Attachment 584191 Details for Bug 821286 – full setroubleshoot output

full setroubleshoot output

man2html-setroubleshoot.txt (text/plain), 17.31 KB, created by T.C. Hollingsworth on 2012-05-13 23:29:41 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: T.C. Hollingsworth

Created: 2012-05-13 23:29:41 UTC

Size: 17.31 KB

patch

obsolete

>SELinux is preventing /usr/sbin/httpd from search access on the directory /usr/lib/man2html.
>
>*****  Plugin restorecon (99.5 confidence) suggests  *************************
>
>If you want to fix the label.
>/usr/lib/man2html default label should be lib_t.
>Then you can run restorecon.
>Do
># /sbin/restorecon -v /usr/lib/man2html
>
>*****  Plugin catchall (1.49 confidence) suggests  ***************************
>
>If you believe that httpd should be allowed search access on the man2html directory by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># grep httpd /var/log/audit/audit.log | audit2allow -M mypol
># semodule -i mypol.pp
>
>Additional Information:
>Source Context                system_u:system_r:httpd_t:s0
>Target Context                system_u:object_r:httpd_unconfined_script_exec_t:s
>                              0
>Target Objects                /usr/lib/man2html [ dir ]
>Source                        httpd
>Source Path                   /usr/sbin/httpd
>Port                          <Unknown>
>Host                          invincible.tchol.org
>Source RPM Packages           httpd-2.2.22-4.fc17.x86_64
>Target RPM Packages           man2html-1.6-4.g.fc17.x86_64
>Policy RPM                    selinux-policy-3.10.0-121.fc17.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Enforcing
>Host Name                     invincible.tchol.org
>Platform                      Linux invincible.tchol.org 3.3.4-5.fc17.x86_64 #1
>                              SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
>Alert Count                   6
>First Seen                    Sun 13 May 2012 03:50:07 PM MST
>Last Seen                     Sun 13 May 2012 04:01:00 PM MST
>Local ID                      384f90a2-8780-4a05-8147-1b3ac31022a6
>
>Raw Audit Messages
>type=AVC msg=audit(1336950060.636:253): avc:  denied  { search } for  pid=7443 comm="httpd" name="man2html" dev="dm-1" ino=800029 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_unconfined_script_exec_t:s0 tclass=dir
>
>
>type=SYSCALL msg=audit(1336950060.636:253): arch=x86_64 syscall=stat success=no exit=EACCES a0=7ff0ecb9aef8 a1=7fff16be7380 a2=7fff16be7380 a3=62696c2f7273752f items=0 ppid=7441 pid=7443 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
>
>Hash: httpd,httpd_t,httpd_unconfined_script_exec_t,dir,search
>
>audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
>
>
>audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
>--
>
>SELinux is preventing /usr/bin/whatis from lock access on the file /var/cache/man/local/index.db.
>
>*****  Plugin catchall (100. confidence) suggests  ***************************
>
>If you believe that whatis should be allowed lock access on the index.db file by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># grep whatis /var/log/audit/audit.log | audit2allow -M mypol
># semodule -i mypol.pp
>
>Additional Information:
>Source Context                system_u:system_r:httpd_t:s0
>Target Context                system_u:object_r:man_t:s0
>Target Objects                /var/cache/man/local/index.db [ file ]
>Source                        whatis
>Source Path                   /usr/bin/whatis
>Port                          <Unknown>
>Host                          invincible.tchol.org
>Source RPM Packages           man-db-2.6.0.2-6.fc17.x86_64
>Target RPM Packages
>Policy RPM                    selinux-policy-3.10.0-121.fc17.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Permissive
>Host Name                     invincible.tchol.org
>Platform                      Linux invincible.tchol.org 3.3.4-5.fc17.x86_64 #1
>                              SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
>Alert Count                   3
>First Seen                    Fri 11 May 2012 04:33:38 PM MST
