F12: SeLinux reports illegal httpd access to .index files?

Daniel B. Thurman dant at cdkkt.com
Sat Mar 6 00:49:36 UTC 2010


> On 03/05/2010 02:32 PM, Daniel B. Thurman wrote:
>>> On 03/05/2010 01:08 PM, Daniel B. Thurman wrote:
>>>> Seems to me, that httpd should not be looking at
>>>> /usr/share/snmp/.../.index
>>>> files?  Notice that the .index file appears and for some reason httpd
>>>> thinks
>>>> it should be looking at it!?!?  I don't know what to make of it.
>>>>
>>>> Here is what I got from selinuxtool:
>>>> ================================================
>>>> Summary:
>>>>
>>>> SELinux is preventing /usr/sbin/httpd "write" access to
>>>> /usr/share/snmp/mibs/.index.
>>>>
>>>> Detailed Description:
>>>>
>>>> SELinux denied access requested by httpd. /usr/share/snmp/mibs/.index
>>>> may be a
>>>> mislabeled. /usr/share/snmp/mibs/.index default SELinux type is
>>>> snmpd_var_lib_t,
>>>> but its current type is usr_t. Changing this file back to the default
>>>> type, may
>>>> fix your problem.
>>>>
>>>> File contexts can be assigned to a file in the following ways.
>>>>
>>>>      * Files created in a directory receive the file context of the
>>>> parent
>>>>        directory by default.
>>>>      * The SELinux policy might override the default label inherited
>>>> from the
>>>>        parent directory by specifying a process running in context A
>>>> which
>>>> creates
>>>>        a file in a directory labeled B will instead create the file 
>>>> with
>>>> label C.
>>>>        An example of this would be the dhcp client running with the
>>>> dhclient_t type
>>>>        and creating a file in the directory /etc. This file would
>>>> normally
>>>> receive
>>>>        the etc_t type due to parental inheritance but instead the 
>>>> file is
>>>> labeled
>>>>        with the net_conf_t type because the SELinux policy specifies
>>>> this.
>>>>      * Users can change the file context on a file using tools such as
>>>> chcon, or
>>>>        restorecon.
>>>>
>>>> This file could have been mislabeled either by user error, or if an
>>>> normally
>>>> confined application was run under the wrong domain.
>>>>
>>>> However, this might also indicate a bug in SELinux because the file
>>>> should not
>>>> have been labeled with this type.
>>>>
>>>> If you believe this is a bug, please file a bug report against this
>>>> package.
>>>>
>>>> Allowing Access:
>>>>
>>>> You can restore the default system context to this file by 
>>>> executing the
>>>> restorecon command. restorecon '/usr/share/snmp/mibs/.index', if this
>>>> file is a
>>>> directory, you can recursively restore using restorecon -R
>>>> '/usr/share/snmp/mibs/.index'.
>>>>
>>>> Fix Command:
>>>>
>>>> /sbin/restorecon '/usr/share/snmp/mibs/.index'
>>>>
>>>> Additional Information:
>>>>
>>>> Source Context                system_u:system_r:httpd_t:s0
>>>> Target Context                unconfined_u:object_r:usr_t:s0
>>>> Target Objects                /usr/share/snmp/mibs/.index [ file ]
>>>> Source                        httpd
>>>> Source Path                   /usr/sbin/httpd
>>>> Port<Unknown>
>>>> Host                          gold.cdkkt.com
>>>> Source RPM Packages           httpd-2.2.14-1.fc12
>>>> Target RPM Packages
>>>> Policy RPM                    selinux-policy-3.6.32-89.fc12
>>>> Selinux Enabled               True
>>>> Policy Type                   targeted
>>>> Enforcing Mode                Enforcing
>>>> Plugin Name                   restorecon
>>>> Host Name                     gold.cdkkt.com
>>>> Platform                      Linux gold.cdkkt.com
>>>> 2.6.31.12-174.2.22.fc12.i686
>>>>                                  #1 SMP Fri Feb 19 19:26:06 UTC 2010
>>>> i686 i686
>>>> Alert Count                   1
>>>> First Seen                    Tue 02 Mar 2010 02:35:14 PM PST
>>>> Last Seen                     Tue 02 Mar 2010 02:35:14 PM PST
>>>> Local ID                      985d0293-7cc2-401b-85b0-d8273b14364e
>>>> Line Numbers
>>>>
>>>> Raw Audit Messages
>>>>
>>>> node=gold.cdkkt.com type=AVC msg=audit(1267569314.169:39991): avc:
>>>> denied  { write } for  pid=2133 comm="httpd" name=".index" dev=sdb8
>>>> ino=520318 scontext=system_u:system_r:httpd_t:s0
>>>> tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
>>>>
>>>> node=gold.cdkkt.com type=SYSCALL msg=audit(1267569314.169:39991):
>>>> arch=40000003 syscall=5 success=no exit=-13 a0=bfe6fa10 a1=8241 a2=1b6
>>>> a3=b7181e7f items=0 ppid=1 pid=2133 auid=4294967295 uid=0 gid=0 euid=0
>>>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
>>>> comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
>>>> key=(null)
>>>>
>>>>
>>>> -- 
>>>> selinux mailing list
>>>> selinux at lists.fedoraproject.org
>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>
>>>>
>>> That file is owned by snmp
>>>
>>> I think some snmp library is causing httpd to write there.
>>>
>>> The problem is that it is mislabeled.
>>>
>>> matchpathcon /usr/share/snmp/mibs/.index
>>> /usr/share/snmp/mibs/.index    system_u:object_r:snmpd_var_lib_t:s0
>>>
>>> If you fix the label, I believe the avc will go away.
>> 1) How did the label get set this way in the first place?
>> 2) Perhaps I should do:
>>       # touch /.autorelabel   OR
>>       restorecon -R /
>>       And that should update the latest policies on all (mislabeled) files?
>>
>> For now, I did:
>> # chcon -u system_u -t snmpd_var_lib_t /usr/share/snmp/mibs/.index
>>
>>
>>
> No just the restorecon will be fine.  That file probably did not exist 
> originally and some unconfined app created it with the wrong label.  
> Once you run restorecon on it, the label should stay.   If it becomes 
> mislabeled again, please contact me.
Ok, I changed .index to the old setting and ran `restorecon .index` and it
properly restored the attributes.

Thanks!
Dan
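
As an added example (not part of this thread and not Fedora or SELinux project code), here is a small Python checker that parses the raw AVC record quoted above and decides whether a denial is a labeling problem, the `restorecon` case the reply describes, or a genuine policy denial on a correctly labeled file, which `restorecon` will not fix. The AVC record only carries `name=`, `dev=` and `ino=`, so the full path has to be supplied separately (setroubleshoot shows it; `find / -inum` also works). The `EXPECTED_CONTEXTS` table is a constructed stand-in for `matchpathcon` output; `parse_avc`, `classify` and `AvcDenial` are names chosen here, not an existing API.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the AVC record from the thread, on one line as auditd emits it.
SAMPLE_AVC = (
    'node=gold.cdkkt.com type=AVC msg=audit(1267569314.169:39991): avc:  '
    'denied  { write } for  pid=2133 comm="httpd" name=".index" dev=sdb8 '
    'ino=520318 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:usr_t:s0 tclass=file'
)

# Constructed stand-in for `matchpathcon PATH` output: path -> default context.
EXPECTED_CONTEXTS: Dict[str, str] = {
    "/usr/share/snmp/mibs/.index": "system_u:object_r:snmpd_var_lib_t:s0",
}

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: List[str]          # permissions that were denied, e.g. ["write"]
    fields: Dict[str, str]    # pid, comm, name, scontext, tcontext, tclass, ...

    @staticmethod
    def _type_of(context: str) -> str:
        # user:role:type:level -> type
        return context.split(":")[2]

    @property
    def source_type(self) -> str:
        return self._type_of(self.fields["scontext"])

    @property
    def target_type(self) -> str:
        return self._type_of(self.fields["tcontext"])


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one audit line; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcDenial(perms, fields)


def classify(denial: AvcDenial, path: str, expected: Dict[str, str]) -> str:
    """
    'mislabeled' : file's current type differs from the policy default
                   -> `restorecon PATH` is the fix (the case in this thread)
    'policy'     : file is labeled as policy intends, so the domain really is
                   not allowed this access -> needs a boolean or policy change
    'unknown'    : no default context known for the path
    """
    default = expected.get(path)
    if default is None:
        return "unknown"
    if denial.target_type != AvcDenial._type_of(default):
        return "mislabeled"
    return "policy"


if __name__ == "__main__":
    d = parse_avc(SAMPLE_AVC)
    assert d is not None
    path = "/usr/share/snmp/mibs/.index"
    print(f"{d.fields['comm']} ({d.source_type}) denied {d.perms} on "
          f"{d.fields['name']} labeled {d.target_type}: "
          f"{classify(d, path, EXPECTED_CONTEXTS)}")
```

Running it on the sample record reports `httpd (httpd_t) denied ['write'] on .index labeled usr_t: mislabeled`, which matches the reply's diagnosis: the target type `usr_t` is not the `snmpd_var_lib_t` that `matchpathcon` reports, so `restorecon` on the file is the correct fix and no policy change is needed. If the same denial showed up with the file already labeled `snmpd_var_lib_t`, the checker returns `policy`, and that is the point at which a boolean or a local policy module, not relabeling, is the right question to ask.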
