SElinux issue

Daniel J Walsh dwalsh at redhat.com
Tue Sep 29 16:53:55 UTC 2015


Looks like prelude.te provides the prewikka code.

grep prew *
prelude.fc:/usr/share/prewikka/cgi-bin(/.*)?	gen_context(system_u:object_r:prewikka_script_exec_t,s0)
prelude.te:	apache_content_template(prewikka)
prelude.te:	apache_content_alias_template(prewikka, prewikka)
prelude.te:	can_exec(prewikka_script_t, prewikka_script_exec_t)
prelude.te:	files_search_tmp(prewikka_script_t)
prelude.te:	kernel_read_sysctl(prewikka_script_t)
prelude.te:	kernel_search_network_sysctl(prewikka_script_t)
prelude.te:	auth_use_nsswitch(prewikka_script_t)
prelude.te:	logging_send_syslog_msg(prewikka_script_t)
prelude.te:	apache_search_sys_content(prewikka_script_t)
prelude.te:		mysql_stream_connect(prewikka_script_t)
prelude.te:		mysql_tcp_connect(prewikka_script_t)
prelude.te:		postgresql_stream_connect(prewikka_script_t)
prelude.te:		postgresql_tcp_connect(prewikka_script_t)

semodule -l | grep prelude

On 09/25/2015 06:51 PM, Paolo Galtieri wrote:
> Daniel,
>   on the machine on which things work there is a prewikka.pp file, but
> on the one that fails there isn't.  On the system
> that fails I have the following prewikka policy file (prewikkapol.te):
>
> module prewikka 1.0;
>
> require {
>     type tmp_t;
>     type init_var_run_t;
>     type httpd_prewikka_script_t;
>     type sysfs_t;
>     class dir { read search };
> }
>
> #============= httpd_prewikka_script_t ==============
> allow httpd_prewikka_script_t init_var_run_t:dir search;
> allow httpd_prewikka_script_t sysfs_t:dir read;
> allow httpd_prewikka_script_t tmp_t:dir read;
>
> and the corresponding prewikkapol.pp file.
>
> On the system that works I have the following prewikka policy file
> (prewikka.te):
>
> module prewikka 1.0;
>
> require {
>     type tmp_t;
>     type init_var_run_t;
>     type httpd_prewikka_script_t;
>     type sysfs_t;
>     class dir { read search };
> }
>
> #============= httpd_prewikka_script_t ==============
> allow httpd_prewikka_script_t init_var_run_t:dir search;
> allow httpd_prewikka_script_t sysfs_t:dir read;
> allow httpd_prewikka_script_t tmp_t:dir read;
>
> and the corresponding prewikka.pp file.  So as far as I know the
> prewikka policy files are present, and neither says
> anything about httpd_prewikka_rw_content_t.
>
> Also if I run
>
> semodule -l
>
> the appropriate policy file is shown.
>
> I tried disabling the module:
>
> sudo semodule -d prewikkapol
> [sudo] password for pgaltieri:
> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
> defined (No such file or directory).
> libsepol.context_from_record: could not create context structure
> (Invalid argument).
> libsemanage.validate_handler: invalid context
> system_u:object_r:httpd_prewikka_rw_content_t:s0 specified for
> /usr/share/prewikka/htdocs/generated_images [all files] (Invalid
> argument).
> libsemanage.dbase_llist_iterate: could not iterate over records
> (Invalid argument).
> semodule:  Failed!
>
> I tried to remove the module:
>
> sudo semodule -r prewikkapol
> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
> defined (No such file or directory).
> libsepol.context_from_record: could not create context structure
> (Invalid argument).
> libsemanage.validate_handler: invalid context
> system_u:object_r:httpd_prewikka_rw_content_t:s0 specified for
> /usr/share/prewikka/htdocs/generated_images [all files] (Invalid
> argument).
> libsemanage.dbase_llist_iterate: could not iterate over records
> (Invalid argument).
> semodule:  Failed!
>
> It does appear though that setsebool still works despite the errors.
>
> Still confused though why I'm seeing the error.
>
> Thanks for the help,
>
> Paolo
>
>
> On 09/25/2015 12:26 PM, Daniel J Walsh wrote:
>> Looks like you might have a prewikka policy around?
>>
>> locate prewikka.pp
>>
>> Did you build a custom policy module?
>>
>> On 09/25/2015 02:30 PM, Paolo Galtieri wrote:
>>> Folks,
>>>    I got an SElinux alert this morning.  The suggestion to correct the
>>> problem was to do:
>>>
>>> setsebool -P unconfined_mozilla_plugin_transition 0
>>>
>>> When I did this I got the following response:
>>>
>>> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
>>> defined
>>> libsepol.context_from_record: could not create context structure
>>> libsepol.context_from_string: could not create context structure
>>> libsepol.sepol_context_to_sid: could not convert
>>> system_u:object_r:httpd_prewikka_rw_content_t:s0 to sid
>>> invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0
>>> libsepol.context_from_record: type httpd_prewikka_rw_content_t is not
>>> defined
>>> libsepol.context_from_record: could not create context structure
>>> libsepol.context_from_string: could not create context structure
>>> libsepol.sepol_context_to_sid: could not convert
>>> system_u:object_r:httpd_prewikka_rw_content_t:s0 to sid
>>> invalid context system_u:object_r:httpd_prewikka_rw_content_t:s0
>>>
>>> I have 2 systems running F22. I got this response on one of the
>>> systems, but not the other.  When I was running F19 on the affected
>>> system (prior to upgrading to F22) I did have the prewikka packages
>>> installed, but I have since removed them.  However, it appears that
>>> some remnants of those packages remain.
>>>
>>> How do I fix this issue?  I looked in the httpd config files and
>>> couldn't find any reference.
>>>
>>> Any help is appreciated.
>>>
>>> Paolo
>
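
Neither message in the thread shows how to find which file-context entry still references the undefined type. The script below is an added example, not code from Daniel or Paolo; it assumes that locally added file contexts live in /etc/selinux/targeted/contexts/files/file_contexts.local (where semanage fcontext -a records them) and that seinfo -t from setools lists every type in the loaded policy. It cross-checks the type in each entry's context against that list and reports the orphans. The sample data is constructed to mirror the error in the thread: an entry for /usr/share/prewikka/htdocs/generated_images labelled httpd_prewikka_rw_content_t, with no loaded module defining that type.

```sh
#!/bin/sh
# Added example, not code from the thread: cross-check file-context entries
# against the types defined in the loaded policy.  The errors in the thread
# come from exactly this mismatch: a file-context entry labels
# /usr/share/prewikka/htdocs/generated_images with httpd_prewikka_rw_content_t,
# but no loaded module defines that type any more, so libsemanage refuses to
# commit any transaction (setsebool -P, semodule -d, semodule -r) while the
# entry exists.
#
# Assumed real inputs (paths and tool are not shown in the thread):
#   fcontext file: /etc/selinux/targeted/contexts/files/file_contexts.local
#                  (entries added with semanage fcontext -a)
#   types file:    output of "seinfo -t" (setools), one type per line

# report_orphan_fcontexts FCONTEXT_FILE TYPES_FILE
# Prints "<path-regex> <type>" for every entry whose type is not in TYPES_FILE.
report_orphan_fcontexts() {
    awk '
        # First file: collect defined types.  Leading whitespace is ignored
        # because awk splits fields on it; a "Types: N" header line from
        # seinfo is harmless.
        NR == FNR { if (NF) known[$1] = 1; next }
        # Second file: skip comments and blank lines.
        /^[ \t]*#/ { next }
        NF == 0    { next }
        {
            ctx = $NF                       # context is always the last field
            if (ctx == "<<none>>") next     # "do not relabel" marker, no type
            split(ctx, f, ":")              # user:role:type[:range]
            if (!(f[3] in known)) print $1, f[3]
        }
    ' "$2" "$1"
}

# Constructed sample data standing in for the real files on the affected host.
demo_orphans() {
    tmp=$(mktemp -d)
    cat > "$tmp/file_contexts.local" <<'EOF'
# This file is auto-generated by libsemanage
/usr/share/prewikka/htdocs/generated_images(/.*)?    system_u:object_r:httpd_prewikka_rw_content_t:s0
/srv/www/app(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/srv/www/app/cache(/.*)?    -d    system_u:object_r:httpd_sys_rw_content_t:s0
EOF
    cat > "$tmp/types" <<'EOF'
Types: 3
   httpd_sys_content_t
   httpd_sys_rw_content_t
   httpd_prewikka_script_t
EOF
    report_orphan_fcontexts "$tmp/file_contexts.local" "$tmp/types"
    rm -rf "$tmp"
}

demo_orphans
```

Run against the real files with something like `seinfo -t > /tmp/types; report_orphan_fcontexts /etc/selinux/targeted/contexts/files/file_contexts.local /tmp/types`. Once the orphan entry is identified, the two ways out (my assumption; the thread does not reach a resolution) are to reinstall the module that defined the type or to delete that line from the local file-context store; the thread's output shows that libsemanage validates the store on every commit, so a `semanage fcontext -d` transaction should be expected to fail with the same "invalid context" error while the entry is present.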
