Subgit (www.subgit.com) is a system for reflecting Subversion repository changes to a Git mirror or vice versa. In the former case, it uses a pre-commit script to spawn a Java daemon that monitors and mirrors the updates.
When run in enforcing mode, the daemon fails to start and the commit fails when the spawn attempt times out. No error appears in the audit log.
When run in permissive mode, the spawn succeeds and the commit works. The program that is supposed to spawn the daemon has context
system_u:object_r:httpd_sys_script_exec_t:s0
The directory where the PID file is supposed to write its lock file is
The error reported by Subgit on failure is:
Failed to launch background translation process: timeout waiting for pid file '/var/www/svn/FlopC++/subgit/daemon.pid
(FlopC++ is the repository name).
What policy change do I need to implement to make this work in enforcing mode? Or how can I debug the process and what information should I bring to the list for help?
Thanks in advance.
If you're not seeing any errors in your audit logs, you can temporarily disable the don't audit rules by executing:
# semodule -DB
It may also be nice to allow Apache to run in permissive mode while you're trying to troubleshoot. This would replace any use of setenforce 0. Just remember to put it back when you're done troubleshooting.
# semanage permissive -a httpd_t
When you've done that, share any AVCs that you get.
# ausearch -m avc,user_avc -ts recent
On Tue, Sep 22, 2015 at 12:51 PM Matthew Saltzman mjs@clemson.edu wrote:
-- Matthew Saltzman Clemson University Math Sciences mjs AT clemson DOT edu -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On Tue, 2015-09-22 at 19:21 +0100, Trevor Hemsley wrote:
On 22/09/15 18:50, Matthew Saltzman wrote:
for pid file '/var/www/svn/FlopC++/subgit/daemon.pid
Probably not the best location for a pid file. I'd suspect that write access to anything under /var/www is disallowed. Can you not move it to /var/run?
*I* can't. It's hard-coded in a compiled executable. I could make that recommendation to the Subgit folks. I suspect they may do that because they know for sure where the directory they are executing from is, but they may not feel they have a guarantee that /var/run is available in every *nix distribution.
On the other hand, the Subversion repositories themselves are in /var/www/svn and interacting with them works fine (including writes), modulo this issue.
Trevor
On 09/22/2015 08:37 PM, Matthew Saltzman wrote:
We can label /var/www/svn/FlopC++/subgit for example if it is owned by a package.
The main goal is we need to get AVCs. Try to re-test it and run
# ausearch -m avc,user_avc -ts recent
On Wed, 2015-09-23 at 09:13 +0200, Miroslav Grepl wrote:
OK. Here's a list of AVCs. I tried to cull the ones that seemed obviously not related (because they referred to an unrelated file or command) but there may be some extraneous ones left. These are from two commits. Interestingly, even though SELinux is in permissive mode, the commits failed with the same timeout message.
Also, how do I turn the don't-audit rules back on?
# ausearch -m avc,user_avc -ts recent
----
time->Mon Sep 28 11:20:25 2015
type=SYSCALL msg=audit(1443453625.601:66129): arch=c000003e syscall=42 success=no exit=-115 a0=31 a1=7ffe641dece0 a2=10 a3=bf items=0 ppid=1622 pid=9033 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1443453625.601:66129): avc: denied { name_connect } for pid=9033 comm="/usr/sbin/httpd" dest=9999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket
----
time->Mon Sep 28 11:22:55 2015
type=SYSCALL msg=audit(1443453775.469:66135): arch=c000003e syscall=59 success=yes exit=0 a0=7fe700a14de8 a1=7fe700a14e30 a2=7ffe641e0bd0 a3=7ffe641e0930 items=0 ppid=9185 pid=9631 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="pre-commit" exe="/usr/bin/bash" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1443453775.469:66135): avc: denied { noatsecure } for pid=9631 comm="pre-commit" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1443453775.469:66135): avc: denied { siginh } for pid=9631 comm="pre-commit" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1443453775.469:66135): avc: denied { rlimitinh } for pid=9631 comm="pre-commit" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
----
time->Mon Sep 28 11:22:57 2015
type=SYSCALL msg=audit(1443453777.094:66136): arch=c000003e syscall=9 success=yes exit=140281970163712 a0=7f95f1000000 a1=270000 a2=7 a3=32 items=0 ppid=1 pid=9661 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre-abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1443453777.094:66136): avc: denied { execmem } for pid=9661 comm="java" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
----
time->Mon Sep 28 11:23:15 2015
type=SYSCALL msg=audit(1443453795.817:66138): arch=c000003e syscall=2 success=yes exit=13 a0=7f95ce143344 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=9661 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre-abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1443453795.817:66138): avc: denied { open } for pid=9661 comm="java" path="/proc/9658/net/if_inet6" dev="proc" ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1443453795.817:66138): avc: denied { read } for pid=9661 comm="java" name="if_inet6" dev="proc" ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Mon Sep 28 11:23:15 2015
type=SYSCALL msg=audit(1443453795.817:66139): arch=c000003e syscall=5 success=yes exit=0 a0=d a1=7f95fd98bc50 a2=7f95fd98bc50 a3=0 items=0 ppid=1 pid=9661 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre-abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1443453795.817:66139): avc: denied { getattr } for pid=9661 comm="java" path="/proc/9658/net/if_inet6" dev="proc" ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Mon Sep 28 11:23:19 2015
type=SYSCALL msg=audit(1443453799.038:66141): arch=c000003e syscall=50 success=yes exit=0 a0=f a1=32 a2=7ffffffe a3=7f95fd98e230 items=0 ppid=1 pid=9661 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre-abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1443453799.038:66141): avc: denied { listen } for pid=9661 comm="java" laddr=::ffff:127.0.0.1 lport=43865 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
----
time->Mon Sep 28 11:25:17 2015
type=SYSCALL msg=audit(1443453917.466:66160): arch=c000003e syscall=2 success=yes exit=13 a0=7fbff9c58344 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=10084 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre-abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1443453917.466:66160): avc: denied { open } for pid=10084 comm="java" path="/proc/10083/net/if_inet6" dev="proc" ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1443453917.466:66160): avc: denied { read } for pid=10084 comm="java" name="if_inet6" dev="proc" ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Mon Sep 28 11:25:17 2015
type=SYSCALL msg=audit(1443453917.466:66161): arch=c000003e syscall=5 success=yes exit=0 a0=d a1=7fc025453c50 a2=7fc025453c50 a3=0 items=0 ppid=1 pid=10084 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre-abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1443453917.466:66161): avc: denied { getattr } for pid=10084 comm="java" path="/proc/10083/net/if_inet6" dev="proc" ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Mon Sep 28 11:25:19 2015
type=SYSCALL msg=audit(1443453919.191:66162): arch=c000003e syscall=50 success=yes exit=0 a0=f a1=32 a2=7ffffffe a3=7fc025456230 items=0 ppid=1 pid=10084 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre-abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1443453919.191:66162): avc: denied { listen } for pid=10084 comm="java" laddr=::ffff:127.0.0.1 lport=46017 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
----
time->Mon Sep 28 11:25:44 2015
type=SYSCALL msg=audit(1443453944.123:66165): arch=c000003e syscall=42 success=no exit=-115 a0=3c a1=7ffe641dece0 a2=10 a3=bf items=0 ppid=1622 pid=9990 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="/usr/sbin/httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1443453944.123:66165): avc: denied { name_connect } for pid=9990 comm="/usr/sbin/httpd" dest=9999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket
On 09/28/2015 05:48 PM, Matthew Saltzman wrote:
Ok some of these AVCs can be allowed by booleans.
httpd_use_execmem and httpd_can_network_connect.
You can check it using audit2allow on these AVCs.
For
time->Mon Sep 28 11:25:17 2015 type=SYSCALL msg=audit(1443453917.466:66161): arch=c000003e syscall=5 success=yes exit=0 a0=d a1=7fc025453c50 a2=7fc025453c50 a3=0 items=0 ppid=1 pid=10084 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre -abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null) type=AVC msg=audit(1443453917.466:66161): avc: denied { getattr } for pid=10084 comm="java" path="/proc/10083/net/if_inet6" dev="proc" ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
time->Mon Sep 28 11:25:19 2015 type=SYSCALL msg=audit(1443453919.191:66162): arch=c000003e syscall=50 success=yes exit=0 a0=f a1=32 a2=7ffffffe a3=7fc025456230 items=0 ppid=1 pid=10084 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="java" exe="/usr/lib/jvm/java-1.7.0-openjdk-1.7.0.85-2.6.1.2.el7_1.x86_64/jre -abrt/bin/java" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null) type=AVC msg=audit(1443453919.191:66162): avc: denied { listen } for pid=10084 comm="java" laddr=::ffff:127.0.0.1 lport=46017 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
I would open a new bug against the selinux-policy component. It looks like something that we could allow by a boolean.
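The denials posted above, run through a small parser. This is an added example, not code from the thread, from SubGit or from the SELinux tooling: it reads raw ausearch records, folds every AVC into a (source domain, target type, class) -> permissions map, renders the allow rule audit2allow would print, and says which of the booleans named in this thread (httpd_execmem, httpd_can_network_connect) already covers the rule so that setsebool can be preferred over a custom module. The boolean table is taken from the audit2allow comments quoted in the thread, SAMPLE is a constructed, trimmed copy of the records above, and treating the noatsecure/siginh/rlimitinh denials as dontaudit noise (they surface only after `semodule -DB`) is this example's own judgement.

```python
"""Fold raw ausearch AVC records into audit2allow-style rules with boolean hints."""
import re
from collections import defaultdict

# Constructed sample: AVC lines copied from the records in the thread, one per line.
SAMPLE = """\
type=AVC msg=audit(1443453625.601:66129): avc: denied { name_connect } for pid=9033 comm="/usr/sbin/httpd" dest=9999 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1443453775.469:66135): avc: denied { noatsecure } for pid=9631 comm="pre-commit" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1443453775.469:66135): avc: denied { siginh } for pid=9631 comm="pre-commit" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1443453775.469:66135): avc: denied { rlimitinh } for pid=9631 comm="pre-commit" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1443453777.094:66136): avc: denied { execmem } for pid=9661 comm="java" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1443453795.817:66138): avc: denied { open } for pid=9661 comm="java" path="/proc/9658/net/if_inet6" dev="proc" ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1443453795.817:66138): avc: denied { read } for pid=9661 comm="java" name="if_inet6" dev="proc" ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1443453795.817:66139): avc: denied { getattr } for pid=9661 comm="java" path="/proc/9658/net/if_inet6" dev="proc" ino=4026532220 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1443453799.038:66141): avc: denied { listen } for pid=9661 comm="java" laddr=::ffff:127.0.0.1 lport=43865 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Boolean alternatives as audit2allow named them in this thread.
# Key: (source domain, target type or "*" for any, class, permission).
BOOLEAN_HINTS = {
    ("httpd_sys_script_t", "self", "process", "execmem"): "httpd_execmem",
    ("httpd_sys_script_t", "self", "tcp_socket", "listen"): "httpd_can_network_connect",
    ("httpd_sys_script_t", "self", "tcp_socket", "accept"): "httpd_can_network_connect",
    ("httpd_sys_script_t", "*", "tcp_socket", "name_connect"): "httpd_can_network_connect",
    ("httpd_t", "*", "tcp_socket", "name_connect"): "httpd_can_network_connect",
}

# Assumption: these are normally silenced by a dontaudit rule in the domain
# transition pattern and only show up after `semodule -DB`; no allow rule needed.
DONTAUDIT_NOISE = {("process", "noatsecure"), ("process", "siginh"), ("process", "rlimitinh")}


def _type_of(context):
    """user:role:type:level -> type"""
    return context.split(":")[2]


def parse_avcs(text):
    """Map (source domain, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for m in AVC_RE.finditer(text):
        sdom, ttype = _type_of(m.group("scon")), _type_of(m.group("tcon"))
        if ttype == sdom:
            ttype = "self"          # audit2allow writes self for same-type targets
        rules[(sdom, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(rules)


def allow_rule(sdom, ttype, tclass, perms):
    """Render one allow rule the way audit2allow prints it."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (sdom, ttype, tclass, body)


def classify(sdom, ttype, tclass, perms):
    """Return ('dontaudit', None), ('boolean', name) or ('module', None)."""
    if all((tclass, p) in DONTAUDIT_NOISE for p in perms):
        return "dontaudit", None
    bools = set()
    for p in perms:
        b = BOOLEAN_HINTS.get((sdom, ttype, tclass, p)) or BOOLEAN_HINTS.get((sdom, "*", tclass, p))
        if b is None:
            return "module", None   # at least one permission has no known boolean
        bools.add(b)
    return "boolean", ", ".join(sorted(bools))


def summarize(text):
    """Return [(allow rule, kind, boolean-or-None)] for every distinct denial in text."""
    out = []
    for (sdom, ttype, tclass), perms in sorted(parse_avcs(text).items()):
        kind, name = classify(sdom, ttype, tclass, perms)
        out.append((allow_rule(sdom, ttype, tclass, perms), kind, name))
    return out


if __name__ == "__main__":
    for rule, kind, name in summarize(SAMPLE):
        hint = {"boolean": "setsebool -P %s 1" % name,
                "dontaudit": "ignore (dontaudit noise)",
                "module": "local module, or selinux-policy bug"}[kind]
        print("%-72s # %s" % (rule, hint))
```

Run it on the output of `ausearch -m avc,user_avc -ts recent` instead of SAMPLE to get the same triage for a live system; anything that lands in the "module" bucket (here the proc_net_t reads) is what would go into a local module or a policy bug.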
On Wed, 2015-09-30 at 10:34 +0200, Miroslav Grepl wrote:
I think I got it working with
module subgit-policy 1.0;

require {
        type httpd_sys_script_t;
        type httpd_sys_rw_content_t;
        type proc_net_t;
        class process execmem;
        class tcp_socket { accept listen };
        class file { read execute open getattr };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_rw_content_t:file execute;
allow httpd_sys_script_t proc_net_t:file { read getattr open };

#!!!! This avc can be allowed using the boolean 'httpd_execmem'
allow httpd_sys_script_t self:process execmem;

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, httpd_can_network_connect
allow httpd_sys_script_t self:tcp_socket { accept listen };

and

module pre-commit-policy 1.0;

require {
        type ephemeral_port_t;
        type httpd_t;
        type httpd_sys_script_t;
        class process { siginh noatsecure rlimitinh };
        class tcp_socket name_connect;
}

#============= httpd_sys_script_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, httpd_can_network_connect
allow httpd_sys_script_t ephemeral_port_t:tcp_socket name_connect;

#============= httpd_t ==============
allow httpd_t httpd_sys_script_t:process { siginh rlimitinh noatsecure };
This is a CentOS system. Where is the best place to file the bug?
Thanks.
On 10/02/2015 04:26 AM, Matthew Saltzman wrote:
module subgit-policy 1.0;

require {
        type httpd_sys_script_t;
        type httpd_sys_rw_content_t;
        type proc_net_t;
        class process execmem;
        class tcp_socket { accept listen };
        class file { read execute open getattr };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_rw_content_t:file execute;
You will need to add labeling for a file which is executed and labeled as httpd_sys_rw_content_t.
# chcon -t httpd_sys_script_exec_t PATHO/executable_file
for testing.
allow httpd_sys_script_t proc_net_t:file { read getattr open };
Ok, this one should be a part of httpd_can_network_connect boolean.
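The review above boils down to three outcomes for each rule audit2allow generated: a boolean already covers it, the executable should be relabeled instead of allowing the script domain to execute writable content, or the rule genuinely needs a local module (or a policy bug). The script below applies that triage to the subgit-policy module text posted in the thread. It is an added example, not code from the thread, from SubGit or from the SELinux project; MODULE_TE is a copy of the module as posted, the preference for a boolean whose name shares the source domain's prefix (httpd_*) is this example's own heuristic, and so are the `_rw_content_t` suffix check and the derivation of the `_exec_t` label from the domain name.

```python
"""Triage an audit2allow-generated .te module before installing it."""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "src tgt cls perms booleans")

# The first module posted in the thread, verbatim.
MODULE_TE = """\
module subgit-policy 1.0;

require {
        type httpd_sys_script_t;
        type httpd_sys_rw_content_t;
        type proc_net_t;
        class process execmem;
        class tcp_socket { accept listen };
        class file { read execute open getattr };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_rw_content_t:file execute;
allow httpd_sys_script_t proc_net_t:file { read getattr open };

#!!!! This avc can be allowed using the boolean 'httpd_execmem'
allow httpd_sys_script_t self:process execmem;

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, httpd_can_network_connect
allow httpd_sys_script_t self:tcp_socket { accept listen };
"""

ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;")


def _booleans(comment_lines):
    """Pull boolean names out of audit2allow's '#!!!! ... boolean' comments."""
    text = " ".join(comment_lines)
    m = re.search(r"booleans?:?\s*(.*)$", text)
    return tuple(re.findall(r"[a-z][a-z0-9_]*", m.group(1))) if m else ()


def parse_module(text):
    """Return the module's allow rules, each with the boolean hints that preceded it."""
    rules, pending = [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            pending.append(line.lstrip("#").strip())
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append(Rule(src, tgt, cls, frozenset(perms.strip("{}").split()), _booleans(pending)))
        pending = []            # any non-comment line ends the comment block
    return rules


def review(rule):
    """Classify one rule: ('boolean', name), ('relabel', advice) or ('module', advice)."""
    if rule.booleans:
        # Heuristic: prefer the boolean scoped to the source domain (httpd_* here).
        prefix = rule.src.split("_")[0] + "_"
        scoped = [b for b in rule.booleans if b.startswith(prefix)]
        return "boolean", (scoped or list(rule.booleans))[0]
    if rule.cls == "file" and "execute" in rule.perms and rule.tgt.endswith("_rw_content_t"):
        # Writable content must not become executable by policy; label the binary instead.
        exec_type = (rule.src[:-2] if rule.src.endswith("_t") else rule.src) + "_exec_t"
        return "relabel", ("%s is writable content; chcon -t %s the executable instead of allowing execution"
                           % (rule.tgt, exec_type))
    return "module", "no boolean covers this; keep it in a local module or file a selinux-policy bug"


def review_module(text):
    """Return [(rendered rule, kind, detail)] for every allow rule in the module text."""
    out = []
    for r in parse_module(text):
        perms = sorted(r.perms)
        body = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        out.append(("allow %s %s:%s %s;" % (r.src, r.tgt, r.cls, body),) + review(r))
    return out


if __name__ == "__main__":
    for rule, kind, detail in review_module(MODULE_TE):
        advice = "setsebool -P %s 1" % detail if kind == "boolean" else detail
        print("%-8s %s\n         %s" % (kind, rule, advice))
```

Only the rules left in the "module" bucket need to survive into the .te that gets built and loaded; the execute rule is dropped in favour of the chcon above, and the two boolean-backed rules are replaced by setsebool.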