Bug 1060249 - selinux blocks access to /tmp (httpd_w3c_validator_script)
Summary: selinux blocks access to /tmp (httpd_w3c_validator_script)
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 19
Hardware: i686
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-01-31 15:16 UTC by Radek Liboska
Modified: 2015-02-18 11:02 UTC (History)

Fixed In Version: not fixed
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-18 11:02:07 UTC



Description Radek Liboska 2014-01-31 15:16:41 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Enter the URL of a web page into the "Validate by URI" input box (Firefox with the page http://x.x.x/w3c-validator/ loaded)
2. Hit the "Check" button
3.

Actual results:

IN THE BROWSER:

Software error:

Error in tempfile() using /tmp/XXXXXXXXXX: Could not create temp file /tmp/QTiFqUgstl: Permission denied at /usr/lib/perl5/vendor_perl/SGML/Parser/OpenSP.pm line 65.

For help, please send mail to the webmaster (root@localhost), giving this error message and the time and date of the error. 


ON THE x.x.x. SERVER: 
$ audit2why -a

type=AVC msg=audit(1391178413.466:80326): avc:  denied  { write } for  pid=2245 comm="check" name="tmp" dev="tmpfs" ino=16493 scontext=system_u:system_r:httpd_w3c_validator_script_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.
		You can use audit2allow to generate a loadable module to allow this access.


Expected results:

An output page of the w3c validator

Additional info:

SELinux apparently blocks access to /tmp for the w3c validator cgi-bin script.

Comment 1 Radek Liboska 2014-02-06 14:00:58 UTC
Nobody cares? Another common application which is not working in Fedora?

So additional info:



SELinux is preventing /usr/bin/perl from write access on the directory tmp.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that perl should be allowed write access on the tmp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep check /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:httpd_w3c_validator_script_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                tmp [ dir ]
Source                        check
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          xxxxxxxxxxxxxxxxx
Source RPM Packages           perl-5.16.3-266.fc19.i686
Target RPM Packages           filesystem-3.2-13.fc19.i686
Policy RPM                    selinux-policy-3.12.1-74.17.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     xxxxxxxxxxxxxxxxx
Platform                      Linux xxxxxxxxxxx 3.12.9-201.fc19.i686.PAE
                              #1 SMP Wed Jan 29 15:52:11 UTC 2014 i686 i686
Alert Count                   1
First Seen                    2014-02-06 14:34:29 CET
Last Seen                     2014-02-06 14:34:29 CET
Local ID                      9c8ba554-f3f4-46da-b3c4-def67eeaecb6

Raw Audit Messages
type=AVC msg=audit(1391693669.703:481): avc:  denied  { write } for  pid=18245 comm="check" name="tmp" dev="tmpfs" ino=16473 scontext=system_u:system_r:httpd_w3c_validator_script_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir


type=SYSCALL msg=audit(1391693669.703:481): arch=i386 syscall=open success=no exit=EACCES a0=963a2c0 a1=280c2 a2=180 a3=0 items=0 ppid=4099 pid=18245 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=check exe=/usr/bin/perl subj=system_u:system_r:httpd_w3c_validator_script_t:s0 key=(null)

Hash: check,httpd_w3c_validator_script_t,tmp_t,dir,write

Comment 2 Radek Liboska 2014-02-14 16:37:46 UTC
Problem solved, thank you for nothing Nathanael - no more bugzilla reports from me in the future! Adios 
module httpd_w3c_validator_script 1.0;

require {
        type httpd_w3c_validator_script_t;
        type tmp_t;
        class dir { write remove_name add_name };
        class file { write create unlink open setattr };
}

#============= httpd_w3c_validator_script_t ==============
allow httpd_w3c_validator_script_t tmp_t:dir { write remove_name add_name };
allow httpd_w3c_validator_script_t tmp_t:file { write create open setattr unlink };
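
The audit2allow workflow quoted above turns raw AVC denials into a TE module. As an added example (not part of this bug report or of selinux-policy), the Python below does the same aggregation over the AVC lines from this report and also flags rules whose target is a generic shared type such as tmp_t, the kind of blanket grant comment 4 says upstream would not have written; the SHARED_TYPES set is a constructed, non-exhaustive list and the only assumption beyond the audit lines themselves.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in this bug report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1391178413.466:80326): avc:  denied  { write } for  pid=2245 comm="check" name="tmp" dev="tmpfs" ino=16493 scontext=system_u:system_r:httpd_w3c_validator_script_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1391693669.703:481): avc:  denied  { write } for  pid=18245 comm="check" name="tmp" dev="tmpfs" ino=16473 scontext=system_u:system_r:httpd_w3c_validator_script_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?scontext=(?P<scontext>\S+)"
                    r" tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)")

# Generic target types shared by every domain (constructed, non-exhaustive list). Comment 4 notes
# upstream would not grant these directly; refpolicy's pattern is a private type via files_tmp_filetrans.
SHARED_TYPES = {"tmp_t", "var_t", "var_lib_t", "etc_t", "usr_t"}

def type_of(context):  # user:role:type[:range] -> type
    return context.split(":")[2]

def parse_denials(text):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def allow_rules(rules):
    """One allow statement per (source, target, class), permissions sorted."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

def shared_target_warnings(rules):
    """Flag rules that would open a shared, generic type to the domain."""
    return [f"{s} -> {t}:{c}: {t} is shared by all domains; prefer a private type with a transition"
            for (s, t, c) in sorted(rules) if t in SHARED_TYPES]

def render_module(name, rules):
    """Emit a TE module in the shape 'audit2allow -M' produces (compare comment 2)."""
    types = sorted({x for s, t, _ in rules for x in (s, t)})
    classes = defaultdict(set)
    for (_, _, c), p in rules.items():
        classes[c].update(p)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {x};" for x in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(rules)
    return "\n".join(lines)
```

Feed it `grep check /var/log/audit/audit.log` output instead of the sample to get the module for a real host, and treat any warning as a prompt to file a policy bug rather than to load the module as-is.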

Comment 3 Nathanael Noblet 2014-02-14 19:15:35 UTC
@selinux maintainers - can you take a look at this and let me know if you can allow this script to create/write to tmp files?

@Radek - calm down, it's been 2 weeks and this is a free / volunteer project. Instead of complaining about how slow I am, perhaps become a co-maintainer?

Comment 4 Daniel Walsh 2014-02-14 19:18:20 UTC
Well we can allow this but it is not the way we would have done it.

Comment 5 Daniel Walsh 2014-02-14 19:20:56 UTC
2e4888ee8dbff9307ad7b5780918ccc790f98850 fixes this in git.

Comment 6 Fedora End Of Life 2015-01-09 22:23:56 UTC
This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 7 Fedora End Of Life 2015-02-18 11:02:07 UTC
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
