fedora-selinux March 2010 archive
fedora-selinux: Re: F12: /var/run/utmp

Re: F12: /var/run/utmp

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Tue Mar 30 2010 - 16:10:41 GMT
To: "Daniel B. Thurman" <dant@cdkkt.com>

On 03/30/2010 12:00 PM, Daniel B. Thurman wrote:
> On 03/29/2010 05:59 AM, Daniel J Walsh wrote:
>
>> On 03/28/2010 03:16 PM, Daniel B. Thurman wrote:
>>
>>> I am not sure what to make of this, so how can I fix it:
>>>
>>> ===================================
>>> Summary:
>>>
>>> SELinux is preventing /usr/bin/uptime from using potentially mislabeled files /var/run/utmp.
>>>
>>> Detailed Description:
>>>
>>> [SELinux is in permissive mode. This access was not denied.]
>>>
>>> SELinux has denied the uptime access to potentially mislabeled files /var/run/utmp.
>>> This means that SELinux will not allow httpd to use these files.
>>> If httpd should be allowed this access to these files you should change
>>> the file
>>> context to one of the following types, abrt_helper_exec_t,
>>> httpd_helper_exec_t,
>>> dbusd_etc_t, httpd_squirrelmail_t, httpd_php_exec_t,
>>> httpd_nagios_htaccess_t,
>>> textrel_shlib_t, rpm_script_tmp_t, samba_var_t, ld_so_t, net_conf_t,
>>> public_content_t, sysctl_kernel_t, httpd_modules_t, rpm_tmp_t,
>>> httpd_suexec_exec_t, application_exec_type, httpd_nutups_cgi_htaccess_t,
>>> mailman_cgi_exec_t, gitosis_var_lib_t, httpd_squid_htaccess_t,
>>> httpd_munin_htaccess_t, etc_runtime_t, mailman_archive_t,
>>> httpd_var_lib_t,
>>> httpd_var_run_t, bin_t, cert_t, ld_so_cache_t, httpd_t,
>>> fail2ban_var_lib_t,
>>> lib_t, httpd_awstats_htaccess_t, httpd_user_htaccess_t, usr_t,
>>> chroot_exec_t,
>>> httpd_rotatelogs_exec_t, public_content_rw_t, httpd_bugzilla_htaccess_t,
>>> httpd_cobbler_htaccess_t, nagios_etc_t, nagios_log_t, sssd_public_t,
>>> mailman_data_t, httpd_keytab_t, httpd_apcupsd_cgi_htaccess_t,
>>> system_dbusd_var_lib_t, httpd_cvs_htaccess_t, httpd_git_htaccess_t,
>>> httpd_sys_htaccess_t, squirrelmail_spool_t, cluster_conf_t,
>>> httpd_prewikka_htaccess_t, fonts_cache_t, httpd_exec_t, httpd_lock_t,
>>> httpd_log_t, logfile, httpd_rw_content, krb5_conf_t, locale_t,
>>> httpd_unconfined_script_exec_t, etc_t, fonts_t, httpd_ro_content,
>>> proc_t, src_t,
>>> sysfs_t, calamaris_www_t, krb5_keytab_t, httpd_cache_t, httpd_tmpfs_t,
>>> iso9660_t, httpd_config_t, var_lib_t, abrt_var_run_t, configfile,
>>> udev_tbl_t,
>>> abrt_t, httpd_tmp_t, lib_t, shell_exec_t,
>>> httpd_w3c_validator_htaccess_t,
>>> mysqld_etc_t, cvs_data_t, sysctl_crypto_t, httpd_bugzilla_content_ra_t,
>>> httpd_bugzilla_content_rw_t, httpd_nutups_cgi_script_exec_t,
>>> httpd_nagios_content_ra_t, httpd_nagios_content_rw_t,
>>> httpd_nagios_content_t,
>>> httpd_w3c_validator_content_t, httpd_sys_content_ra_t,
>>> httpd_sys_content_rw_t,
>>> httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t,
>>> httpd_git_content_ra_t, httpd_git_content_rw_t,
>>> httpd_cobbler_script_exec_t,
>>> httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t,
>>> httpd_git_content_t, httpd_user_content_t, httpd_squid_content_ra_t,
>>> httpd_squid_content_rw_t, httpd_prewikka_content_t,
>>> httpd_munin_content_t,
>>> httpd_squid_content_t, httpd_awstats_script_exec_t,
>>> httpd_apcupsd_cgi_content_t,
>>> httpd_cobbler_content_t, httpd_apcupsd_cgi_content_ra_t,
>>> httpd_apcupsd_cgi_content_rw_t, httpd_nagios_script_exec_t,
>>> httpd_cvs_content_t,
>>> httpd_sys_content_t, httpd_sys_content_t, root_t,
>>> httpd_munin_script_exec_t,
>>> httpd_w3c_validator_script_exec_t, httpd_prewikka_content_ra_t,
>>> httpd_prewikka_content_rw_t, httpd_user_script_exec_t,
>>> httpd_bugzilla_content_t,
>>> httpd_awstats_content_ra_t, httpd_awstats_content_rw_t,
>>> httpd_bugzilla_script_exec_t, httpd_apcupsd_cgi_script_exec_t,
>>> httpd_squid_script_exec_t, httpd_w3c_validator_content_ra_t,
>>> httpd_w3c_validator_content_rw_t, httpd_nutups_cgi_content_t,
>>> httpd_awstats_content_t, httpd_sys_script_exec_t,
>>> httpd_user_content_ra_t,
>>> httpd_user_content_rw_t, httpd_git_script_exec_t,
>>> httpd_cobbler_content_ra_t,
>>> httpd_cobbler_content_rw_t, httpdcontent, httpd_cvs_script_exec_t,
>>> httpd_prewikka_script_exec_t, httpd_munin_content_ra_t,
>>> httpd_munin_content_rw_t. Many third party apps install html files in
>>> directories that SELinux policy cannot predict. These directories
>>> have to be
>>> labeled with a file context which httpd can access.
>>>
>>> Allowing Access:
>>>
>>> If you want to change the file context of /var/run/utmp so that the httpd daemon
>>> can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE '/var/run/utmp'.
>>> where FILE_TYPE is one of the following: abrt_helper_exec_t,
>>> httpd_helper_exec_t, dbusd_etc_t, httpd_squirrelmail_t,
>>> httpd_php_exec_t,
>>> httpd_nagios_htaccess_t, textrel_shlib_t, rpm_script_tmp_t, samba_var_t,
>>> ld_so_t, net_conf_t, public_content_t, sysctl_kernel_t, httpd_modules_t,
>>> rpm_tmp_t, httpd_suexec_exec_t, application_exec_type,
>>> httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t, gitosis_var_lib_t,
>>> httpd_squid_htaccess_t, httpd_munin_htaccess_t, etc_runtime_t,
>>> mailman_archive_t, httpd_var_lib_t, httpd_var_run_t, bin_t, cert_t,
>>> ld_so_cache_t, httpd_t, fail2ban_var_lib_t, lib_t,
>>> httpd_awstats_htaccess_t,
>>> httpd_user_htaccess_t, usr_t, chroot_exec_t, httpd_rotatelogs_exec_t,
>>> public_content_rw_t, httpd_bugzilla_htaccess_t,
>>> httpd_cobbler_htaccess_t,
>>> nagios_etc_t, nagios_log_t, sssd_public_t, mailman_data_t,
>>> httpd_keytab_t,
>>> httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t,
>>> httpd_cvs_htaccess_t,
>>> httpd_git_htaccess_t, httpd_sys_htaccess_t, squirrelmail_spool_t,
>>> cluster_conf_t, httpd_prewikka_htaccess_t, fonts_cache_t, httpd_exec_t,
>>> httpd_lock_t, httpd_log_t, logfile, httpd_rw_content, krb5_conf_t,
>>> locale_t,
>>> httpd_unconfined_script_exec_t, etc_t, fonts_t, httpd_ro_content,
>>> proc_t, src_t,
>>> sysfs_t, calamaris_www_t, krb5_keytab_t, httpd_cache_t, httpd_tmpfs_t,
>>> iso9660_t, httpd_config_t, var_lib_t, abrt_var_run_t, configfile,
>>> udev_tbl_t,
>>> abrt_t, httpd_tmp_t, lib_t, shell_exec_t,
>>> httpd_w3c_validator_htaccess_t,
>>> mysqld_etc_t, cvs_data_t, sysctl_crypto_t, httpd_bugzilla_content_ra_t,
>>> httpd_bugzilla_content_rw_t, httpd_nutups_cgi_script_exec_t,
>>> httpd_nagios_content_ra_t, httpd_nagios_content_rw_t,
>>> httpd_nagios_content_t,
>>> httpd_w3c_validator_content_t, httpd_sys_content_ra_t,
>>> httpd_sys_content_rw_t,
>>> httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t,
>>> httpd_git_content_ra_t, httpd_git_content_rw_t,
>>> httpd_cobbler_script_exec_t,
>>> httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t,
>>> httpd_git_content_t, httpd_user_content_t, httpd_squid_content_ra_t,
>>> httpd_squid_content_rw_t, httpd_prewikka_content_t,
>>> httpd_munin_content_t,
>>> httpd_squid_content_t, httpd_awstats_script_exec_t,
>>> httpd_apcupsd_cgi_content_t,
>>> httpd_cobbler_content_t, httpd_apcupsd_cgi_content_ra_t,
>>> httpd_apcupsd_cgi_content_rw_t, httpd_nagios_script_exec_t,
>>> httpd_cvs_content_t,
>>> httpd_sys_content_t, httpd_sys_content_t, root_t,
>>> httpd_munin_script_exec_t,
>>> httpd_w3c_validator_script_exec_t, httpd_prewikka_content_ra_t,
>>> httpd_prewikka_content_rw_t, httpd_user_script_exec_t,
>>> httpd_bugzilla_content_t,
>>> httpd_awstats_content_ra_t, httpd_awstats_content_rw_t,
>>> httpd_bugzilla_script_exec_t, httpd_apcupsd_cgi_script_exec_t,
>>> httpd_squid_script_exec_t, httpd_w3c_validator_content_ra_t,
>>> httpd_w3c_validator_content_rw_t, httpd_nutups_cgi_content_t,
>>> httpd_awstats_content_t, httpd_sys_script_exec_t,
>>> httpd_user_content_ra_t,
>>> httpd_user_content_rw_t, httpd_git_script_exec_t,
>>> httpd_cobbler_content_ra_t,
>>> httpd_cobbler_content_rw_t, httpdcontent, httpd_cvs_script_exec_t,
>>> httpd_prewikka_script_exec_t, httpd_munin_content_ra_t,
>>> httpd_munin_content_rw_t. You can look at the httpd_selinux man page for
>>> additional information.
>>>
>>> Additional Information:
>>>
>>> Source Context:      system_u:system_r:httpd_t:s0
>>> Target Context:      system_u:object_r:initrc_var_run_t:s0
>>> Target Objects:      /var/run/utmp [ file ]
>>> Source:              uptime
>>> Source Path:         /usr/bin/uptime
>>> Port:                <Unknown>
>>> Host:                host.domain.com
>>> Source RPM Packages: procps-3.2.8-3.fc12
>>> Target RPM Packages: initscripts-9.02.1-1
>>> Policy RPM:          selinux-policy-3.6.32-103.fc12
>>> Selinux Enabled:     True
>>> Policy Type:         targeted
>>> Enforcing Mode:      Permissive
>>> Plugin Name:         httpd_bad_labels
>>> Host Name:           host.domain.com
>>> Platform:            Linux host.domain.com 2.6.32.9-70.fc12.i686 #1 SMP Wed Mar 3 05:14:32 UTC 2010 i686 i686
>>> Alert Count:         2
>>> First Seen:          Sun 28 Mar 2010 12:04:45 PM PDT
>>> Last Seen:           Sun 28 Mar 2010 12:09:52 PM PDT
>>> Local ID:            5f9c855c-31e3-42c9-83fd-9c9b6262cd00
>>> Line Numbers:
>>>
>>> Raw Audit Messages
>>>
>>> node=host.domain.com type=AVC msg=audit(1269803392.422:30): avc: denied { open } for pid=4900 comm="uptime" name="utmp" dev=sdb10 ino=206 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
>>>
>>> node=host.domain.com type=SYSCALL msg=audit(1269803392.422:30): arch=40000003 syscall=5 success=yes exit=4 a0=3f5cb5 a1=88000 a2=430680 a3=3f5cbb items=0 ppid=2613 pid=4900 auid=4294967295 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="uptime" exe="/usr/bin/uptime" subj=system_u:system_r:httpd_t:s0 key=(null)
>>>
>>> --
>>> selinux mailing list
>>> selinux@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>>>
>>>
>>>
>> If you want to allow apache to read the utmp file, just add the allow
>> rules.
>>
>> # grep httpd_t /var/log/audit/audit.log | audit2allow -M myhttpd
>> # semodule -i myhttpd.pp
>>
>> You might have to do this a couple of times. Allowing this means a
>> compromised system would be able to see the users that have logged
>> into a system.
>>
>> You can debate if this is worth preventing, but we do not want to
>> allow all http servers the ability to read this file.
>>
>>
>>
> Hmm... seems like there is no way to get around this - is there
> a reason why httpd is attempting to access this in the first place,
> if so, why or why isn't this being removed or better yet, can access
> be disabled via some httpd option?
>
>
It is the uptime command that is reading utmp.

man uptime
...
FILES
        /var/run/utmp information about who is currently logged on

> I have applied the above policy, and is there a way to remove it
> later? I also noticed when applying the policy, the following
> appears in /var/log/messages:
>
>
semodule -r myhttpd

Will remove the module named myhttpd (the name given to audit2allow -M above).
> Mar 30 08:53:09 host dbus: avc: received policyload notice (seqno=2)
> Mar 30 08:53:09 host dbus: Can't send to audit system: USER_AVC avc:
> received policyload notice (seqno=2)#012: exe="?" sauid=81 hostname=?
> addr=? terminal=?
> Mar 30 08:53:11 host dbus: Reloaded configuration
>
> Still getting dbus errors?
>
>
This is a dbus bug, being unable to send an audit message. It can
safely be ignored. Or open another bug with dbus.
> It also happens when I use setenforce 0 or 1
>
> Keep in mind that I have zoneminder installed but I am not
> sure that this is the cause of the problem since it is not clear
> what program is actually invoking the /usr/bin/uptime binary.
>
> Thanks-
> Dan
>
>
>

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
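The fix Dan Walsh gives above is an allow rule, not a relabel: /var/run/utmp carries initrc_var_run_t on purpose, so the setroubleshoot "httpd_bad_labels" advice to run semanage fcontext on it would be the wrong move. What `grep httpd_t audit.log | audit2allow -M myhttpd` actually does is read the AVC records, collapse them by (source type, target type, class), and render a .te module. The script below is an added example that re-implements that step in Python so the output can be inspected before `semodule -i`; it is not audit2allow and not code from the Fedora SELinux project. The sample input is the AVC/SYSCALL pair pasted in the thread; the list of "sensitive" target types and the list of network-facing domains are assumptions made for the example, not anything the policy defines. Two details a practitioner wants: the SYSCALL record sharing the AVC's serial says success=yes, which is how you can tell from the raw log alone that the machine was in permissive mode; and in enforcing mode the first denied permission aborts the operation, so later permissions (read after open, for instance) are not logged until the first is allowed, which is why Walsh says you may have to repeat the grep/audit2allow/semodule cycle.

```python
"""Parse raw SELinux AVC records and render an audit2allow-style .te module.
Added example for this thread; not audit2allow and not Fedora project code."""
import re
from collections import defaultdict

# Constructed sample input: the two records pasted in the thread.
SAMPLE_AUDIT_LOG = """\
node=host.domain.com type=AVC msg=audit(1269803392.422:30): avc: denied { open } for pid=4900 comm="uptime" name="utmp" dev=sdb10 ino=206 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
node=host.domain.com type=SYSCALL msg=audit(1269803392.422:30): arch=40000003 syscall=5 success=yes exit=4 a0=3f5cb5 a1=88000 a2=430680 a3=3f5cbb items=0 ppid=2613 pid=4900 auid=4294967295 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="uptime" exe="/usr/bin/uptime" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]*)\} .*?scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): .*?\bsuccess=(?P<success>yes|no)\b'
)

# Assumption for this example: target types a network-facing domain should
# not silently be granted read access to. utmp is the one from the thread.
SENSITIVE_TARGETS = {
    "initrc_var_run_t": "utmp/wtmp state: reveals who is logged in",
    "shadow_t": "/etc/shadow password hashes",
}


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Return one dict per AVC 'denied' record. syscall_succeeded is taken
    from the SYSCALL record with the same serial; True means the access went
    through anyway, i.e. the AVC was logged in permissive mode."""
    outcomes = {m.group("serial"): m.group("success") == "yes"
                for m in SYSCALL_RE.finditer(log_text)}
    denials = []
    for m in AVC_RE.finditer(log_text):
        denials.append({
            "serial": m.group("serial"),
            "source": type_of(m.group("scontext")),
            "target": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
            "syscall_succeeded": outcomes.get(m.group("serial")),
        })
    return denials


def merge_rules(denials):
    """Collapse denials to (source, target, class) -> sorted permission list."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return {key: sorted(perms) for key, perms in merged.items()}


def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_module(name, rules, version="1.0"):
    """Render the .te text in the layout `audit2allow -M name` produces."""
    types = sorted({t for (src, tgt, _) in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= set(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {fmt_perms(p)};" for cls, p in sorted(classes.items())]
    lines += ["}", ""]
    for src in sorted({s for (s, _, _) in rules}):
        lines.append(f"#============= {src} ==============")
        for (s, t, cls), perms in sorted(rules.items()):
            if s == src:
                lines.append(f"allow {s} {t}:{cls} {fmt_perms(perms)};")
    return "\n".join(lines) + "\n"


def review(rules, network_domains=("httpd_t",)):
    """Warnings for rules worth a second look before `semodule -i`: a
    network-facing domain (assumed list) gaining read access to a sensitive
    target. This is the trade-off Walsh describes for utmp."""
    warnings = []
    for (src, tgt, cls), perms in rules.items():
        if src in network_domains and tgt in SENSITIVE_TARGETS \
                and {"read", "open", "getattr"} & set(perms):
            warnings.append(f"{src} -> {tgt}:{cls} {' '.join(perms)}: {SENSITIVE_TARGETS[tgt]}")
    return warnings


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT_LOG)
    for d in denials:
        mode = "permissive" if d["syscall_succeeded"] else "enforcing/unknown"
        print(f"# serial {d['serial']}: {d['source']} -> {d['target']} ({mode})")
    rules = merge_rules(denials)
    print(build_module("myhttpd", rules), end="")
    for w in review(rules):
        print("# WARNING:", w)
```

Feed it `grep httpd_t /var/log/audit/audit.log` output instead of the sample and the generated text is what you would check into a myhttpd.te; `checkmodule`/`semodule_package` (or simply audit2allow -M) still do the compile. Whatever is loaded with `semodule -i myhttpd.pp` comes back out with `semodule -r myhttpd`, as the reply above says.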