F12: /var/run/utmp

Daniel J Walsh dwalsh at redhat.com
Mon Mar 29 12:59:19 UTC 2010


On 03/28/2010 03:16 PM, Daniel B. Thurman wrote:
> I am not sure what to make of this, so how can I fix it:
>
> ===================================
> Summary:
>
> SELinux is preventing /usr/bin/uptime from using potentially mislabeled
> files /var/run/utmp.
>
> Detailed Description:
>
> [SELinux is in permissive mode. This access was not denied.]
>
> SELinux has denied the uptime access to potentially mislabeled files
> /var/run/utmp. This means that SELinux will not allow httpd to use these
> files. If httpd should be allowed this access to these files you should
> change the file context to one of the following types: abrt_helper_exec_t,
> httpd_helper_exec_t,
> dbusd_etc_t, httpd_squirrelmail_t, httpd_php_exec_t,
> httpd_nagios_htaccess_t,
> textrel_shlib_t, rpm_script_tmp_t, samba_var_t, ld_so_t, net_conf_t,
> public_content_t, sysctl_kernel_t, httpd_modules_t, rpm_tmp_t,
> httpd_suexec_exec_t, application_exec_type, httpd_nutups_cgi_htaccess_t,
> mailman_cgi_exec_t, gitosis_var_lib_t, httpd_squid_htaccess_t,
> httpd_munin_htaccess_t, etc_runtime_t, mailman_archive_t, httpd_var_lib_t,
> httpd_var_run_t, bin_t, cert_t, ld_so_cache_t, httpd_t, fail2ban_var_lib_t,
> lib_t, httpd_awstats_htaccess_t, httpd_user_htaccess_t, usr_t,
> chroot_exec_t,
> httpd_rotatelogs_exec_t, public_content_rw_t, httpd_bugzilla_htaccess_t,
> httpd_cobbler_htaccess_t, nagios_etc_t, nagios_log_t, sssd_public_t,
> mailman_data_t, httpd_keytab_t, httpd_apcupsd_cgi_htaccess_t,
> system_dbusd_var_lib_t, httpd_cvs_htaccess_t, httpd_git_htaccess_t,
> httpd_sys_htaccess_t, squirrelmail_spool_t, cluster_conf_t,
> httpd_prewikka_htaccess_t, fonts_cache_t, httpd_exec_t, httpd_lock_t,
> httpd_log_t, logfile, httpd_rw_content, krb5_conf_t, locale_t,
> httpd_unconfined_script_exec_t, etc_t, fonts_t, httpd_ro_content,
> proc_t, src_t,
> sysfs_t, calamaris_www_t, krb5_keytab_t, httpd_cache_t, httpd_tmpfs_t,
> iso9660_t, httpd_config_t, var_lib_t, abrt_var_run_t, configfile,
> udev_tbl_t,
> abrt_t, httpd_tmp_t, lib_t, shell_exec_t, httpd_w3c_validator_htaccess_t,
> mysqld_etc_t, cvs_data_t, sysctl_crypto_t, httpd_bugzilla_content_ra_t,
> httpd_bugzilla_content_rw_t, httpd_nutups_cgi_script_exec_t,
> httpd_nagios_content_ra_t, httpd_nagios_content_rw_t,
> httpd_nagios_content_t,
> httpd_w3c_validator_content_t, httpd_sys_content_ra_t,
> httpd_sys_content_rw_t,
> httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t,
> httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_cobbler_script_exec_t,
> httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t,
> httpd_git_content_t, httpd_user_content_t, httpd_squid_content_ra_t,
> httpd_squid_content_rw_t, httpd_prewikka_content_t, httpd_munin_content_t,
> httpd_squid_content_t, httpd_awstats_script_exec_t,
> httpd_apcupsd_cgi_content_t,
> httpd_cobbler_content_t, httpd_apcupsd_cgi_content_ra_t,
> httpd_apcupsd_cgi_content_rw_t, httpd_nagios_script_exec_t,
> httpd_cvs_content_t,
> httpd_sys_content_t, httpd_sys_content_t, root_t, httpd_munin_script_exec_t,
> httpd_w3c_validator_script_exec_t, httpd_prewikka_content_ra_t,
> httpd_prewikka_content_rw_t, httpd_user_script_exec_t,
> httpd_bugzilla_content_t,
> httpd_awstats_content_ra_t, httpd_awstats_content_rw_t,
> httpd_bugzilla_script_exec_t, httpd_apcupsd_cgi_script_exec_t,
> httpd_squid_script_exec_t, httpd_w3c_validator_content_ra_t,
> httpd_w3c_validator_content_rw_t, httpd_nutups_cgi_content_t,
> httpd_awstats_content_t, httpd_sys_script_exec_t, httpd_user_content_ra_t,
> httpd_user_content_rw_t, httpd_git_script_exec_t,
> httpd_cobbler_content_ra_t,
> httpd_cobbler_content_rw_t, httpdcontent, httpd_cvs_script_exec_t,
> httpd_prewikka_script_exec_t, httpd_munin_content_ra_t,
> httpd_munin_content_rw_t. Many third party apps install html files in
> directories that SELinux policy cannot predict. These directories have to be
> labeled with a file context which httpd can access.
>
> Allowing Access:
>
> If you want to change the file context of /var/run/utmp so that the
> httpd daemon can access it, you need to execute it using
> semanage fcontext -a -t FILE_TYPE '/var/run/utmp'.
> where FILE_TYPE is one of the types listed above. You can look at the
> httpd_selinux man page for additional information.
>
> Additional Information:
>
> Source Context                system_u:system_r:httpd_t:s0
> Target Context                system_u:object_r:initrc_var_run_t:s0
> Target Objects                /var/run/utmp [ file ]
> Source                        uptime
> Source Path                   /usr/bin/uptime
> Port                          <Unknown>
> Host                          host.domain.com
> Source RPM Packages           procps-3.2.8-3.fc12
> Target RPM Packages           initscripts-9.02.1-1
> Policy RPM                    selinux-policy-3.6.32-103.fc12
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Permissive
> Plugin Name                   httpd_bad_labels
> Host Name                     host.domain.com
> Platform                      Linux host.domain.com 2.6.32.9-70.fc12.i686 #1 SMP Wed Mar 3 05:14:32 UTC 2010 i686 i686
> Alert Count                   2
> First Seen                    Sun 28 Mar 2010 12:04:45 PM PDT
> Last Seen                     Sun 28 Mar 2010 12:09:52 PM PDT
> Local ID                      5f9c855c-31e3-42c9-83fd-9c9b6262cd00
> Line Numbers
>
> Raw Audit Messages
>
> node=host.domain.com type=AVC msg=audit(1269803392.422:30): avc:
> denied  { open } for  pid=4900 comm="uptime" name="utmp" dev=sdb10
> ino=206 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
>
> node=host.domain.com type=SYSCALL msg=audit(1269803392.422:30):
> arch=40000003 syscall=5 success=yes exit=4 a0=3f5cb5 a1=88000 a2=430680
> a3=3f5cbb items=0 ppid=2613 pid=4900 auid=4294967295 uid=48 gid=489
> euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none)
> ses=4294967295 comm="uptime" exe="/usr/bin/uptime"
> subj=system_u:system_r:httpd_t:s0 key=(null)
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

If you want to allow apache to read the utmp file, just add the allow rules.

# grep httpd_t /var/log/audit/audit.log | audit2allow -M myhttpd
# semodule -i myhttpd.pp

You might have to do this a couple of times.  Allowing this means a 
compromised system would be able to see the users that have logged into 
a system.

You can debate if this is worth preventing, but we do not want to allow 
all http servers the ability to read this file.
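An added example, not part of either message above: a small Python script that does the job of the grep/audit2allow step, parsing AVC records like the one quoted in the report and rendering the allow rule a local module would carry. The sample input is the thread's own AVC line (rejoined onto one line) plus a constructed second record for a "read" denial; the .te output is a simplified rendition of what audit2allow prints, not its exact text.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record quoted in the thread, rejoined onto one
# line, plus a second, constructed record for a "read" denial on the same
# inode so that the merge of permissions into one rule is visible.
SAMPLE_AUDIT = (
    'node=host.domain.com type=AVC msg=audit(1269803392.422:30): avc:  denied  '
    '{ open } for  pid=4900 comm="uptime" name="utmp" dev=sdb10 ino=206 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file\n'
    'node=host.domain.com type=AVC msg=audit(1269803392.422:31): avc:  denied  '
    '{ read } for  pid=4900 comm="uptime" name="utmp" dev=sdb10 ino=206 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file\n'
)

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)'
)

def parse_avc(audit_text, source_type="httpd_t"):
    """Return (source_type, target_type, class, perms) for each AVC denial
    whose source domain matches, mirroring `grep httpd_t | audit2allow`."""
    found = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = m.group("src").split(":")[2]   # context is user:role:TYPE:level
        tgt = m.group("tgt").split(":")[2]
        if src != source_type:
            continue
        found.append((src, tgt, m.group("cls"), set(m.group("perms").split())))
    return found

def build_module(denials, name="myhttpd"):
    """Render a minimal .te policy module in the shape audit2allow emits."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        merged[(src, tgt, cls)] |= perms
    types = sorted({t for key in merged for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in merged.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    # The rule is type-based: it grants httpd_t this access to every file
    # labeled initrc_var_run_t, not only /var/run/utmp.
    out += [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(merged.items())]
    return "\n".join(out) + "\n"
```

Because SELinux rules are written against types rather than paths, the generated allow covers every initrc_var_run_t file, which is the reason the reply is reluctant to grant it to all web servers.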
