CernVM / CVM-1454

SELinux prevents httpd from reading Geo DB

    Details

    • Type: Bug
    • Status: Reopened
    • Priority: Medium
    • Resolution: Unresolved
    • Affects Version/s: CernVM-FS 2.4.2
    • Fix Version/s: CernVM-FS 2.6.1
    • Component/s: CVMFS
    • Labels:
      None
    • Environment:

      CentOS Linux release 7.3.1611 (Core)

    • Platforms:
      x86_64-slc6-gcc48-opt

    Description

      It seems that an SELinux rule prevents the Geo API from working altogether:


      $ curl http://cvmfs-s1-east.computecanada.ca:8000/cvmfs/soft.computecanada.ca/api/v1.0/geo/test.example.org/cvmfs-s1-east.computecanada.ca
      <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
      <html><head>
      <title>500 Internal Server Error</title>
      </head><body>
      <h1>Internal Server Error</h1>
      <p>The server encountered an internal error or
      misconfiguration and was unable to complete
      your request.</p>
      <p>Please contact the server administrator at
       root@localhost to inform them of the time this error occurred,
       and the actions you performed just before this error.</p>
      <p>More information about this error may be available
      in the server error log.</p>
      </body></html>

      [Sun Dec 10 03:28:00.712234 2017] [:error] [pid 10219] [remote 128.233.6.140:36] mod_wsgi (pid=10219): Target WSGI script '/var/www/wsgi-scripts/cvmfs-server/cvmfs-api.wsgi' cannot be loaded as Python module.
      [Sun Dec 10 03:28:00.712277 2017] [:error] [pid 10219] [remote 128.233.6.140:36] mod_wsgi (pid=10219): Exception occurred processing WSGI script '/var/www/wsgi-scripts/cvmfs-server/cvmfs-api.wsgi'.
      [Sun Dec 10 03:28:00.712351 2017] [:error] [pid 10219] [remote 128.233.6.140:36] Traceback (most recent call last):
      [Sun Dec 10 03:28:00.712424 2017] [:error] [pid 10219] [remote 128.233.6.140:36]   File "/var/www/wsgi-scripts/cvmfs-server/cvmfs-api.wsgi", line 4, in <module>
      [Sun Dec 10 03:28:00.712525 2017] [:error] [pid 10219] [remote 128.233.6.140:36]     import cvmfs_api
      [Sun Dec 10 03:28:00.712548 2017] [:error] [pid 10219] [remote 128.233.6.140:36]   File "/usr/share/cvmfs-server/webapi/cvmfs_api.py", line 2, in <module>
      [Sun Dec 10 03:28:00.712584 2017] [:error] [pid 10219] [remote 128.233.6.140:36]     import cvmfs_geo
      [Sun Dec 10 03:28:00.712603 2017] [:error] [pid 10219] [remote 128.233.6.140:36]   File "/usr/share/cvmfs-server/webapi/cvmfs_geo.py", line 15, in <module>
      [Sun Dec 10 03:28:00.712636 2017] [:error] [pid 10219] [remote 128.233.6.140:36]     gi = GeoIP.open("/var/lib/cvmfs-server/geo/GeoLiteCity.dat", GeoIP.GEOIP_STANDARD)
      [Sun Dec 10 03:28:00.712686 2017] [:error] [pid 10219] [remote 128.233.6.140:36] error: [Errno 13] Permission denied: '/var/lib/cvmfs-server/geo/GeoLiteCity.dat'
      Error Opening file /var/lib/cvmfs-server/geo/GeoLiteCity.dat


      $ grep AVC /var/log/audit/audit.log
      type=AVC msg=audit(1513181408.019:930512): avc:  denied  { read } for  pid=10261 comm="httpd" name="GeoLiteCity.dat" dev="vda1" ino=21033411 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
      type=AVC msg=audit(1513181416.154:930513): avc:  denied  { read } for  pid=10235 comm="httpd" name="GeoLiteCity.dat" dev="vda1" ino=21033411 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file
      type=AVC msg=audit(1513181419.038:930514): avc:  denied  { read } for  pid=10261 comm="httpd" name="GeoLiteCity.dat" dev="vda1" ino=21033411 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file

      An admin reports that the following commands should fix this:

      sudo semanage fcontext -a -t httpd_sys_content_t /var/lib/cvmfs-server/geo/GeoLiteCity.dat
      sudo restorecon -Rv /var/lib/cvmfs-server/geo/

      Should the cvmfs-server RPM be updated to run the SELinux config so that Geo API works out of the box?
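      The AVC records quoted above already carry everything needed to explain the 500: the source domain (httpd_t), the label of the file being read (cron_var_lib_t, which httpd_t is not allowed to read) and the denied permission. The script below is an added example, not part of CernVM-FS or of this report; it parses such records, groups identical denials so that repeated hits from several worker pids collapse into one finding, and emits relabel commands of the form the report proposes. SAMPLE_AVC_LINES are the three records copied from the audit log above; the directory pattern, the summarise/report helpers and their output format are the example's own.

```python
"""Triage SELinux AVC denials from /var/log/audit/audit.log.

Added example (not CernVM-FS code): parses AVC records, groups identical
denials and prints the label mismatch behind them. SAMPLE_AVC_LINES are
the three records copied from the issue; the relabel type is the one the
issue proposes (httpd_sys_content_t).
"""
import re

# key=value tokens of an audit record; values may be double-quoted.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the permission set inside "avc:  denied  { read write }"
_DENIED_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}')
# "msg=audit(<epoch seconds>:<serial>)"
_MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')

SAMPLE_AVC_LINES = [  # copied from the report's audit.log excerpt
    'type=AVC msg=audit(1513181408.019:930512): avc:  denied  { read } for  pid=10261 comm="httpd" name="GeoLiteCity.dat" dev="vda1" ino=21033411 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1513181416.154:930513): avc:  denied  { read } for  pid=10235 comm="httpd" name="GeoLiteCity.dat" dev="vda1" ino=21033411 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file',
    'type=AVC msg=audit(1513181419.038:930514): avc:  denied  { read } for  pid=10261 comm="httpd" name="GeoLiteCity.dat" dev="vda1" ino=21033411 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cron_var_lib_t:s0 tclass=file',
]


def _type_of(context):
    """user:role:type:level -> the type (third field) of an SELinux context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other record."""
    if 'type=AVC' not in line:
        return None
    denied = _DENIED_RE.search(line)
    msg = _MSG_RE.search(line)
    if not denied or not msg:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    return {
        'timestamp': float(msg.group(1)),
        'serial': int(msg.group(2)),
        'perms': sorted(denied.group(1).split()),
        'pid': int(fields.get('pid', -1)),
        'comm': fields.get('comm', ''),
        'name': fields.get('name', ''),
        'source_type': _type_of(fields.get('scontext', '')),
        'target_type': _type_of(fields.get('tcontext', '')),
        'tclass': fields.get('tclass', ''),
    }


def summarise(lines):
    """Group denials by (comm, source type, target type, class, object name).

    Returns {key: {'count', 'pids', 'perms', 'first', 'last'}} so that one
    misconfiguration hit by many worker processes shows up as one finding.
    """
    groups = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (d['comm'], d['source_type'], d['target_type'], d['tclass'], d['name'])
        g = groups.setdefault(key, {'count': 0, 'pids': set(), 'perms': set(),
                                    'first': d['timestamp'], 'last': d['timestamp']})
        g['count'] += 1
        g['pids'].add(d['pid'])
        g['perms'].update(d['perms'])
        g['first'] = min(g['first'], d['timestamp'])
        g['last'] = max(g['last'], d['timestamp'])
    return groups


def report(lines):
    """One human-readable line per distinct denial (example's own format)."""
    out = []
    for (comm, stype, ttype, tclass, name), g in sorted(summarise(lines).items()):
        out.append('%s (%s) denied %s on %s %r labelled %s: %d time(s), pids %s'
                   % (comm, stype, ','.join(sorted(g['perms'])), tclass, name,
                      ttype, g['count'], sorted(g['pids'])))
    return out


def suggest_fcontext(target_dir, target_type='httpd_sys_content_t'):
    """Relabel commands for a directory httpd must be able to read.

    semanage fcontext takes a regular expression, so the rule covers the
    whole directory (the report's fix names the single .dat file instead).
    """
    pattern = target_dir.rstrip('/') + '(/.*)?'
    return ["semanage fcontext -a -t %s '%s'" % (target_type, pattern),
            'restorecon -Rv %s' % target_dir]


if __name__ == '__main__':
    for finding in report(SAMPLE_AVC_LINES):
        print(finding)
    print('\n'.join(suggest_fcontext('/var/lib/cvmfs-server/geo')))
```

      Because semanage fcontext -a stores a regular expression, writing the rule for the geo directory rather than for GeoLiteCity.dat alone means a refreshed database file placed in the same directory keeps the httpd-readable label after restorecon; the single-file rule in the report works, but has to be repeated for every new file name.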

    People

    • Assignee: Jakob Blomer (jblomer)
    • Reporter: Ryan Taylor (rptaylor)