>Last Seen                     Sun 13 May 2012 03:41:57 PM MST
>Local ID                      a201ed1a-6c23-4bbc-b0a7-87e2a0ecf576
>
>Raw Audit Messages
>type=AVC msg=audit(1336948917.723:130): avc:  denied  { lock } for  pid=7709 comm="whatis" path="/var/cache/man/local/index.db" dev="dm-9" ino=390734 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file
>
>
>type=SYSCALL msg=audit(1336948917.723:130): arch=x86_64 syscall=flock success=yes exit=0 a0=4 a1=5 a2=0 a3=1e items=0 ppid=7705 pid=7709 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=whatis exe=/usr/bin/whatis subj=system_u:system_r:httpd_t:s0 key=(null)
>
>Hash: whatis,httpd_t,man_t,file,lock
>
>audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
>
>
>audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
>--
>
>SELinux is preventing /usr/bin/gzip from read access on the file /var/cache/man/local/index.db.
>
>*****  Plugin catchall (100. confidence) suggests  ***************************
>
>If you believe that gzip should be allowed read access on the index.db file by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># grep gzip /var/log/audit/audit.log | audit2allow -M mypol
># semodule -i mypol.pp
>
>Additional Information:
>Source Context                system_u:system_r:httpd_t:s0
>Target Context                system_u:object_r:man_t:s0
>Target Objects                /var/cache/man/local/index.db [ file ]
>Source                        gzip
>Source Path                   /usr/bin/gzip
>Port                          <Unknown>
>Host                          invincible.tchol.org
>Source RPM Packages           man-db-2.6.0.2-6.fc17.x86_64
>Target RPM Packages
>Policy RPM                    selinux-policy-3.10.0-121.fc17.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Permissive
>Host Name                     invincible.tchol.org
>Platform                      Linux invincible.tchol.org 3.3.4-5.fc17.x86_64 #1
>                              SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
>Alert Count                   11
>First Seen                    Mon 07 May 2012 02:48:38 PM MST
>Last Seen                     Sun 13 May 2012 03:41:57 PM MST
>Local ID                      61f246b5-5f2f-4a34-b630-5ee9e7e4be5f
>
>Raw Audit Messages
>type=AVC msg=audit(1336948917.722:129): avc:  denied  { read } for  pid=7709 comm="whatis" name="index.db" dev="dm-9" ino=390734 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file
>
>
>type=AVC msg=audit(1336948917.722:129): avc:  denied  { open } for  pid=7709 comm="whatis" name="index.db" dev="dm-9" ino=390734 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file
>
>
>type=SYSCALL msg=audit(1336948917.722:129): arch=x86_64 syscall=open success=yes exit=EINTR a0=f96260 a1=0 a2=0 a3=1e items=0 ppid=7705 pid=7709 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=whatis exe=/usr/bin/whatis subj=system_u:system_r:httpd_t:s0 key=(null)
>
>Hash: gzip,httpd_t,man_t,file,read
>
>audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
>
>
>audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
>--
>
>SELinux is preventing /usr/lib/man2html/cgi-bin/man/man2html from getattr access on the file /var/cache/man/index.db.
>
>*****  Plugin catchall (100. confidence) suggests  ***************************
>
>If you believe that man2html should be allowed getattr access on the index.db file by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># grep man2html /var/log/audit/audit.log | audit2allow -M mypol
># semodule -i mypol.pp
>
>Additional Information:
>Source Context                system_u:system_r:httpd_t:s0
>Target Context                system_u:object_r:man_t:s0
>Target Objects                /var/cache/man/index.db [ file ]
>Source                        man2html
>Source Path                   /usr/lib/man2html/cgi-bin/man/man2html
>Port                          <Unknown>
>Host                          invincible.tchol.org
>Source RPM Packages           man2html-1.6-3.g.fc17.x86_64
>Target RPM Packages
>Policy RPM                    selinux-policy-3.10.0-121.fc17.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Permissive
