[ https://issues.apache.org/jira/browse/AIRAVATA-3291?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17025221#comment-17025221 ]
Marcus Christie commented on AIRAVATA-3291:
-------------------------------------------
This is similar to AIRAVATA-2691, but that was for gateway user storage file
uploads. That was fixed by changing the temporary directory to be inside the
gateway user data directory, which has the correct SELinux permissions. Possibly
media uploads aren't using that temporary directory?
https://docs.djangoproject.com/en/1.11/ref/settings/#std:setting-FILE_UPLOAD_TEMP_DIR
> Wagtail: large image uploads fail with SELinux relabelfrom error
> ----------------------------------------------------------------
>
> Key: AIRAVATA-3291
> URL: https://issues.apache.org/jira/browse/AIRAVATA-3291
> Project: Airavata
> Issue Type: Bug
> Components: Django Portal
> Reporter: Marcus Christie
> Assignee: Marcus Christie
> Priority: Major
>
> {noformat}
> Jan 28 10:12:27 gridfarm004 setroubleshoot: SELinux is preventing httpd from
> relabelfrom access on the file QuSP_Home_Converted.png. For complete SELinux
> messages run: sealert -l 7097f275-0c78-47c7-bc55-be30bca3f3a8
> Jan 28 10:12:27 gridfarm004 python: SELinux is preventing httpd from
> relabelfrom access on the file QuSP_Home_Converted.png.#012#012***** Plugin
> catchall (100. confidence) suggests **************************#012#012If
> you believe that httpd should be allowed relabelfrom access on the
> QuSP_Home_Converted.png file by default.#012Then you should report this as a
> bug.#012You can generate a local policy module to allow this
> access.#012Do#012allow this access for now by executing:#012# ausearch -c
> 'httpd' --raw | audit2allow -M my-httpd#012# semodule -i my-httpd.pp#012
> {noformat}
> {noformat}
> [root@gridfarm004 ~]# sealert -l 7097f275-0c78-47c7-bc55-be30bca3f3a8
> SELinux is preventing httpd from relabelfrom access on the file
> QuSP_Home_Converted.png.
> ***** Plugin catchall (100. confidence) suggests **************************
> If you believe that httpd should be allowed relabelfrom access on the
> QuSP_Home_Converted.png file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'httpd' --raw | audit2allow -M my-httpd
> # semodule -i my-httpd.pp
> Additional Information:
> Source Context system_u:system_r:httpd_t:s0
> Target Context system_u:object_r:httpd_sys_rw_content_t:s0
> Target Objects QuSP_Home_Converted.png [ file ]
> Source httpd
> Source Path httpd
> Port <Unknown>
> Host gridfarm004.ucs.indiana.edu
> Source RPM Packages
> Target RPM Packages
> Policy RPM selinux-policy-3.13.1-252.el7_7.6.noarch
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Host Name gridfarm004.ucs.indiana.edu
> Platform Linux gridfarm004.ucs.indiana.edu
> 3.10.0-957.10.1.el7.x86_64 #1 SMP Mon Mar 18
> 15:06:45 UTC 2019 x86_64 x86_64
> Alert Count 28
> First Seen 2019-12-07 12:53:56 EST
> Last Seen 2020-01-28 10:12:22 EST
> Local ID 7097f275-0c78-47c7-bc55-be30bca3f3a8
> Raw Audit Messages
> type=AVC msg=audit(1580224342.756:7108484): avc: denied { relabelfrom } for
> pid=9646 comm="httpd" name="QuSP_Home_Converted.png" dev="dm-1" ino=71079407
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0
> Hash: httpd,httpd_t,httpd_sys_rw_content_t,file,relabelfrom
> {noformat}
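
The comment above attributes the earlier fix to placing Django's upload temporary directory inside a directory that has the correct SELinux permissions. A check along those lines follows as an added example; it is not part of the original message or of Airavata's code, and the function names and sample paths are assumptions.

```python
import os
import tempfile
from pathlib import Path


def selinux_label(path):
    """Return the security.selinux xattr of path, or None if it cannot be read."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except (OSError, AttributeError):  # no label, no xattr support, or non-Linux
        return None
    return raw.rstrip(b"\x00").decode()


def check_upload_temp_dir(upload_tmp, storage_root):
    """Compare an upload temp dir with the storage root; return a list of findings.

    upload_tmp mirrors FILE_UPLOAD_TEMP_DIR: None means the OS temp directory.
    storage_root is the directory uploads end up in (hypothetical parameter name).
    """
    tmp = Path(upload_tmp or tempfile.gettempdir()).resolve()
    root = Path(storage_root).resolve()
    findings = []
    if tmp != root and root not in tmp.parents:
        findings.append(f"{tmp} is outside {root}")
    if os.stat(tmp).st_dev != os.stat(root).st_dev:
        # A rename cannot cross filesystems, so a move becomes copy + delete.
        findings.append(f"{tmp} and {root} are on different filesystems")
    tmp_label, root_label = selinux_label(tmp), selinux_label(root)
    if tmp_label != root_label:
        findings.append(f"SELinux label mismatch: {tmp_label} vs {root_label}")
    return findings


if __name__ == "__main__":
    # Constructed layout: a storage root with a tmp directory inside it.
    base = tempfile.mkdtemp()
    media = os.path.join(base, "media")
    os.makedirs(os.path.join(media, "tmp"))
    print("inside :", check_upload_temp_dir(os.path.join(media, "tmp"), media))
    print("default:", check_upload_temp_dir(None, media))
```

Run it as the web server's user against the real values of `FILE_UPLOAD_TEMP_DIR` and the media storage directory; an empty list means the temp directory sits inside the storage root, on the same filesystem, with the same label.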