[
https://issues.apache.org/jira/browse/AIRAVATA-3291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17025267#comment-17025267
]
Marcus Christie commented on AIRAVATA-3291:
-------------------------------------------
{noformat}
ausearch -c 'httpd' --raw | audit2allow -m my-httpd > my-httpd.te
{noformat}
gives
{noformat}
module my-httpd 1.0;

require {
	type httpd_t;
	type user_home_t;
	type httpd_sys_rw_content_t;
	type user_home_dir_t;
	class dir read;
	class file { relabelfrom write };
}

#============= httpd_t ==============
allow httpd_t httpd_sys_rw_content_t:file relabelfrom;

#!!!! This avc can be allowed using the boolean 'httpd_read_user_content'
allow httpd_t user_home_dir_t:dir read;
allow httpd_t user_home_t:file write;
{noformat}
Only the {{allow httpd_t httpd_sys_rw_content_t:file relabelfrom;}} is
relevant. Looking into how to apply this.
> Wagtail: large image uploads fail with SELinux relabelfrom error
> ----------------------------------------------------------------
>
> Key: AIRAVATA-3291
> URL: https://issues.apache.org/jira/browse/AIRAVATA-3291
> Project: Airavata
> Issue Type: Bug
> Components: Django Portal
> Reporter: Marcus Christie
> Assignee: Marcus Christie
> Priority: Major
>
> {noformat}
> Jan 28 10:12:27 gridfarm004 setroubleshoot: SELinux is preventing httpd from relabelfrom access on the file QuSP_Home_Converted.png. For complete SELinux messages run: sealert -l 7097f275-0c78-47c7-bc55-be30bca3f3a8
> Jan 28 10:12:27 gridfarm004 python: SELinux is preventing httpd from relabelfrom access on the file QuSP_Home_Converted.png.
>
> ***** Plugin catchall (100. confidence) suggests **************************
>
> If you believe that httpd should be allowed relabelfrom access on the QuSP_Home_Converted.png file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'httpd' --raw | audit2allow -M my-httpd
> # semodule -i my-httpd.pp
> {noformat}
> {noformat}
> [root@gridfarm004 ~]# sealert -l 7097f275-0c78-47c7-bc55-be30bca3f3a8
> SELinux is preventing httpd from relabelfrom access on the file QuSP_Home_Converted.png.
>
> ***** Plugin catchall (100. confidence) suggests **************************
>
> If you believe that httpd should be allowed relabelfrom access on the QuSP_Home_Converted.png file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'httpd' --raw | audit2allow -M my-httpd
> # semodule -i my-httpd.pp
>
> Additional Information:
> Source Context                system_u:system_r:httpd_t:s0
> Target Context                system_u:object_r:httpd_sys_rw_content_t:s0
> Target Objects                QuSP_Home_Converted.png [ file ]
> Source                        httpd
> Source Path                   httpd
> Port                          <Unknown>
> Host                          gridfarm004.ucs.indiana.edu
> Source RPM Packages
> Target RPM Packages
> Policy RPM                    selinux-policy-3.13.1-252.el7_7.6.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     gridfarm004.ucs.indiana.edu
> Platform                      Linux gridfarm004.ucs.indiana.edu 3.10.0-957.10.1.el7.x86_64 #1 SMP Mon Mar 18 15:06:45 UTC 2019 x86_64 x86_64
> Alert Count                   28
> First Seen                    2019-12-07 12:53:56 EST
> Last Seen                     2020-01-28 10:12:22 EST
> Local ID                      7097f275-0c78-47c7-bc55-be30bca3f3a8
>
> Raw Audit Messages
> type=AVC msg=audit(1580224342.756:7108484): avc: denied { relabelfrom } for pid=9646 comm="httpd" name="QuSP_Home_Converted.png" dev="dm-1" ino=71079407 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
>
> Hash: httpd,httpd_t,httpd_sys_rw_content_t,file,relabelfrom
> {noformat}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
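The {{catchall}} suggestion in the sealert output ({{audit2allow -M my-httpd}} piped straight into {{semodule -i}}) would install all three rules that audit2allow generated, including the two that let httpd read user home directories and write {{user_home_t}} files, which have nothing to do with the upload failure. The script below is an added example, not code from this Jira issue or from the Airavata project: it takes the generated .te text (embedded as constructed sample input, copied from the comment above), keeps only the allow rules matching a pattern, rebuilds the {{require}} block from just the types and classes those rules use, and puts the build-and-load steps (checkmodule, semodule_package and semodule, the same tools {{audit2allow -M}} drives) in a separate function that needs root on the SELinux host. The function and variable names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the Jira issue or the Airavata project): trim an audit2allow-
# generated module to the one rule that matters, then build and load it as a local policy.
set -euo pipefail

# Constructed sample input: the .te that audit2allow emitted in the comment above.
GENERATED_TE=$(cat <<'EOF'
module my-httpd 1.0;

require {
	type httpd_t;
	type user_home_t;
	type httpd_sys_rw_content_t;
	type user_home_dir_t;
	class dir read;
	class file { relabelfrom write };
}

#============= httpd_t ==============
allow httpd_t httpd_sys_rw_content_t:file relabelfrom;

#!!!! This avc can be allowed using the boolean 'httpd_read_user_content'
allow httpd_t user_home_dir_t:dir read;
allow httpd_t user_home_t:file write;
EOF
)

# trim_te NAME KEEP_REGEX   (reads a .te on stdin, writes a new one on stdout)
# Keeps only the allow rules matching KEEP_REGEX and rebuilds the require block from the
# types and classes they actually use, so nothing else the audit log happened to contain
# leaks into the installed policy. Fails if no rule matched instead of emitting an empty module.
trim_te() {
    local name=$1 keep=$2
    awk -v name="$name" -v keep="$keep" '
        function want_type(t) { if (!(t in types)) { types[t] = 1; tlist[++nt] = t } }
        { sub(/^[ \t]+/, "") }                    # tolerate indented input
        /^allow / && $0 ~ keep {
            rules[++nr] = $0
            split($3, tc, ":")                    # $3 is "target_type:class"
            want_type($2); want_type(tc[1])
            cls = tc[2]
            if (!(cls in perms)) { perms[cls] = ""; clist[++nc] = cls }
            p = $0
            sub(/^allow [^ ]+ [^ ]+ /, "", p)      # strip "allow src tgt:class "
            sub(/;[ \t]*$/, "", p)
            gsub(/[{}]/, " ", p)                  # "{ a b }" and "a" both become a word list
            m = split(p, ps, " ")
            for (i = 1; i <= m; i++)
                if (!seen[cls, ps[i]]++) perms[cls] = perms[cls] " " ps[i]
        }
        END {
            if (nr == 0) { print "trim_te: no allow rule matched /" keep "/" > "/dev/stderr"; exit 1 }
            print "module " name " 1.0;"
            print ""
            print "require {"
            for (i = 1; i <= nt; i++) print "\ttype " tlist[i] ";"
            for (i = 1; i <= nc; i++) print "\tclass " clist[i] " {" perms[clist[i]] " };"
            print "}"
            print ""
            for (i = 1; i <= nr; i++) print rules[i]
        }'
}

# build_and_load NAME   (needs root on the SELinux host; NAME.te must exist in the cwd)
# The same three steps audit2allow -M runs internally, applied to the trimmed module.
build_and_load() {
    local name=$1
    checkmodule -M -m -o "$name.mod" "$name.te"
    semodule_package -o "$name.pp" -m "$name.mod"
    semodule -i "$name.pp"
    semodule -l | grep -w "$name"                 # confirm the module is now loaded
}

# Stand-alone run: print the trimmed module. On the target host, redirect this to
# my-httpd.te and then run:  build_and_load my-httpd
printf '%s\n' "$GENERATED_TE" | trim_te my-httpd 'httpd_sys_rw_content_t:file relabelfrom'
```

Run with no arguments it prints a module whose require block names only {{httpd_t}}, {{httpd_sys_rw_content_t}} and {{class file { relabelfrom }}}. After loading it, {{sesearch -A -s httpd_t -t httpd_sys_rw_content_t -c file -p relabelfrom}} (setools-console) shows the rule in the active policy. Then repeat the failing upload and re-run the ausearch command: relabelfrom is checked against the file's current type and relabelto against the new one, so once relabelfrom is granted a relabelto denial may be the next thing the audit log reports.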