Attachment 590416 Details for Bug 830157 – File: description

File: description

description (text/plain), 7.03 KB, created by Bill Thielman on 2012-06-08 12:10:51 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Bill Thielman

Created: 2012-06-08 12:10:51 UTC

Size: 7.03 KB

patch

obsolete

>SELinux is preventing httpd from 'getattr' accesses on the file /var/www/html/index.html.
>
>*****  Plugin restorecon (94.8 confidence) suggests  *************************
>
>If you want to fix the label. 
>/var/www/html/index.html default label should be httpd_sys_content_t.
>Then you can run restorecon.
>Do
># /sbin/restorecon -v /var/www/html/index.html
>
>*****  Plugin catchall_labels (5.21 confidence) suggests  ********************
>
>If you want to allow httpd to have getattr access on the index.html file
>Then you need to change the label on /var/www/html/index.html
>Do
># semanage fcontext -a -t FILE_TYPE '/var/www/html/index.html'
>where FILE_TYPE is one of the following: var_lib_t, httpd_php_exec_t, httpd_passwd_exec_t, httpd_nagios_htaccess_t, abrt_t, proc_net_t, abrt_etc_t, lib_t, puppet_tmp_t, ld_so_t, sysfs_t, samba_var_t, abrt_helper_exec_t, dirsrv_var_log_t, zarafa_var_lib_t, etc_runtime_t, dirsrv_var_run_t, puppet_var_lib_t, net_conf_t, httpd_var_lib_t, httpd_var_run_t, git_system_content_t, udev_var_run_t, fail2ban_var_lib_t, public_content_t, anon_inodefs_t, systemd_passwd_var_run_t, httpd_awstats_htaccess_t, httpd_dirsrvadmin_htaccess_t, sysctl_kernel_t, httpd_modules_t, httpd_user_htaccess_t, textrel_shlib_t, chroot_exec_t, httpd_sys_content_t, public_content_rw_t, httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t, rpm_script_tmp_t, mailman_data_t, httpd_apcupsd_cgi_htaccess_t, httpd_suexec_exec_t, system_dbusd_var_lib_t, application_exec_type, httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t, squirrelmail_spool_t, httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t, abrt_retrace_worker_exec_t, gitosis_var_lib_t, dirsrvadmin_config_t, httpd_prewikka_htaccess_t, httpd_squid_htaccess_t, httpd_dspam_htaccess_t, httpd_munin_htaccess_t, passenger_var_lib_t, passenger_var_run_t, cobbler_var_lib_t, ld_so_cache_t, dirsrvadmin_unconfined_script_exec_t, mailman_archive_t, cfengine_var_log_t, sosreport_tmp_t, abrt_var_cache_t, user_cron_spool_t, rpm_tmp_t, bin_t, cert_t, cert_t, httpd_t, lib_t, locale_t, httpd_collectd_htaccess_t, httpd_unconfined_script_exec_t, usr_t, etc_t, etc_t, fonts_t, abrt_retrace_spool_t, proc_t, sysfs_t, httpd_rotatelogs_exec_t, httpd_mojomojo_htaccess_t, httpd_smokeping_cgi_htaccess_t, krb5_keytab_t, passenger_exec_t, nagios_etc_t, nagios_log_t, sssd_public_t, sssd_public_t, httpd_keytab_t, abrt_var_run_t, httpd_config_t, cluster_conf_t, tetex_data_t, httpd_mediawiki_htaccess_t, fonts_cache_t, httpd_exec_t, httpd_lock_t, logfile, httpd_log_t, user_tmp_t, dirsrv_config_t, httpd_tmp_t, sysctl_crypto_t, smokeping_var_lib_t, krb5_conf_t, krb5_conf_t, shell_exec_t, httpd_w3c_validator_htaccess_t, mysqld_etc_t, cvs_data_t, dirsrvadmin_tmp_t, cobbler_etc_t, httpd_helper_exec_t, dbusd_etc_t, dirsrv_share_t, calamaris_www_t, httpd_cache_t, httpd_tmpfs_t, iso9660_t, user_home_t, httpd_squirrelmail_t, httpd_mojomojo_script_exec_t, httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_cvs_script_exec_t, httpd_nutups_cgi_script_exec_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_w3c_validator_content_t, httpd_nagios_ra_content_t, httpd_nagios_rw_content_t, httpd_apcupsd_cgi_content_t, httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t, httpd_cobbler_script_exec_t, httpd_mediawiki_script_exec_t, httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t, httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t, httpd_dspam_ra_content_t, httpd_dspam_rw_content_t, httpd_mediawiki_ra_content_t, httpd_mediawiki_rw_content_t, httpd_dspam_script_exec_t, httpd_munin_script_exec_t, httpd_collectd_content_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t, httpd_w3c_validator_script_exec_t, httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t, httpd_user_script_exec_t, httpd_bugzilla_content_t, httpd_collectd_script_exec_t, httpd_mediawiki_content_t, httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, krb5_host_rcache_t, krb5_host_rcache_t, httpd_apcupsd_cgi_script_exec_t, httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t, httpd_dirsrvadmin_content_t, httpd_dirsrvadmin_ra_content_t, httpd_dirsrvadmin_rw_content_t, httpd_squid_script_exec_t, httpd_dspam_content_t, httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, httpd_cobbler_content_t, httpd_collectd_ra_content_t, httpd_collectd_rw_content_t, httpd_nagios_script_exec_t, httpd_awstats_content_t, root_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t, httpd_bugzilla_script_exec_t, httpd_prewikka_script_exec_t, httpd_mojomojo_content_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t, httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t, httpd_nutups_cgi_content_t, httpd_dirsrvadmin_script_exec_t, httpd_sys_script_exec_t, httpd_git_script_exec_t. 
>Then execute: 
>restorecon -v '/var/www/html/index.html'
>
>
>*****  Plugin catchall (1.44 confidence) suggests  ***************************
>
>If you believe that httpd should be allowed getattr access on the index.html file by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># grep httpd /var/log/audit/audit.log | audit2allow -M mypol
># semodule -i mypol.pp
>
>Additional Information:
>Source Context                system_u:system_r:httpd_t:s0
>Target Context                unconfined_u:object_r:var_t:s0
>Target Objects                /var/www/html/index.html [ file ]
>Source                        httpd
>Source Path                   httpd
>Port                          <Unknown>
>Host                          (removed)
>Source RPM Packages           
>Target RPM Packages           
>Policy RPM                    selinux-policy-3.10.0-86.fc16.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Enforcing
>Host Name                     (removed)
>Platform                      Linux (removed) 3.3.7-1.fc16.i686.PAE #1 SMP
>                              Tue May 22 14:07:22 UTC 2012 i686 i686
>Alert Count                   11
>First Seen                    Fri 08 Jun 2012 07:19:30 AM EDT
>Last Seen                     Fri 08 Jun 2012 07:21:27 AM EDT
>Local ID                      247bb54d-f844-40cf-ba3d-e184557f2b7a
>
>Raw Audit Messages
>type=AVC msg=audit(1339154487.785:338): avc:  denied  { getattr } for  pid=3885 comm="httpd" path="/var/www/html/index.html" dev="dm-2" ino=929216 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
>
>
>Hash: httpd,httpd_t,var_t,file,getattr
>
>audit2allow
>
>#============= httpd_t ==============
>#!!!! This avc is allowed in the current policy
>
>allow httpd_t var_t:file getattr;
>
>audit2allow -R
>
>#============= httpd_t ==============
>#!!!! This avc is allowed in the current policy
>
>allow httpd_t var_t:file getattr;
>

Actions: View

Attachments on bug 830157: 590416