Daniel J Walsh wrote:
You are in permissive mode, if you were in enforcing these would show
up
as unlabeled_t.
system:object_r:httpd_sys_script_exec_t:s0
should be
system_u:object_r:httpd_sys_script_exec_t:
I think you did a chcon system:object_r:httpd_sys_script_exec_t:s0 -R
/...apps/trac/<proj>/cgi-bin/
Basically the kernel is telling you it has no idea what the user system
is.
Looking through my (root's) history, no. I did an semanage. To be on the
positive side, in case I did a full reinstall, I did it again, and the
restorecon -v , which had no o/p. I then redid it, with a -m in place of
-a, and again the restorecon -v said nothing.
So, tail -f /var/log/messages, I went to the site, and here's more info:
it's complaining about access to ./db/trac.db. Should that be
ll -Z db
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 ./
drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 ../
-rw-r--r--. apache root system:object_r:httpd_sys_content_t:s0
sqlite.26.1394654363.bak
-rw-r--r--. apache root system:object_r:httpd_sys_content_t:s0 trac.db
Or should the db directory and the trac.db have different contexts so that
selinux does not complain when trac wants to write to them, or create the
tempfile of db/trac.db-journal?
mark
On 04/02/2014 09:53 AM, m.roth(a)5-cent.us wrote:
> Daniel J Walsh wrote:
>> Mark could you send the actual AVC?
>>
>> On 04/01/2014 02:27 PM, m.roth(a)5-cent.us wrote:
>>> CentOS 6.5, current.
>>>
>>> ll -aZ /.../apps/trac/<proj>/cgi-bin/
>>> drwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0 .
>>> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 ..
>>> -rwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0
>>> trac.cgi
>>> -rwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0
>>> trac.fcgi
>>> -rwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0
>>> trac.wsgi
>>>
>>> httpd_enable_cgi --> on
>>>
>>>
>>> Name : selinux-policy-targeted
>>> Version : 3.7.19
>>> Release : 231.el6
>>>
>>> From the sealert:
>>> SELinux is preventing /usr/bin/python from ioctl access on the file
>>> /public/apps/trac/PLT/cgi-bin/trac.cgi.
>>>
>>> ***** Plugin restorecon (94.8 confidence) suggests
>>> *************************
>>>
>>> If you want to fix the label.
>>> /<...>/apps/trac/<...>/cgi-bin/trac.cgi default label should be
>>> httpd_sys_script_exec_t.
>>> Then you can run restorecon.
>>> Do
>>> # /sbin/restorecon -v /public/apps/trac/PLT/cgi-bin/trac.cgi
> Ok... took me a bit to figure out which of the current AVCs resulted in
> yesterday's. I *think* it's this:
> type=AVC msg=audit(1396374681.854:721317): avc: denied { ioctl } for
> pid=11906 comm="trac.cgi"
path="/public/apps/trac/PLT/cgi-bin/trac.cgi"
> dev=sda3 ino=10272821 scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
>
> Yes, grep AVC /var/log/audit/audit.log | grep trac.cgi | grep ioc | grep
> -v unlabel
> returns nothing. I *may* be getting closer, because, in the raw AVCs, I
> also find:
> type=AVC msg=audit(1396374115.280:721170): avc: denied { add_name }
> for
> pid=10822 comm="trac.cgi" name="trac.db-journal"
> scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
>
> Let me say that the trac project directory has fcontexts of
> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 ./
> drwxr-xr-x. apache root system:object_r:default_t:s0 ../
> -rw-r--r--. apache root system:object_r:httpd_sys_content_t:s0 README
> -rw-r--r--. apache root system:object_r:httpd_sys_content_t:s0 VERSION
> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0
> attachments/
> drwxr-xr-x. apache root system:object_r:httpd_sys_script_exec_t:s0
> cgi-bin/
> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 conf/
> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 db/
> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 htdocs/
> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 log/
> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0 plugins/
> drwxr-xr-x. apache root system:object_r:httpd_sys_content_t:s0
> templates/
>
> I do *not* see a db/trac.db-journal (we're in permissive mode), so I'm
> guessing it's a true temporary file - my first thought is to make
> transactions atomic, and so roll-backable. There's also no log file -
> something I've just taken care of via the apache setup.
>
> However, I'm concerned - I did set all those fcontexts using semanage,
> not chcon. *What* is this "unlabelled" in the AVC?
>