Linux Archive > Redhat > Fedora SELinux Support

Old 03-28-2010, 07:16 PM
"Daniel B. Thurman"
 
F12: /var/run/utmp

I am not sure what to make of this, so how can I fix it:

===================================
Summary:

SELinux is preventing /usr/bin/uptime from using potentially mislabeled files /var/run/utmp.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied the uptime access to potentially mislabeled files /var/run/utmp. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, abrt_helper_exec_t, httpd_helper_exec_t,
dbusd_etc_t, httpd_squirrelmail_t, httpd_php_exec_t,
httpd_nagios_htaccess_t,
textrel_shlib_t, rpm_script_tmp_t, samba_var_t, ld_so_t, net_conf_t,
public_content_t, sysctl_kernel_t, httpd_modules_t, rpm_tmp_t,
httpd_suexec_exec_t, application_exec_type, httpd_nutups_cgi_htaccess_t,
mailman_cgi_exec_t, gitosis_var_lib_t, httpd_squid_htaccess_t,
httpd_munin_htaccess_t, etc_runtime_t, mailman_archive_t, httpd_var_lib_t,
httpd_var_run_t, bin_t, cert_t, ld_so_cache_t, httpd_t, fail2ban_var_lib_t,
lib_t, httpd_awstats_htaccess_t, httpd_user_htaccess_t, usr_t,
chroot_exec_t,
httpd_rotatelogs_exec_t, public_content_rw_t, httpd_bugzilla_htaccess_t,
httpd_cobbler_htaccess_t, nagios_etc_t, nagios_log_t, sssd_public_t,
mailman_data_t, httpd_keytab_t, httpd_apcupsd_cgi_htaccess_t,
system_dbusd_var_lib_t, httpd_cvs_htaccess_t, httpd_git_htaccess_t,
httpd_sys_htaccess_t, squirrelmail_spool_t, cluster_conf_t,
httpd_prewikka_htaccess_t, fonts_cache_t, httpd_exec_t, httpd_lock_t,
httpd_log_t, logfile, httpd_rw_content, krb5_conf_t, locale_t,
httpd_unconfined_script_exec_t, etc_t, fonts_t, httpd_ro_content,
proc_t, src_t,
sysfs_t, calamaris_www_t, krb5_keytab_t, httpd_cache_t, httpd_tmpfs_t,
iso9660_t, httpd_config_t, var_lib_t, abrt_var_run_t, configfile,
udev_tbl_t,
abrt_t, httpd_tmp_t, lib_t, shell_exec_t, httpd_w3c_validator_htaccess_t,
mysqld_etc_t, cvs_data_t, sysctl_crypto_t, httpd_bugzilla_content_ra_t,
httpd_bugzilla_content_rw_t, httpd_nutups_cgi_script_exec_t,
httpd_nagios_content_ra_t, httpd_nagios_content_rw_t,
httpd_nagios_content_t,
httpd_w3c_validator_content_t, httpd_sys_content_ra_t,
httpd_sys_content_rw_t,
httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t,
httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_cobbler_script_exec_t,
httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t,
httpd_git_content_t, httpd_user_content_t, httpd_squid_content_ra_t,
httpd_squid_content_rw_t, httpd_prewikka_content_t, httpd_munin_content_t,
httpd_squid_content_t, httpd_awstats_script_exec_t,
httpd_apcupsd_cgi_content_t,
httpd_cobbler_content_t, httpd_apcupsd_cgi_content_ra_t,
httpd_apcupsd_cgi_content_rw_t, httpd_nagios_script_exec_t,
httpd_cvs_content_t,
httpd_sys_content_t, httpd_sys_content_t, root_t, httpd_munin_script_exec_t,
httpd_w3c_validator_script_exec_t, httpd_prewikka_content_ra_t,
httpd_prewikka_content_rw_t, httpd_user_script_exec_t,
httpd_bugzilla_content_t,
httpd_awstats_content_ra_t, httpd_awstats_content_rw_t,
httpd_bugzilla_script_exec_t, httpd_apcupsd_cgi_script_exec_t,
httpd_squid_script_exec_t, httpd_w3c_validator_content_ra_t,
httpd_w3c_validator_content_rw_t, httpd_nutups_cgi_content_t,
httpd_awstats_content_t, httpd_sys_script_exec_t, httpd_user_content_ra_t,
httpd_user_content_rw_t, httpd_git_script_exec_t,
httpd_cobbler_content_ra_t,
httpd_cobbler_content_rw_t, httpdcontent, httpd_cvs_script_exec_t,
httpd_prewikka_script_exec_t, httpd_munin_content_ra_t,
httpd_munin_content_rw_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of /var/run/utmp so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE '/var/run/utmp'.
where FILE_TYPE is one of the following: abrt_helper_exec_t,
httpd_helper_exec_t, dbusd_etc_t, httpd_squirrelmail_t, httpd_php_exec_t,
httpd_nagios_htaccess_t, textrel_shlib_t, rpm_script_tmp_t, samba_var_t,
ld_so_t, net_conf_t, public_content_t, sysctl_kernel_t, httpd_modules_t,
rpm_tmp_t, httpd_suexec_exec_t, application_exec_type,
httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t, gitosis_var_lib_t,
httpd_squid_htaccess_t, httpd_munin_htaccess_t, etc_runtime_t,
mailman_archive_t, httpd_var_lib_t, httpd_var_run_t, bin_t, cert_t,
ld_so_cache_t, httpd_t, fail2ban_var_lib_t, lib_t, httpd_awstats_htaccess_t,
httpd_user_htaccess_t, usr_t, chroot_exec_t, httpd_rotatelogs_exec_t,
public_content_rw_t, httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t,
nagios_etc_t, nagios_log_t, sssd_public_t, mailman_data_t, httpd_keytab_t,
httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t, httpd_cvs_htaccess_t,
httpd_git_htaccess_t, httpd_sys_htaccess_t, squirrelmail_spool_t,
cluster_conf_t, httpd_prewikka_htaccess_t, fonts_cache_t, httpd_exec_t,
httpd_lock_t, httpd_log_t, logfile, httpd_rw_content, krb5_conf_t, locale_t,
httpd_unconfined_script_exec_t, etc_t, fonts_t, httpd_ro_content,
proc_t, src_t,
sysfs_t, calamaris_www_t, krb5_keytab_t, httpd_cache_t, httpd_tmpfs_t,
iso9660_t, httpd_config_t, var_lib_t, abrt_var_run_t, configfile,
udev_tbl_t,
abrt_t, httpd_tmp_t, lib_t, shell_exec_t, httpd_w3c_validator_htaccess_t,
mysqld_etc_t, cvs_data_t, sysctl_crypto_t, httpd_bugzilla_content_ra_t,
httpd_bugzilla_content_rw_t, httpd_nutups_cgi_script_exec_t,
httpd_nagios_content_ra_t, httpd_nagios_content_rw_t,
httpd_nagios_content_t,
httpd_w3c_validator_content_t, httpd_sys_content_ra_t,
httpd_sys_content_rw_t,
httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t,
httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_cobbler_script_exec_t,
httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t,
httpd_git_content_t, httpd_user_content_t, httpd_squid_content_ra_t,
httpd_squid_content_rw_t, httpd_prewikka_content_t, httpd_munin_content_t,
httpd_squid_content_t, httpd_awstats_script_exec_t,
httpd_apcupsd_cgi_content_t,
httpd_cobbler_content_t, httpd_apcupsd_cgi_content_ra_t,
httpd_apcupsd_cgi_content_rw_t, httpd_nagios_script_exec_t,
httpd_cvs_content_t,
httpd_sys_content_t, httpd_sys_content_t, root_t, httpd_munin_script_exec_t,
httpd_w3c_validator_script_exec_t, httpd_prewikka_content_ra_t,
httpd_prewikka_content_rw_t, httpd_user_script_exec_t,
httpd_bugzilla_content_t,
httpd_awstats_content_ra_t, httpd_awstats_content_rw_t,
httpd_bugzilla_script_exec_t, httpd_apcupsd_cgi_script_exec_t,
httpd_squid_script_exec_t, httpd_w3c_validator_content_ra_t,
httpd_w3c_validator_content_rw_t, httpd_nutups_cgi_content_t,
httpd_awstats_content_t, httpd_sys_script_exec_t, httpd_user_content_ra_t,
httpd_user_content_rw_t, httpd_git_script_exec_t,
httpd_cobbler_content_ra_t,
httpd_cobbler_content_rw_t, httpdcontent, httpd_cvs_script_exec_t,
httpd_prewikka_script_exec_t, httpd_munin_content_ra_t,
httpd_munin_content_rw_t. You can look at the httpd_selinux man page for
additional information.

Additional Information:

Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:initrc_var_run_t:s0
Target Objects /var/run/utmp [ file ]
Source uptime
Source Path /usr/bin/uptime
Port <Unknown>
Host host.domain.com
Source RPM Packages procps-3.2.8-3.fc12
Target RPM Packages initscripts-9.02.1-1
Policy RPM selinux-policy-3.6.32-103.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Plugin Name httpd_bad_labels
Host Name host.domain.com
Platform Linux host.domain.com 2.6.32.9-70.fc12.i686 #1 SMP Wed Mar 3 05:14:32 UTC 2010 i686 i686
Alert Count 2
First Seen Sun 28 Mar 2010 12:04:45 PM PDT
Last Seen Sun 28 Mar 2010 12:09:52 PM PDT
Local ID 5f9c855c-31e3-42c9-83fd-9c9b6262cd00
Line Numbers

Raw Audit Messages

node=host.domain.com type=AVC msg=audit(1269803392.422:30): avc: denied { open } for pid=4900 comm="uptime" name="utmp" dev=sdb10 ino=206 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

node=host.domain.com type=SYSCALL msg=audit(1269803392.422:30): arch=40000003 syscall=5 success=yes exit=4 a0=3f5cb5 a1=88000 a2=430680 a3=3f5cbb items=0 ppid=2613 pid=4900 auid=4294967295 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="uptime" exe="/usr/bin/uptime" subj=system_u:system_r:httpd_t:s0 key=(null)

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 03-29-2010, 12:59 PM
Daniel J Walsh
 
F12: /var/run/utmp

On 03/28/2010 03:16 PM, Daniel B. Thurman wrote:
> I am not sure what to make of this, so how can I fix it:
> [...]

If you want to allow apache to read the utmp file, just add the allow rules.

# grep httpd_t /var/log/audit/audit.log | audit2allow -M myhttpd
# semodule -i myhttpd.pp

You might have to do this a couple of times. Allowing this means a
compromised system would be able to see the users that have logged into
a system.

You can debate if this is worth preventing, but we do not want to allow
all http servers the ability to read this file.


 
Old 03-30-2010, 04:00 PM
"Daniel B. Thurman"
 
F12: /var/run/utmp

On 03/29/2010 05:59 AM, Daniel J Walsh wrote:
> On 03/28/2010 03:16 PM, Daniel B. Thurman wrote:
>> I am not sure what to make of this, so how can I fix it:
>> [...]
>
> If you want to allow apache to read the utmp file, just add the allow
> rules.
>
> # grep httpd_t /var/log/audit/audit.log | audit2allow -M myhttpd
> # semodule -i myhttpd.pp
>
> You might have to do this a couple of times. Allowing this means a
> compromised system would be able to see the users that have logged
> into a system.
>
> You can debate if this is worth preventing, but we do not want to
> allow all http servers the ability to read this file.
>
>
Hmm... seems like there is no way to get around this - is there
a reason why httpd is attempting to access this in the first place,
if so, why or why isn't this being removed or better yet, can access
be disabled via some httpd option?

I have applied the above policy, and is there a way to remove it
later? I also noticed when applying the policy, the following
appears in /var/log/messages:

Mar 30 08:53:09 host dbus: avc: received policyload notice (seqno=2)
Mar 30 08:53:09 host dbus: Can't send to audit system: USER_AVC avc:
received policyload notice (seqno=2)#012: exe="?" sauid=81 hostname=?
addr=? terminal=?
Mar 30 08:53:11 host dbus: Reloaded configuration

Still getting dbus errors?

It also happens when I use setenforce 0 or 1

Keep in mind that I have zoneminder installed but I am not
sure that this is the cause of the problem since it is not clear
what program is actually invoking the /usr/bin/uptime binary.

Thanks-
Dan


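The procedure in the reply above (grep the httpd_t denials out of audit.log, run audit2allow -M, load the .pp) and the question in the post above about what is actually invoking /usr/bin/uptime, as an added example that is not code from the thread, from setroubleshoot or from audit2allow. It re-implements the piece of audit2allow that matters here in Python so it runs offline on the two raw audit records from the first post: it parses the AVC and SYSCALL records, recognises the permissive-mode signature (AVC says denied, syscall still says success=yes), pulls out the parent pid that identifies what ran uptime, and emits the module text that audit2allow would write. The module name myhttpd comes from the reply; the version 1.0 and the .te layout follow audit2allow's usual output; the sample records are the post's own lines re-joined, with the target context written out as system_u:object_r (the forum rendering shows it as "system_ubject_r").

```python
"""Offline triage of an SELinux AVC, modelled on the thread above.

Added example; not code from the posts, setroubleshoot or audit2allow.
"""
import re
from collections import defaultdict

# The two raw audit messages from the first post, re-joined onto one
# line each (the post's "system_ubject_r" is system_u:object_r).
AUDIT_LOG = """\
node=host.domain.com type=AVC msg=audit(1269803392.422:30): avc: denied { open } for pid=4900 comm="uptime" name="utmp" dev=sdb10 ino=206 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
node=host.domain.com type=SYSCALL msg=audit(1269803392.422:30): arch=40000003 syscall=5 success=yes exit=4 a0=3f5cb5 a1=88000 a2=430680 a3=3f5cbb items=0 ppid=2613 pid=4900 auid=4294967295 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="uptime" exe="/usr/bin/uptime" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<serial>[\d.:]+)\): avc: +denied +\{ (?P<perms>[^}]+)\}"
    r".*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<serial>[\d.:]+)\):.*? success=(?P<ok>yes|no)"
    r'.*? ppid=(?P<ppid>\d+) pid=(?P<pid>\d+).*? exe="(?P<exe>[^"]*)"'
)


def type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(":")[2]


def parse_avcs(log):
    """One dict per 'avc: denied' record: serial, source/target type, class, perms."""
    denials = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                "serial": m["serial"],
                "stype": type_of(m["scon"]),
                "ttype": type_of(m["tcon"]),
                "tclass": m["tclass"],
                "perms": frozenset(m["perms"].split()),
            })
    return denials


def parse_syscalls(log):
    """serial -> {'success': bool, 'ppid': str, 'pid': str, 'exe': str}."""
    out = {}
    for line in log.splitlines():
        m = SYSCALL_RE.search(line)
        if m:
            out[m["serial"]] = {"success": m["ok"] == "yes",
                                "ppid": m["ppid"], "pid": m["pid"], "exe": m["exe"]}
    return out


def permissive_denials(log):
    """Serials whose AVC says denied but whose syscall still returned success=yes.
    That only happens in permissive mode (or a permissive domain); it is what
    the '[SELinux is in permissive mode. This access was not denied.]' line
    in the alert is telling you."""
    calls = parse_syscalls(log)
    return sorted(d["serial"] for d in parse_avcs(log)
                  if calls.get(d["serial"], {}).get("success"))


def parent_of_denials(log):
    """serial -> (exe, pid, ppid). The ppid is the process that ran the
    binary, i.e. the httpd child or CGI behind the uptime call."""
    return {s: (c["exe"], c["pid"], c["ppid"]) for s, c in parse_syscalls(log).items()}


def _perm_list(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_te(log, module="myhttpd", version="1.0", source_type=None):
    """Return the module text audit2allow -M would write to <module>.te,
    merging permissions per (source, target, class). source_type mirrors
    the 'grep httpd_t' pre-filter used in the reply."""
    rules = defaultdict(set)
    for d in parse_avcs(log):
        if source_type is None or d["stype"] == source_type:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {module} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {_perm_list(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += [f"allow {s} {t}:{c} {_perm_list(p)};"
              for (s, t, c), p in sorted(rules.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("permissive-mode denials:", permissive_denials(AUDIT_LOG))
    print("who ran it:", parent_of_denials(AUDIT_LOG))
    print(build_te(AUDIT_LOG, source_type="httpd_t"))
```

For the records above build_te yields a single rule, `allow httpd_t initrc_var_run_t:file open;`, with matching `type` and `class` lines in the require block; that is the rule `audit2allow -M myhttpd` compiles into myhttpd.pp and `semodule -i myhttpd.pp` loads. `semodule -l | grep myhttpd` shows it is loaded and `semodule -r myhttpd` takes it back out again, which is the answer to the later question about removing the policy. Each semodule load, like each setenforce toggle, is a policy reload, and that is what the dbus "received policyload notice" lines in /var/log/messages report. The ppid in the SYSCALL record (2613 here) is the process that executed uptime; `ps -o pid,ppid,user,cmd -p 2613` while it is alive, or `ausearch -p 2613` for any audit records it generated, names it, which is how to find out whether zoneminder or some other httpd-hosted script is the caller.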
 
Old 03-30-2010, 04:10 PM
Daniel J Walsh
 
F12: /var/run/utmp

On 03/30/2010 12:00 PM, Daniel B. Thurman wrote:
> On 03/29/2010 05:59 AM, Daniel J Walsh wrote:
>
>> On 03/28/2010 03:16 PM, Daniel B. Thurman wrote:
>>
>>> I am not sure what to make of this, so how can I fix it:
>>>
>>> ===================================
>>> Summary:
>>>
>>> SELinux is preventing /usr/bin/uptime from using potentially mislabeled
>>> files
>>> /var/run/utmp.
>>>
>>> Detailed Description:
>>>
>>> [SELinux is in permissive mode. This access was not denied.]
>>>
>>> SELinux has denied the uptime access to potentially mislabeled files
>>> /var/run/utmp. This means that SELinux will not allow httpd to use these
>>> files.
>>> If httpd should be allowed this access to these files you should change the file
>>> context to one of the following types, abrt_helper_exec_t, httpd_helper_exec_t,
>>> dbusd_etc_t, httpd_squirrelmail_t, httpd_php_exec_t, httpd_nagios_htaccess_t,
>>> textrel_shlib_t, rpm_script_tmp_t, samba_var_t, ld_so_t, net_conf_t,
>>> public_content_t, sysctl_kernel_t, httpd_modules_t, rpm_tmp_t,
>>> httpd_suexec_exec_t, application_exec_type, httpd_nutups_cgi_htaccess_t,
>>> mailman_cgi_exec_t, gitosis_var_lib_t, httpd_squid_htaccess_t,
>>> httpd_munin_htaccess_t, etc_runtime_t, mailman_archive_t, httpd_var_lib_t,
>>> httpd_var_run_t, bin_t, cert_t, ld_so_cache_t, httpd_t, fail2ban_var_lib_t,
>>> lib_t, httpd_awstats_htaccess_t, httpd_user_htaccess_t, usr_t, chroot_exec_t,
>>> httpd_rotatelogs_exec_t, public_content_rw_t, httpd_bugzilla_htaccess_t,
>>> httpd_cobbler_htaccess_t, nagios_etc_t, nagios_log_t, sssd_public_t,
>>> mailman_data_t, httpd_keytab_t, httpd_apcupsd_cgi_htaccess_t,
>>> system_dbusd_var_lib_t, httpd_cvs_htaccess_t, httpd_git_htaccess_t,
>>> httpd_sys_htaccess_t, squirrelmail_spool_t, cluster_conf_t,
>>> httpd_prewikka_htaccess_t, fonts_cache_t, httpd_exec_t, httpd_lock_t,
>>> httpd_log_t, logfile, httpd_rw_content, krb5_conf_t, locale_t,
>>> httpd_unconfined_script_exec_t, etc_t, fonts_t, httpd_ro_content, proc_t, src_t,
>>> sysfs_t, calamaris_www_t, krb5_keytab_t, httpd_cache_t, httpd_tmpfs_t,
>>> iso9660_t, httpd_config_t, var_lib_t, abrt_var_run_t, configfile, udev_tbl_t,
>>> abrt_t, httpd_tmp_t, lib_t, shell_exec_t, httpd_w3c_validator_htaccess_t,
>>> mysqld_etc_t, cvs_data_t, sysctl_crypto_t, httpd_bugzilla_content_ra_t,
>>> httpd_bugzilla_content_rw_t, httpd_nutups_cgi_script_exec_t,
>>> httpd_nagios_content_ra_t, httpd_nagios_content_rw_t, httpd_nagios_content_t,
>>> httpd_w3c_validator_content_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t,
>>> httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t,
>>> httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_cobbler_script_exec_t,
>>> httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t,
>>> httpd_git_content_t, httpd_user_content_t, httpd_squid_content_ra_t,
>>> httpd_squid_content_rw_t, httpd_prewikka_content_t, httpd_munin_content_t,
>>> httpd_squid_content_t, httpd_awstats_script_exec_t, httpd_apcupsd_cgi_content_t,
>>> httpd_cobbler_content_t, httpd_apcupsd_cgi_content_ra_t,
>>> httpd_apcupsd_cgi_content_rw_t, httpd_nagios_script_exec_t, httpd_cvs_content_t,
>>> httpd_sys_content_t, httpd_sys_content_t, root_t, httpd_munin_script_exec_t,
>>> httpd_w3c_validator_script_exec_t, httpd_prewikka_content_ra_t,
>>> httpd_prewikka_content_rw_t, httpd_user_script_exec_t, httpd_bugzilla_content_t,
>>> httpd_awstats_content_ra_t, httpd_awstats_content_rw_t,
>>> httpd_bugzilla_script_exec_t, httpd_apcupsd_cgi_script_exec_t,
>>> httpd_squid_script_exec_t, httpd_w3c_validator_content_ra_t,
>>> httpd_w3c_validator_content_rw_t, httpd_nutups_cgi_content_t,
>>> httpd_awstats_content_t, httpd_sys_script_exec_t, httpd_user_content_ra_t,
>>> httpd_user_content_rw_t, httpd_git_script_exec_t, httpd_cobbler_content_ra_t,
>>> httpd_cobbler_content_rw_t, httpdcontent, httpd_cvs_script_exec_t,
>>> httpd_prewikka_script_exec_t, httpd_munin_content_ra_t,
>>> httpd_munin_content_rw_t. Many third party apps install html files in
>>> directories that SELinux policy cannot predict. These directories have to be
>>> labeled with a file context which httpd can access.
>>>
>>> Allowing Access:
>>>
>>> If you want to change the file context of /var/run/utmp so that the httpd daemon
>>> can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE
>>> '/var/run/utmp'.
>>> where FILE_TYPE is one of the types listed above. You can look at the
>>> httpd_selinux man page for additional information.
>>>
>>> Additional Information:
>>>
>>> Source Context system_u:system_r:httpd_t:s0
>>> Target Context system_u:object_r:initrc_var_run_t:s0
>>> Target Objects /var/run/utmp [ file ]
>>> Source uptime
>>> Source Path /usr/bin/uptime
>>> Port <Unknown>
>>> Host host.domain.com
>>> Source RPM Packages procps-3.2.8-3.fc12
>>> Target RPM Packages initscripts-9.02.1-1
>>> Policy RPM selinux-policy-3.6.32-103.fc12
>>> Selinux Enabled True
>>> Policy Type targeted
>>> Enforcing Mode Permissive
>>> Plugin Name httpd_bad_labels
>>> Host Name host.domain.com
>>> Platform Linux host.domain.com 2.6.32.9-70.fc12.i686 #1 SMP
>>> Wed Mar 3 05:14:32 UTC 2010 i686 i686
>>> Alert Count 2
>>> First Seen Sun 28 Mar 2010 12:04:45 PM PDT
>>> Last Seen Sun 28 Mar 2010 12:09:52 PM PDT
>>> Local ID 5f9c855c-31e3-42c9-83fd-9c9b6262cd00
>>> Line Numbers
>>>
>>> Raw Audit Messages
>>>
>>> node=host.domain.com type=AVC msg=audit(1269803392.422:30): avc:
>>> denied { open } for pid=4900 comm="uptime" name="utmp" dev=sdb10
>>> ino=206 scontext=system_u:system_r:httpd_t:s0
>>> tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
>>>
>>> node=host.domain.com type=SYSCALL msg=audit(1269803392.422:30):
>>> arch=40000003 syscall=5 success=yes exit=4 a0=3f5cb5 a1=88000 a2=430680
>>> a3=3f5cbb items=0 ppid=2613 pid=4900 auid=4294967295 uid=48 gid=489
>>> euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none)
>>> ses=4294967295 comm="uptime" exe="/usr/bin/uptime"
>>> subj=system_u:system_r:httpd_t:s0 key=(null)
>>>
>>> --
>>> selinux mailing list
>>> selinux@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>>
>>>
>>>
>> If you want to allow apache to read the utmp file, just add the allow
>> rules.
>>
>> # grep httpd_t /var/log/audit/audit.log | audit2allow -M myhttpd
>> # semodule -i myhttpd.pp
>>
>> You might have to do this a couple of times. Allowing this means a
>> compromised system would be able to see the users that have logged
>> into a system.
>>
>> You can debate if this is worth preventing, but we do not want to
>> allow all http servers the ability to read this file.
>>
>>
>>
> Hmm... seems like there is no way to get around this. Is there
> a reason why httpd is attempting to access this in the first place?
> If so, why, or why isn't this being removed? Or, better yet, can access
> be disabled via some httpd option?
>
>
It is the uptime command that is reading utmp

man uptime
...
FILES
/var/run/utmp information about who is currently logged on

> I have applied the above policy, and is there a way to remove it
> later? I also noticed when applying the policy, the following
> appears in /var/log/messages:
>
>
semodule -r myhttp

Will remove a module named myhttp
> Mar 30 08:53:09 host dbus: avc: received policyload notice (seqno=2)
> Mar 30 08:53:09 host dbus: Can't send to audit system: USER_AVC avc:
> received policyload notice (seqno=2)#012: exe="?" sauid=81 hostname=?
> addr=? terminal=?
> Mar 30 08:53:11 host dbus: Reloaded configuration
>
> Still getting dbus errors?
>
>
This is a dbus bug, being unable to send an audit message. It can
safely be ignored. Or open another bug with dbus.
> It also happens when I use setenforce 0 or 1
>
> Keep in mind that I have zoneminder installed but I am not
> sure that this is the cause of the problem since it is not clear
> what program is actually invoking the /usr/bin/uptime binary.
>
> Thanks-
> Dan
>
>
>

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
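The `grep httpd_t audit.log | audit2allow -M myhttpd` step quoted above turns every httpd_t denial in the log into an allow rule, not only the utmp one. As an added example (not from the thread or from the audit2allow tool itself), this POSIX shell script parses the AVC record from the alert, embedded here as a constructed one-line sample, and emits just the single rule and module source that record implies, so you can see exactly what would be granted before loading it.

```shell
#!/bin/sh
# Added example, not from the thread: derive the one allow rule a single AVC
# denial implies, instead of whitelisting every httpd_t denial in audit.log.

# Constructed sample: the AVC record from the alert above, on one line.
SAMPLE_AVC='type=AVC msg=audit(1269803392.422:30): avc: denied { open } for pid=4900 comm="uptime" name="utmp" dev=sdb10 ino=206 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=value in LINE
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\([^ ]*\).*/\1/p"
}

# avc_type CONTEXT: the type component of a user:role:type:level context
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permissions listed between the braces after "denied"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# avc_to_allow LINE: the allow rule audit2allow would generate for LINE
avc_to_allow() {
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_to_te LINE MODULE: complete .te source for a module carrying that rule.
# Build and load it with the standard toolchain, then semodule -r to undo:
#   checkmodule -M -m -o MODULE.mod MODULE.te
#   semodule_package -o MODULE.pp -m MODULE.mod
#   semodule -i MODULE.pp
avc_to_te() {
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    printf 'module %s 1.0;\n\nrequire {\n' "$2"
    printf '\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' "$src" "$tgt" "$cls" "$perms"
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

avc_to_allow "$SAMPLE_AVC"
avc_to_te "$SAMPLE_AVC" myhttpd
```

For the sample record this prints `allow httpd_t initrc_var_run_t:file { open };`, which is the whole extent of what the thread's workaround needs to grant; anything beyond that in an audit2allow-generated module is a denial you should look at separately.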
 