>Host Name                     invincible.tchol.org
>Platform                      Linux invincible.tchol.org 3.3.4-5.fc17.x86_64 #1
>                              SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
>Alert Count                   11
>First Seen                    Mon 07 May 2012 02:48:38 PM MST
>Last Seen                     Sun 13 May 2012 03:41:57 PM MST
>Local ID                      56b1fc78-5d7e-4b9f-acd1-22cbde6777df
>
>Raw Audit Messages
>type=AVC msg=audit(1336948917.645:128): avc:  denied  { getattr } for  pid=7705 comm="manwhatis" path="/var/cache/man/index.db" dev="dm-9" ino=390280 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=file
>
>
>type=SYSCALL msg=audit(1336948917.645:128): arch=x86_64 syscall=stat success=yes exit=0 a0=7fff1b87cec0 a1=7fff1b87cc20 a2=7fff1b87cc20 a3=40344e items=0 ppid=7442 pid=7705 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=manwhatis exe=/usr/lib/man2html/cgi-bin/man/manwhatis subj=system_u:system_r:httpd_t:s0 key=(null)
>
>Hash: man2html,httpd_t,man_t,file,getattr
>
>audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
>
>
>audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
>--
>
>SELinux is preventing /usr/lib/man2html/cgi-bin/man/man2html from getattr access on the directory /usr/local/share/man.
>
>*****  Plugin catchall (100. confidence) suggests  ***************************
>
>If you believe that man2html should be allowed getattr access on the man directory by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># grep man2html /var/log/audit/audit.log | audit2allow -M mypol
># semodule -i mypol.pp
>
>Additional Information:
>Source Context                system_u:system_r:httpd_t:s0
>Target Context                system_u:object_r:man_t:s0
>Target Objects                /usr/local/share/man [ dir ]
>Source                        man2html
>Source Path                   /usr/lib/man2html/cgi-bin/man/man2html
>Port                          <Unknown>
>Host                          invincible.tchol.org
>Source RPM Packages           man-db-2.6.0.2-6.fc17.x86_64
>Target RPM Packages           filesystem-3-2.fc17.x86_64
>Policy RPM                    selinux-policy-3.10.0-121.fc17.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Permissive
>Host Name                     invincible.tchol.org
>Platform                      Linux invincible.tchol.org 3.3.4-5.fc17.x86_64 #1
>                              SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
>Alert Count                   16
>First Seen                    Mon 07 May 2012 02:48:37 PM MST
>Last Seen                     Sun 13 May 2012 03:41:57 PM MST
>Local ID                      da601756-43a3-4dd0-9a23-5cda4c461a0b
>
>Raw Audit Messages
>type=AVC msg=audit(1336948917.642:127): avc:  denied  { getattr } for  pid=7706 comm="manpath" path="/usr/local/share/man" dev="dm-1" ino=170 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
>
>
>type=SYSCALL msg=audit(1336948917.642:127): arch=x86_64 syscall=stat success=yes exit=0 a0=7fff9976e740 a1=7fff9976e870 a2=7fff9976e870 a3=f items=0 ppid=7705 pid=7706 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=manpath exe=/usr/bin/manpath subj=system_u:system_r:httpd_t:s0 key=(null)
>
>Hash: man2html,httpd_t,man_t,dir,getattr
>
>audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
>
>
>audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
>--
>
>SELinux is preventing /usr/lib/man2html/cgi-bin/man/man2html from read access on the directory /usr/share/man/man1.
>
>*****  Plugin catchall (100. confidence) suggests  ***************************
>
>If you believe that man2html should be allowed read access on the man1 directory by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># grep man2html /var/log/audit/audit.log | audit2allow -M mypol
># semodule -i mypol.pp
>
>Additional Information:
>Source Context                system_u:system_r:httpd_t:s0
>Target Context                system_u:object_r:man_t:s0
>Target Objects                /usr/share/man/man1 [ dir ]
>Source                        man2html
