F12: SeLinux reports illegal httpd access to .index files?
Daniel B. Thurman
dant at cdkkt.com
Fri Mar 5 19:32:14 UTC 2010
> On 03/05/2010 01:08 PM, Daniel B. Thurman wrote:
>> Seems to me, that httpd should not be looking at /usr/share/snmp/.../.index files? Notice that the .index file appears and for some reason httpd thinks it should be looking at it!?!? I don't know what to make of it.
>>
>> Here is what I got from selinuxtool:
>> ================================================
>> Summary:
>>
>> SELinux is preventing /usr/sbin/httpd "write" access to /usr/share/snmp/mibs/.index.
>>
>> Detailed Description:
>>
>> SELinux denied access requested by httpd. /usr/share/snmp/mibs/.index may be mislabeled. /usr/share/snmp/mibs/.index default SELinux type is snmpd_var_lib_t, but its current type is usr_t. Changing this file back to the default type may fix your problem.
>>
>> File contexts can be assigned to a file in the following ways.
>>
>> * Files created in a directory receive the file context of the parent directory by default.
>> * The SELinux policy might override the default label inherited from the parent directory by specifying that a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhclient_t type and creating a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this.
>> * Users can change the file context on a file using tools such as chcon, or restorecon.
>>
>> This file could have been mislabeled either by user error, or if a normally confined application was run under the wrong domain.
>>
>> However, this might also indicate a bug in SELinux because the file should not have been labeled with this type.
>>
>> If you believe this is a bug, please file a bug report against this package.
>>
>> Allowing Access:
>>
>> You can restore the default system context to this file by executing the restorecon command: restorecon '/usr/share/snmp/mibs/.index'. If this file is a directory, you can recursively restore using restorecon -R '/usr/share/snmp/mibs/.index'.
>>
>> Fix Command:
>>
>> /sbin/restorecon '/usr/share/snmp/mibs/.index'
>>
>> Additional Information:
>>
>> Source Context system_u:system_r:httpd_t:s0
>> Target Context unconfined_u:object_r:usr_t:s0
>> Target Objects /usr/share/snmp/mibs/.index [ file ]
>> Source httpd
>> Source Path /usr/sbin/httpd
>> Port <Unknown>
>> Host gold.cdkkt.com
>> Source RPM Packages httpd-2.2.14-1.fc12
>> Target RPM Packages
>> Policy RPM selinux-policy-3.6.32-89.fc12
>> Selinux Enabled True
>> Policy Type targeted
>> Enforcing Mode Enforcing
>> Plugin Name restorecon
>> Host Name gold.cdkkt.com
>> Platform Linux gold.cdkkt.com 2.6.31.12-174.2.22.fc12.i686 #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
>> Alert Count 1
>> First Seen Tue 02 Mar 2010 02:35:14 PM PST
>> Last Seen Tue 02 Mar 2010 02:35:14 PM PST
>> Local ID 985d0293-7cc2-401b-85b0-d8273b14364e
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=gold.cdkkt.com type=AVC msg=audit(1267569314.169:39991): avc:
>> denied { write } for pid=2133 comm="httpd" name=".index" dev=sdb8
>> ino=520318 scontext=system_u:system_r:httpd_t:s0
>> tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
>>
>> node=gold.cdkkt.com type=SYSCALL msg=audit(1267569314.169:39991):
>> arch=40000003 syscall=5 success=no exit=-13 a0=bfe6fa10 a1=8241 a2=1b6
>> a3=b7181e7f items=0 ppid=1 pid=2133 auid=4294967295 uid=0 gid=0 euid=0
>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>> comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
>> key=(null)
>>
> That file is owned by snmp
>
> I think some snmp library is causing httpd to write there.
>
> The problem is that it is mislabeled.
>
> matchpathcon /usr/share/snmp/mibs/.index
> /usr/share/snmp/mibs/.index system_u:object_r:snmpd_var_lib_t:s0
>
> If you fix the label, I believe the avc will go away.
1) How did the label get set this way in the first place?
2) Perhaps I should do:
# touch /.autorelabel OR
restorecon -R /
And that should update the latest policies on all (mislabeled) files?
For now, I did:
# chcon -u system_u -t snmpd_var_lib_t /usr/share/snmp/mibs/.index
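The thread's diagnosis hinges on one comparison: the type in the AVC's tcontext (usr_t) versus the type matchpathcon says the path should carry (snmpd_var_lib_t). The following is an added example, not code from this thread or from setroubleshoot, that parses raw AVC records like the one quoted above and makes that comparison automatically, so a mislabeled target (fix: restorecon) can be told apart from a denial against a correctly labeled file (a policy question, not a labeling one). The second audit line, the /var/www/html path and its expected context are constructed for the example; the .index line and its expected context are the values shown in the thread.

```python
import re

# Constructed sample input: the first record is the raw AVC quoted in this
# thread; the second is a made-up denial against a correctly labeled file.
SAMPLE_AUDIT_LINES = [
    'node=gold.cdkkt.com type=AVC msg=audit(1267569314.169:39991): avc: '
    'denied { write } for pid=2133 comm="httpd" name=".index" dev=sdb8 '
    'ino=520318 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:usr_t:s0 tclass=file',
    'node=gold.cdkkt.com type=AVC msg=audit(1267569400.000:40001): avc: '
    'denied { read } for pid=2133 comm="httpd" name="index.html" dev=sdb8 '
    'ino=520400 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file',
]

# Expected labels as `matchpathcon <path>` would print them. The .index entry
# is the value reported in the thread; the html entry is an assumption.
EXPECTED_CONTEXT = {
    "/usr/share/snmp/mibs/.index": "system_u:object_r:snmpd_var_lib_t:s0",
    "/var/www/html/index.html": "system_u:object_r:httpd_sys_content_t:s0",
}

# Fields of interest in an AVC record, in the order the kernel emits them.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bname="(?P<name>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field (third colon-separated part) of an SELinux context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict of AVC fields or None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["stype"] = context_type(rec["scontext"])
    rec["ttype"] = context_type(rec["tcontext"])
    return rec


def classify(rec, path, expected):
    """Decide whether a denial is a labeling problem or a policy problem.

    `path` is the file the denial refers to (the AVC itself only carries the
    basename plus dev/ino); `expected` maps paths to matchpathcon output.
    Returns (verdict, recommended action).
    """
    if rec["ttype"] != context_type(expected[path]):
        # Label on disk differs from what the file-context rules say it should
        # be: restoring the default label is the fix, as the thread concludes.
        return ("mislabeled", f"restorecon '{path}'")
    # Label already matches the policy's expectation, so relabeling changes
    # nothing; the denial reflects the policy itself and needs a policy review.
    return ("policy", f"label of '{path}' is correct; review policy for "
                      f"{rec['stype']} {rec['perms']} on {rec['ttype']}")


def triage(lines, name_to_path, expected):
    """Run parse + classify over a batch of audit lines; skip non-AVC records."""
    results = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        results.append((rec["name"], *classify(rec, name_to_path[rec["name"]], expected)))
    return results


if __name__ == "__main__":
    names = {".index": "/usr/share/snmp/mibs/.index",
             "index.html": "/var/www/html/index.html"}
    for name, verdict, action in triage(SAMPLE_AUDIT_LINES, names, EXPECTED_CONTEXT):
        print(f"{name}: {verdict} -> {action}")
```

The check mirrors what the poster did by hand: the AVC's tcontext gives the label the file actually carries, matchpathcon gives the label the policy's file-context rules assign to that path, and only when the two differ is restorecon (or a full relabel) the right tool. On a real host the EXPECTED_CONTEXT table would be filled by running matchpathcon on the paths reported in the alerts.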