airavata-issues mailing list archives

From "Marcus Christie (Jira)" <j...@apache.org>
Subject [jira] [Commented] (AIRAVATA-3291) Wagtail: large image uploads fail with SELinux relabelfrom error
Date Tue, 28 Jan 2020 16:32:00 GMT

    [ https://issues.apache.org/jira/browse/AIRAVATA-3291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17025267#comment-17025267 ]

Marcus Christie commented on AIRAVATA-3291:
-------------------------------------------

{noformat}
ausearch -c 'httpd' --raw | audit2allow -m my-httpd > my-httpd.te
{noformat}

gives
{noformat}
module my-httpd 1.0;

require {
	type httpd_t;
	type user_home_t;
	type httpd_sys_rw_content_t;
	type user_home_dir_t;
	class dir read;
	class file { relabelfrom write };
}

#============= httpd_t ==============
allow httpd_t httpd_sys_rw_content_t:file relabelfrom;

#!!!! This avc can be allowed using the boolean 'httpd_read_user_content'
allow httpd_t user_home_dir_t:dir read;
allow httpd_t user_home_t:file write;
{noformat}

Only the {{allow httpd_t httpd_sys_rw_content_t:file relabelfrom;}} is relevant. Looking into how to apply this.

> Wagtail: large image uploads fail with SELinux relabelfrom error
> ----------------------------------------------------------------
>
>                 Key: AIRAVATA-3291
>                 URL: https://issues.apache.org/jira/browse/AIRAVATA-3291
>             Project: Airavata
>          Issue Type: Bug
>          Components: Django Portal
>            Reporter: Marcus Christie
>            Assignee: Marcus Christie
>            Priority: Major
>
> {noformat}
> Jan 28 10:12:27 gridfarm004 setroubleshoot: SELinux is preventing httpd from relabelfrom access on the file QuSP_Home_Converted.png. For complete SELinux messages run: sealert -l 7097f275-0c78-47c7-bc55-be30bca3f3a8
> Jan 28 10:12:27 gridfarm004 python: SELinux is preventing httpd from relabelfrom access on the file QuSP_Home_Converted.png.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that httpd should be allowed relabelfrom access on the QuSP_Home_Converted.png file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'httpd' --raw | audit2allow -M my-httpd#012# semodule -i my-httpd.pp#012
> {noformat}
> {noformat}
> [root@gridfarm004 ~]# sealert -l 7097f275-0c78-47c7-bc55-be30bca3f3a8
> SELinux is preventing httpd from relabelfrom access on the file QuSP_Home_Converted.png.
> *****  Plugin catchall (100. confidence) suggests   **************************
> If you believe that httpd should be allowed relabelfrom access on the QuSP_Home_Converted.png file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'httpd' --raw | audit2allow -M my-httpd
> # semodule -i my-httpd.pp
> Additional Information:
> Source Context                system_u:system_r:httpd_t:s0
> Target Context                system_u:object_r:httpd_sys_rw_content_t:s0
> Target Objects                QuSP_Home_Converted.png [ file ]
> Source                        httpd
> Source Path                   httpd
> Port                          <Unknown>
> Host                          gridfarm004.ucs.indiana.edu
> Source RPM Packages           
> Target RPM Packages           
> Policy RPM                    selinux-policy-3.13.1-252.el7_7.6.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     gridfarm004.ucs.indiana.edu
> Platform                      Linux gridfarm004.ucs.indiana.edu
>                               3.10.0-957.10.1.el7.x86_64 #1 SMP Mon Mar 18
>                               15:06:45 UTC 2019 x86_64 x86_64
> Alert Count                   28
> First Seen                    2019-12-07 12:53:56 EST
> Last Seen                     2020-01-28 10:12:22 EST
> Local ID                      7097f275-0c78-47c7-bc55-be30bca3f3a8
> Raw Audit Messages
> type=AVC msg=audit(1580224342.756:7108484): avc:  denied  { relabelfrom } for  pid=9646 comm="httpd" name="QuSP_Home_Converted.png" dev="dm-1" ino=71079407 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
> Hash: httpd,httpd_t,httpd_sys_rw_content_t,file,relabelfrom
> {noformat}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
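
The narrowing described in the comment above (keep only the `relabelfrom` rule, drop the home-directory rules) can be done before a policy module is built. The following is an added example, not part of the original message or of Airavata: a small Python parser that reads AVC records and renders a `.te` module containing only the denials a reviewer explicitly accepts. The function names and the two home-directory records in the sample are constructed for illustration; the first record is the one quoted in the issue.

```python
import re

# Constructed sample: the first record is the denial quoted in the issue; the other
# two are constructed stand-ins for the unrelated home-directory denials.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1580224342.756:7108484): avc:  denied  { relabelfrom } for  pid=9646 comm="httpd" name="QuSP_Home_Converted.png" dev="dm-1" ino=71079407 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1580000000.000:1): avc:  denied  { read } for  pid=1 comm="httpd" name="example" dev="dm-1" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1580000001.000:2): avc:  denied  { write } for  pid=1 comm="httpd" name="example.txt" dev="dm-1" ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def context_type(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(":")[2]

def parse_denials(text):
    """Return the set of (source type, target type, class, permission) denials."""
    denials = set()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            for perm in m["perms"].split():
                denials.add((context_type(m["scon"]), context_type(m["tcon"]),
                             m["tclass"], perm))
    return denials

def build_module(name, denials, keep):
    """Render a .te module holding only the denials for which keep() is true."""
    rules = sorted(d for d in denials if keep(d))
    types = sorted({s for s, _, _, _ in rules} | {t for _, t, _, _ in rules})
    classes = {}
    for _, _, cls, perm in rules:
        classes.setdefault(cls, set()).add(perm)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    for cls in sorted(classes):
        perms = sorted(classes[cls])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        lines.append(f"\tclass {cls} {body};")
    lines += ["}", ""]
    lines += [f"allow {s} {t}:{cls} {perm};" for s, t, cls, perm in rules]
    return "\n".join(lines) + "\n"

def upload_relabel_only(denial):
    """Accept only the rule the comment identifies as relevant."""
    return denial == ("httpd_t", "httpd_sys_rw_content_t", "file", "relabelfrom")

if __name__ == "__main__":
    print(build_module("my-httpd", parse_denials(SAMPLE_AUDIT), upload_relabel_only))
```

The generated module contains a single `allow` line and no reference to `user_home_t` or `user_home_dir_t`; it still has to be compiled and loaded (for example with `checkmodule`, `semodule_package` and `semodule -i`), the step the comment leaves open.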
