process running in context A which creates
>       a file in a directory labeled B will instead create the file with label C.
>       An example of this would be the dhcp client running with the dhclient_t type
>       and creating a file in the directory /etc. This file would normally receive
>       the etc_t type due to parental inheritance but instead the file is labeled
>       with the net_conf_t type because the SELinux policy specifies this.
>     * Users can change the file context on a file using tools such as chcon, or
>       restorecon.
>
> This file could have been mislabeled either by user error, or if an normally
> confined application was run under the wrong domain.
>
> However, this might also indicate a bug in SELinux because the file should not
> have been labeled with this type.
>
> If you believe this is a bug, please file a bug report against this package.
>
> Allowing Access:
>
> You can restore the default system context to this file by executing the
> restorecon command. restorecon '/usr/share/snmp/mibs/.index', if this file is a
> directory, you can recursively restore using restorecon -R
> '/usr/share/snmp/mibs/.index'.
>
> Fix Command:
>
> /sbin/restorecon '/usr/share/snmp/mibs/.index'
>
> Additional Information:
>
> Source Context                system_u:system_r:httpd_t:s0
> Target Context                unconfined_u:object_r:usr_t:s0
> Target Objects                /usr/share/snmp/mibs/.index [ file ]
> Source                        httpd
> Source Path                   /usr/sbin/httpd
> Port                          <Unknown>
> Host                          gold.cdkkt.com
> Source RPM Packages           httpd-2.2.14-1.fc12
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.32-89.fc12
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Plugin Name                   restorecon
> Host Name                     gold.cdkkt.com
> Platform                      Linux gold.cdkkt.com 2.6.31.12-174.2.22.fc12.i686
>                               #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
> Alert Count                   1
> First Seen                    Tue 02 Mar 2010 02:35:14 PM PST
> Last Seen                     Tue 02 Mar 2010 02:35:14 PM PST
> Local ID                      985d0293-7cc2-401b-85b0-d8273b14364e
> Line Numbers
>
> Raw Audit Messages
>
> node=gold.cdkkt.com type=AVC msg=audit(1267569314.169:39991): avc:  denied  { write } for  pid=2133 comm="httpd" name=".index" dev=sdb8 ino=520318 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
>
> node=gold.cdkkt.com type=SYSCALL msg=audit(1267569314.169:39991): arch=40000003 syscall=5 success=no exit=-13 a0=bfe6fa10 a1=8241 a2=1b6 a3=b7181e7f items=0 ppid=1 pid=2133 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>
That file is owned by snmp

I think some snmp library is causing httpd to write there.

The problem is that it is mislabeled.

matchpathcon /usr/share/snmp/mibs/.index
/usr/share/snmp/mibs/.index    system_u:object_r:snmpd_var_lib_t:s0

If you fix the label, I believe the avc will go away.
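As an added example (not part of the thread, and not code from Dan Walsh, setroubleshoot or the Fedora project), the Python below does by hand what the setroubleshoot report and the matchpathcon check above do together: it parses the two raw audit records quoted in the thread, pulls the source and target types out of the contexts, compares the target's current type with the policy's expected type, and emits the restorecon fix when they differ. The expected-context table is constructed from the matchpathcon output in the reply, standing in for a real matchpathcon call so the example runs offline; the full path has to be supplied by hand because the AVC record itself only carries the basename (name=".index"). It also decodes the paired SYSCALL record (i386 open(2), syscall 5) to show that httpd was opening the file for create/truncate writing and got EACCES.

```python
import errno
import re

# Constructed sample: the two audit records quoted in the thread, one record per
# line as they would appear in /var/log/audit/audit.log.
SAMPLE_AUDIT = """\
node=gold.cdkkt.com type=AVC msg=audit(1267569314.169:39991): avc:  denied  { write } for  pid=2133 comm="httpd" name=".index" dev=sdb8 ino=520318 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
node=gold.cdkkt.com type=SYSCALL msg=audit(1267569314.169:39991): arch=40000003 syscall=5 success=no exit=-13 a0=bfe6fa10 a1=8241 a2=1b6 a3=b7181e7f items=0 ppid=1 pid=2133 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

# Constructed table standing in for `matchpathcon`, populated from the
# matchpathcon output in the reply above.
EXPECTED_CONTEXT = {
    "/usr/share/snmp/mibs/.index": "system_u:object_r:snmpd_var_lib_t:s0",
}

# open(2) flag bits for i386 (octal values from the x86 fcntl.h).
I386_OPEN_FLAGS = [
    (0o1, "O_WRONLY"), (0o2, "O_RDWR"), (0o100, "O_CREAT"), (0o200, "O_EXCL"),
    (0o400, "O_NOCTTY"), (0o1000, "O_TRUNC"), (0o2000, "O_APPEND"),
    (0o4000, "O_NONBLOCK"), (0o100000, "O_LARGEFILE"),
]

# key=value pairs; values may be quoted, parenthesised like (none), or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\{[^}]*\}|\S+)')
PERM_RE = re.compile(r"denied\s+\{\s*([^}]+?)\s*\}")
EVENT_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")


def parse_record(line):
    """Turn one audit record into a dict of its fields plus event id and perms."""
    fields = {m.group(1): m.group(2).strip('"') for m in KV_RE.finditer(line)}
    ev = EVENT_RE.search(line)
    if ev:
        fields["event"] = ev.group(2)
    perm = PERM_RE.search(line)
    if perm:
        fields["perms"] = perm.group(1).split()
    return fields


def context_type(context):
    """user:role:type:level -> type (the part SELinux type enforcement acts on)."""
    return context.split(":")[2]


def decode_open_flags(hex_flags):
    """Decode the a1 argument of an i386 open(2) call into O_* flag names."""
    val = int(hex_flags, 16)
    names = [name for bit, name in I386_OPEN_FLAGS if val & bit]
    if not val & 0o3:          # neither O_WRONLY nor O_RDWR set
        names.insert(0, "O_RDONLY")
    return names


def diagnose(audit_text, path, expected=EXPECTED_CONTEXT):
    """Compare the denied file's current type with its expected type and
    propose the relabel fix; also decode the matching SYSCALL record."""
    records = [parse_record(l) for l in audit_text.splitlines() if l.strip()]
    avc = next(r for r in records if r["type"] == "AVC")
    syscall = next((r for r in records
                    if r["type"] == "SYSCALL" and r.get("event") == avc.get("event")),
                   None)
    target_type = context_type(avc["tcontext"])
    expected_type = context_type(expected[path])
    mislabeled = target_type != expected_type
    result = {
        "source_type": context_type(avc["scontext"]),
        "target_type": target_type,
        "expected_type": expected_type,
        "tclass": avc["tclass"],
        "perms": avc.get("perms", []),
        "mislabeled": mislabeled,
        "fix": f"restorecon -v '{path}'" if mislabeled else None,
    }
    # arch 40000003 is i386; syscall 5 there is open(2): a1 = flags, a2 = mode.
    if syscall is not None and syscall["arch"] == "40000003" and syscall["syscall"] == "5":
        result["open_flags"] = decode_open_flags(syscall["a1"])
        result["mode"] = oct(int(syscall["a2"], 16))
        result["errno"] = errno.errorcode[-int(syscall["exit"])]
    return result


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_AUDIT, "/usr/share/snmp/mibs/.index").items():
        print(f"{k:14} {v}")
```

For the thread's records this reports httpd_t denied write on a usr_t file whose expected type is snmpd_var_lib_t, proposes the restorecon, and shows the open call as O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE with mode 0666 failing with EACCES, which matches the picture of a library trying to (re)write an index file under a directory it does not own the label of. On a real system, replace the EXPECTED_CONTEXT table with the output of `matchpathcon` and confirm the current label with `ls -Z` before running the fix.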

