Bug 234267 - sens_day.cgi rrdtool scripts (from lm_sensors) generate avc: denied errors
Summary: sens_day.cgi rrdtool scripts (from lm_sensors) generate avc: denied errors
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
Reported: 2007-03-28 00:10 UTC by Need Real Name
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-05-17 15:39:59 UTC

Attachments (Terms of Use)
Type enforcement file for sensors cgi script (deleted)
2007-04-03 14:01 UTC, Daniel Walsh
no flags Details
File context file for sensors cgi (deleted)
2007-04-03 14:05 UTC, Daniel Walsh
no flags Details

Description Need Real Name 2007-03-28 00:10:20 UTC
I have compiled and added the cgi scripts that come in the lm_sensors tarball
(but are not included yet in the FC6 standard rpm, though they are included in
some other repos like ATrpms).

Running the cgi scripts generate the following avc: denied errors

avc:  denied  { read } comm="sens_day.cgi" name="sensors.rrd" scontext=system_u\
:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=\
avc:  denied  { getattr } comm="sens_day.cgi" name="sensors.rrd" scontext=syste\
m_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tcla\

I can 'fix' it by adding them to my local.avc file but I was wondering whether
this should be added more cleanly and generally to the selinux targeted policy.


BTW, am I the only one who actually runs selinux in 'enforcing' mode and thus
gets 'hit' by these denials? :)

Comment 1 Daniel Walsh 2007-04-03 13:59:54 UTC
To make this work correctly we would need to define a policy for lm_sensors and
a type for sensors.rrd. Then we define a policy httpd_sensors_script_t to read
the log file.

Comment 2 Daniel Walsh 2007-04-03 14:01:26 UTC
Created attachment 151562 [details]
Type enforcement file for sensors cgi script

I am attaching a te and fc file which can be used to build a policy module for
the sensors cgi scripts.

Comment 3 Daniel Walsh 2007-04-03 14:05:25 UTC
Created attachment 151563 [details]
File context file for sensors cgi

I was not sure of the path for the sensors cgi.

If you extract this file (the fc and the te file) to a directory,
verify/fix the path in the sensors.fc file.  Then execute the following
commands to build an selinux policy module.

#yum install selinux-policy-devel
#make -f /usr/share/selinux/devel/Makefile
#semodule -i sensors.pp
#restorecon PATHTOCGI
Now you should be able to run the cgi scripts.  If other avc messages appear
you can use audit2allow to generate more te rules.  Add these to the sensors.te
file, recompile and reload.
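The workflow described in comment 3 (read the avc denials, turn them into te rules, rebuild and reload the module), as an added example that is not part of the bug report or of the attached te/fc files. `avc_to_allow` does what audit2allow does for the fields visible in the report: it groups denied permissions by source type, target type and object class and prints one candidate `allow` rule per group, for review before it is appended to sensors.te. `build_policy_module` runs the build commands from comment 3 and only when selinux-policy-devel is present. The sample denials are constructed: they follow the two lines in the report with the truncated `tclass=` value filled in as `file`, plus a third, invented directory-search denial so that the grouping is visible.

```shell
#!/bin/sh
# Added example, not code from the bug report or from lm_sensors/selinux-policy.

# Constructed sample AVC lines (modelled on the report; tclass and the third
# line are assumptions for illustration).
SAMPLE_AVC='avc:  denied  { read } comm="sens_day.cgi" name="sensors.rrd" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
avc:  denied  { getattr } comm="sens_day.cgi" name="sensors.rrd" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
avc:  denied  { search } comm="sens_day.cgi" name="log" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir'

# Read AVC lines on stdin, print one "allow" rule per (source type, target
# type, class), with the denied permissions merged, in order of first sight.
avc_to_allow() {
    awk '
    # Return the type field (third colon-separated part) of scontext=/tcontext=.
    function ctx_type(f,   a) {
        sub(/^[st]context=/, "", f)
        split(f, a, ":")
        return a[3]
    }
    /avc: *denied/ {
        # The denied permissions sit between the braces.
        if (!match($0, /\{[^}]*\}/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) stype = ctx_type($i)
            else if ($i ~ /^tcontext=/) ttype = ctx_type($i)
            else if ($i ~ /^tclass=/) { tclass = $i; sub(/^tclass=/, "", tclass) }
        }
        if (stype == "" || ttype == "" || tclass == "") next
        key = stype " " ttype ":" tclass
        if (!(key in keys)) { keys[key] = 1; order[++nkeys] = key }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; plist[key] = plist[key] " " p[j] }
    }
    END {
        for (i = 1; i <= nkeys; i++) {
            k = order[i]
            printf "allow %s {%s };\n", k, plist[k]
        }
    }'
}

# Build and load sensors.pp from the sensors.te/sensors.fc in the current
# directory (the commands from comment 3), then relabel the cgi directory
# given as $1. Refuses to run without the policy development Makefile.
build_policy_module() {
    if [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "selinux-policy-devel is not installed (yum install selinux-policy-devel)" >&2
        return 1
    fi
    make -f /usr/share/selinux/devel/Makefile &&
        semodule -i sensors.pp &&
        restorecon -Rv "$1"
}

# Demo: show the rules the sample denials would produce.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

The generated rules target `var_log_t`, which is every file carrying that label under /var/log, not just sensors.rrd; that is the same breadth a local.avc fix has. Comment 1's plan (a dedicated type for sensors.rrd and an httpd_sensors_script_t domain) is the narrower grant, so once sensors.fc labels the rrd file, replace the target type in the reviewed rule rather than loading it as printed.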
