F12: SeLinux reports illegal httpd access to .index files?

Daniel B. Thurman dant at cdkkt.com
Fri Mar 5 19:32:14 UTC 2010


> On 03/05/2010 01:08 PM, Daniel B. Thurman wrote:
>> Seems to me, that httpd should not be looking at /usr/share/snmp/.../.index
>> files?  Notice that the .index file appears and for some reason httpd thinks
>> it should be looking at it!?!?  I don't know what to make of it.
>>
>> Here is what I got from selinuxtool:
>> ================================================
>> Summary:
>>
>> SELinux is preventing /usr/sbin/httpd "write" access to
>> /usr/share/snmp/mibs/.index.
>>
>> Detailed Description:
>>
>> SELinux denied access requested by httpd. /usr/share/snmp/mibs/.index may be a
>> mislabeled. /usr/share/snmp/mibs/.index default SELinux type is snmpd_var_lib_t,
>> but its current type is usr_t. Changing this file back to the default type, may
>> fix your problem.
>>
>> File contexts can be assigned to a file in the following ways.
>>
>>     * Files created in a directory receive the file context of the parent
>>       directory by default.
>>     * The SELinux policy might override the default label inherited from the
>>       parent directory by specifying a process running in context A which creates
>>       a file in a directory labeled B will instead create the file with label C.
>>       An example of this would be the dhcp client running with the dhclient_t type
>>       and creating a file in the directory /etc. This file would normally receive
>>       the etc_t type due to parental inheritance but instead the file is labeled
>>       with the net_conf_t type because the SELinux policy specifies this.
>>     * Users can change the file context on a file using tools such as chcon, or
>>       restorecon.
>>
>> This file could have been mislabeled either by user error, or if an normally
>> confined application was run under the wrong domain.
>>
>> However, this might also indicate a bug in SELinux because the file should not
>> have been labeled with this type.
>>
>> If you believe this is a bug, please file a bug report against this package.
>>
>> Allowing Access:
>>
>> You can restore the default system context to this file by executing the
>> restorecon command. restorecon '/usr/share/snmp/mibs/.index', if this file is a
>> directory, you can recursively restore using restorecon -R
>> '/usr/share/snmp/mibs/.index'.
>>
>> Fix Command:
>>
>> /sbin/restorecon '/usr/share/snmp/mibs/.index'
>>
>> Additional Information:
>>
>> Source Context                system_u:system_r:httpd_t:s0
>> Target Context                unconfined_u:object_r:usr_t:s0
>> Target Objects                /usr/share/snmp/mibs/.index [ file ]
>> Source                        httpd
>> Source Path                   /usr/sbin/httpd
>> Port                          <Unknown>
>> Host                          gold.cdkkt.com
>> Source RPM Packages           httpd-2.2.14-1.fc12
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.6.32-89.fc12
>> Selinux Enabled               True
>> Policy Type                   targeted
>> Enforcing Mode                Enforcing
>> Plugin Name                   restorecon
>> Host Name                     gold.cdkkt.com
>> Platform                      Linux gold.cdkkt.com 2.6.31.12-174.2.22.fc12.i686
>>                               #1 SMP Fri Feb 19 19:26:06 UTC 2010 i686 i686
>> Alert Count                   1
>> First Seen                    Tue 02 Mar 2010 02:35:14 PM PST
>> Last Seen                     Tue 02 Mar 2010 02:35:14 PM PST
>> Local ID                      985d0293-7cc2-401b-85b0-d8273b14364e
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=gold.cdkkt.com type=AVC msg=audit(1267569314.169:39991): avc: denied  { write } for  pid=2133 comm="httpd" name=".index" dev=sdb8 ino=520318 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
>>
>> node=gold.cdkkt.com type=SYSCALL msg=audit(1267569314.169:39991): arch=40000003 syscall=5 success=no exit=-13 a0=bfe6fa10 a1=8241 a2=1b6 a3=b7181e7f items=0 ppid=1 pid=2133 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>>
>>
>> -- 
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
> That file is owned by snmp
>
> I think some snmp library is causing httpd to write there.
>
> The problem is that it is mislabeled.
>
> matchpathcon /usr/share/snmp/mibs/.index
> /usr/share/snmp/mibs/.index    system_u:object_r:snmpd_var_lib_t:s0
>
> If you fix the label, I believe the avc will go away.

1) How did the label get set this way in the first place?
2) Perhaps I should do:
     # touch /.autorelabel   OR
     restorecon -R /
     And that should update the latest policies on all (mislabeled) files?

For now, I did:
# chcon -u system_u -t snmpd_var_lib_t /usr/share/snmp/mibs/.index
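The triage the thread performs by hand (read the AVC, run matchpathcon, compare the file's current type with the policy default, restorecon if they differ) can be made repeatable. The following is an added Python example, not code from the thread or from the selinux-policy project. It parses the raw AVC record quoted above, looks up the default type the policy would assign to the path, and emits the restorecon fix only when the current type differs from that default; when the two already agree, restorecon cannot change anything and the denial is a policy question rather than a labeling one. The DEFAULT_FILE_CONTEXTS table is a constructed stand-in for matchpathcon (only the /usr/share/snmp/mibs entry comes from the thread's matchpathcon output); on a real host you would query matchpathcon(1) or selinux.matchpathcon() instead.

```python
"""Triage an SELinux AVC denial: is the target mislabeled, or is the denial
what the loaded policy intends?  Added example; not code from the thread or
from the selinux-policy project."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for matchpathcon(1): longest matching prefix wins.
# Only the /usr/share/snmp/mibs entry is taken from the thread; the rest are
# illustrative defaults.  On a real host, query matchpathcon instead.
DEFAULT_FILE_CONTEXTS = {
    "/usr/share/snmp/mibs": "snmpd_var_lib_t",
    "/usr": "usr_t",
    "/etc": "etc_t",
}

# The AVC record quoted in the thread, as audit writes it (one line).
SAMPLE_AVC = (
    'node=gold.cdkkt.com type=AVC msg=audit(1267569314.169:39991): avc: '
    'denied  { write } for  pid=2133 comm="httpd" name=".index" dev=sdb8 '
    'ino=520318 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:usr_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}"
    r".*?\bscontext=(?P<scontext>\S+).*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    verdict: str
    perms: list
    comm: str
    name: str
    stype: str   # source (process) type, e.g. httpd_t
    ttype: str   # target (object) type, e.g. usr_t
    tclass: str


def context_type(ctx: str) -> str:
    """user:role:type:level -> type (the field policy rules are written against)."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Optional[Avc]:
    """Pull the fields that matter for triage out of one audit AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return Avc(
        verdict=m.group("verdict"),
        perms=m.group("perms").split(),
        comm=fields.get("comm", "?"),
        name=fields.get("name", "?"),
        stype=context_type(m.group("scontext")),
        ttype=context_type(m.group("tcontext")),
        tclass=m.group("tclass"),
    )


def default_type(path: str, table=DEFAULT_FILE_CONTEXTS) -> Optional[str]:
    """Longest-prefix lookup standing in for matchpathcon."""
    best = None
    for prefix, ftype in table.items():
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, ftype)
    return best[1] if best else None


def triage(line: str, path: str) -> dict:
    """Decide whether restorecon is the right fix for this denial."""
    avc = parse_avc(line)
    if avc is None:
        return {"status": "not-an-avc"}
    expected = default_type(path)
    summary = f"{avc.comm} ({avc.stype}) denied {' '.join(avc.perms)} on {path} ({avc.ttype})"
    if expected is None:
        return {"status": "unknown-path", "summary": summary}
    if expected != avc.ttype:
        # The file does not carry the type the policy says it should: relabel.
        return {"status": "mislabeled", "summary": summary, "current": avc.ttype,
                "expected": expected, "fix": f"restorecon '{path}'"}
    # Label already matches policy: restorecon is a no-op; this is a policy decision.
    return {"status": "policy-denial", "summary": summary, "current": avc.ttype,
            "expected": expected}


if __name__ == "__main__":
    print(triage(SAMPLE_AVC, "/usr/share/snmp/mibs/.index"))
```

The split into "mislabeled" versus "policy-denial" is the point: the thread's chcon/restorecon advice only applies to the first case, and the result of `triage()` tells you which one you are in before you touch any label.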