>Source Path                   /usr/lib/man2html/cgi-bin/man/man2html
>Port                          <Unknown>
>Host                          invincible.tchol.org
>Source RPM Packages           man2html-1.6-3.g.fc17.x86_64
>Target RPM Packages           filesystem-3-2.fc17.x86_64
>                              npm-1.1.19-1.fc17.noarch google-chrome-
>                              beta-19.0.1084.41-134854.x86_64
>Policy RPM                    selinux-policy-3.10.0-121.fc17.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Permissive
>Host Name                     invincible.tchol.org
>Platform                      Linux invincible.tchol.org 3.3.4-5.fc17.x86_64 #1
>                              SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
>Alert Count                   6
>First Seen                    Mon 07 May 2012 02:48:37 PM MST
>Last Seen                     Sun 13 May 2012 03:41:45 PM MST
>Local ID                      19d59818-e19e-4c7a-835b-3b92fe8a4909
>
>Raw Audit Messages
>type=AVC msg=audit(1336948905.322:123): avc:  denied  { read } for  pid=7458 comm="man2html" name="man1" dev="dm-1" ino=1062 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
>
>
>type=AVC msg=audit(1336948905.322:123): avc:  denied  { open } for  pid=7458 comm="man2html" name="man1" dev="dm-1" ino=1062 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
>
>
>type=SYSCALL msg=audit(1336948905.322:123): arch=x86_64 syscall=openat success=yes exit=ESRCH a0=ffffffffffffff9c a1=7fffe37410e0 a2=90800 a3=0 items=0 ppid=7444 pid=7458 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=man2html exe=/usr/lib/man2html/cgi-bin/man/man2html subj=system_u:system_r:httpd_t:s0 key=(null)
>
>Hash: man2html,httpd_t,man_t,dir,read
>
>audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
>
>
>audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
>--
>
>SELinux is preventing /usr/lib/man2html/cgi-bin/man/man2html from search access on the directory /usr/local/share/man.
>
>*****  Plugin catchall (100. confidence) suggests  ***************************
>
>If you believe that man2html should be allowed search access on the man directory by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># grep man2html /var/log/audit/audit.log | audit2allow -M mypol
># semodule -i mypol.pp
>
>Additional Information:
>Source Context                system_u:system_r:httpd_t:s0
>Target Context                system_u:object_r:man_t:s0
>Target Objects                /usr/local/share/man [ dir ]
>Source                        man2html
>Source Path                   /usr/lib/man2html/cgi-bin/man/man2html
>Port                          <Unknown>
>Host                          invincible.tchol.org
>Source RPM Packages           man2html-1.6-3.g.fc17.x86_64
>Target RPM Packages           filesystem-3-2.fc17.x86_64
>Policy RPM                    selinux-policy-3.10.0-121.fc17.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Permissive
>Host Name                     invincible.tchol.org
>Platform                      Linux invincible.tchol.org 3.3.4-5.fc17.x86_64 #1
>                              SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
>Alert Count                   13
>First Seen                    Mon 07 May 2012 02:48:00 PM MST
>Last Seen                     Sun 13 May 2012 03:41:37 PM MST
>Local ID                      c2c1e632-5aa0-4de2-9c17-1b14fe90ecb8
>
>Raw Audit Messages
>type=AVC msg=audit(1336948897.281:117): avc:  denied  { search } for  pid=7450 comm="man2html" name="man" dev="dm-1" ino=170 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:man_t:s0 tclass=dir
>
>
>type=SYSCALL msg=audit(1336948897.281:117): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7fff32b49230 a2=90800 a3=0 items=0 ppid=7442 pid=7450 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=man2html exe=/usr/lib/man2html/cgi-bin/man/man2html subj=system_u:system_r:httpd_t:s0 key=(null)
>
>Hash: man2html,httpd_t,man_t,dir,search
>
>audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
>
>
>audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied

Actions: View

Attachments on bug 821286: 584191