Bug 750464 - build.gnome.org selinux labeling issues
Status: RESOLVED FIXED
Product: sysadmin
Classification: Infrastructure
Component: Other
Version: unspecified
OS: Other Linux
Priority: Normal
Severity: normal
Assigned To: GNOME Sysadmins
Depends on:
Blocks:
Reported: 2015-06-05 17:44 UTC by Colin Walters
Modified: 2015-06-08 16:15 UTC
See Also:
GNOME target: ---
GNOME version: ---
Description Colin Walters 2015-06-05 17:44:09 UTC
The website is currently broken because httpd can't read var_t I think:

http://build.gnome.org/
Comment 1 Andrea Veri 2015-06-06 14:34:21 UTC
Fixed the context on:

 1. /srv/ostree/public_html
 2. /srv/ostree/src/gnome-continuous/extras/build.gnome.org

SELinux seems to be complaining about more files, though, which are hosted in directories that are generated daily, so having those in Puppet won't make much sense. Do you think we can automate the labeling of these files directly at the end of the build process? (The relevant binary file should have a setuid on root already, so ideally we can include a matching rule for httpd_sys_content_t for all files ending with .json, .png and .qcow2.gz, which are the majority of hits.)

An excerpt of audit.log:

type=AVC msg=audit(1433601104.588:224112): avc:  denied  { getattr } for  pid=12321 comm="httpd" path="/srv/ostree/ostbuild/work/builds/2015/03/10/14/resolve/meta.json" dev="dm-2" ino=48590874 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

type=AVC msg=audit(1433601093.518:224097): avc:  denied  { getattr } for  pid=7567 comm="httpd" path="/srv/ostree/ostbuild/work/images/z/20150602.36/gnome-continuous-x86_64-devel-debug-20150602.36.qcow2.gz" dev="dm-2" ino=68296508 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

type=AVC msg=audit(1433600852.354:223953): avc:  denied  { getattr } for  pid=9267 comm="httpd" path="/srv/ostree/ostbuild/work/builds/2015/06/02/36/memusage/work-gnome-continuous-x86_64-devel-debug/screenshot-1.png" dev="dm-2" ino=68289050 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
Comment 2 Colin Walters 2015-06-06 20:51:00 UTC
I still don't see any content on http://build.gnome.org

As for the label of the content here... this came up before, but I'm not finding the bug. I know we had issues with libguestfs spawning qemu, which is trying to read/write the same file label that we're trying to serve over static http.

But I changed continuous to write the qemu images to /tmp to fix this.

Can we try just labeling everything httpd_sys_content_t? Clearly var_t is wrong.

What did we have as labels on RHEL6, do you know?
Comment 3 Andrea Veri 2015-06-08 16:15:00 UTC
I honestly don't remember what labels we had on RHEL 6. Did we have SELinux set to enforcing at all with the previous install?

Anyway, https://infrastructure.gnome.org/browse/puppet/commit/?id=12364b1cdfebbdf43a511e463c7ad8771a569fc5 seems to have helped, and audit.log seems to be quiet now. New files should inherit the context from their parent directories, and if that doesn't happen Puppet will run and have it fixed. The new contexts should also survive a restorecon or .autorelabel, as the custom contexts have been made permanent.
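The triage that comments 1 and 3 describe by hand (read the AVC denials, work out which tree httpd_t is being refused on, then make the httpd_sys_content_t label permanent with a file-context rule so restorecon keeps it) can be scripted. The following is an added example written for this page; it is not code from the bug, from GNOME Continuous or from the Puppet commit linked above. It parses the three audit.log records quoted in comment 1 plus one constructed sshd record (to show that unrelated denials are filtered out), keeps only denials where the source domain is httpd_t and the target type is not an httpd content type, and derives the common root and the `semanage fcontext` / `restorecon` commands that would make the label permanent. The function names and the choice of /srv/ostree/ostbuild/work as the derived root are this example's own; `semanage fcontext -a -t TYPE PATTERN` and `restorecon -Rv PATH` are the real policycoreutils invocations.

```python
import os
import re
from collections import Counter

# Constructed sample input. The first three records are the ones quoted in the
# bug report; the fourth (sshd / etc_t) is made up here so the filter has
# something to discard.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1433601104.588:224112): avc:  denied  { getattr } for  pid=12321 comm="httpd" path="/srv/ostree/ostbuild/work/builds/2015/03/10/14/resolve/meta.json" dev="dm-2" ino=48590874 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1433601093.518:224097): avc:  denied  { getattr } for  pid=7567 comm="httpd" path="/srv/ostree/ostbuild/work/images/z/20150602.36/gnome-continuous-x86_64-devel-debug-20150602.36.qcow2.gz" dev="dm-2" ino=68296508 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1433600852.354:223953): avc:  denied  { getattr } for  pid=9267 comm="httpd" path="/srv/ostree/ostbuild/work/builds/2015/06/02/36/memusage/work-gnome-continuous-x86_64-devel-debug/screenshot-1.png" dev="dm-2" ino=68289050 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1433600900.000:223960): avc:  denied  { read } for  pid=4242 comm="sshd" path="/etc/ssh/sshd_config" dev="dm-2" ino=1 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)")
# key=value pairs; values are either double-quoted or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type:level SELinux context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, raw, quoted in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def parse_audit_log(text):
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def mislabelled_for_httpd(records, content_types=("httpd_sys_content_t", "httpd_sys_rw_content_t")):
    """Denials where httpd_t hit a filesystem object that is not labelled as web content."""
    out = []
    for r in records:
        if context_type(r.get("scontext", "::")) != "httpd_t":
            continue
        if r.get("tclass") not in ("file", "dir", "lnk_file"):
            continue
        if context_type(r["tcontext"]) in content_types:
            continue
        out.append(r)
    return out


def label_fix_plan(records, target_type="httpd_sys_content_t"):
    """Derive the common root of the denied paths and the commands that make
    target_type permanent there (survives restorecon / .autorelabel)."""
    paths = [r["path"] for r in records if "path" in r]
    if not paths:
        return None
    root = os.path.commonpath(paths)
    pattern = re.escape(root) + "(/.*)?"   # fcontext patterns are regexes
    return {
        "root": root,
        "pattern": pattern,
        "wrong_types": Counter(context_type(r["tcontext"]) for r in records),
        "extensions": Counter(os.path.splitext(p)[1] for p in paths),
        "commands": [
            f'semanage fcontext -a -t {target_type} "{pattern}"',
            f"restorecon -Rv {root}",
        ],
    }


if __name__ == "__main__":
    bad = mislabelled_for_httpd(parse_audit_log(SAMPLE_AUDIT_LOG))
    plan = label_fix_plan(bad)
    print(f"{len(bad)} httpd denials on non-content labels: {dict(plan['wrong_types'])}")
    print("\n".join(plan["commands"]))
```

Because `semanage fcontext` records the rule in the policy's file-context database rather than just relabelling the inodes, files the daily build writes under the root keep the right type after a `restorecon -R` or a full relabel, which is the property comment 3 relies on; a one-off `chcon` would not survive that. In a build pipeline the `restorecon -Rv` step is the one to run at the end of each build, as comment 1 asks.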