| Summary: | SELinux is preventing /usr/sbin/httpd from 'search' accesses on the directory /var/lib/chrony. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | John Griffiths <fedora.jrg01> |
| Component: | httpd | Assignee: | Jan Kaluža <jkaluza> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 19 | CC: | dominick.grift, dwalsh, jkaluza, jorton, lvrabec, mgrepl, pahan |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:76737ffc91dd2d7a74d6a3f7531b14f97c230a78dc609528e3676b6281dffa3a | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-08-21 08:48:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Why is apache executing chrony? I do not know. I only changed the httpd.conf file to add my virtual domain information.

Well, as bug 768472 shows, we have had this problem before. Seems some library or some config triggers apache to start searching all of this system.

I'm still clueless about what might trigger this. John, can you describe what web applications, languages, and any special configurations are used on this machine?

*** Bug 1004349 has been marked as a duplicate of this bug. ***

I have a pretty full boat system. Apache is configured with Xbit hack and has several virtual domains. Run Glassfish and a third-party Java-based license server. Use PHP and CubeCart, which is a PHP-based shopping cart that is installed without using a package, directly into the html code directory of the virtual domain that uses it. Also use phpBB forum software, which is also installed directly. I use Bugzilla and WebSVN.

The packages that are net and web related as far as I know are (some of the PHP packages may not be applicable and I may have missed some):

```
ant-apache-bcel-1.8.4-6.fc19.noarch
ant-apache-log4j-1.8.4-6.fc19.noarch
ant-apache-oro-1.8.4-6.fc19.noarch
ant-apache-regexp-1.8.4-6.fc19.noarch
ant-apache-resolver-1.8.4-6.fc19.noarch
apache-commons-beanutils-1.8.3-9.fc19.noarch
apache-commons-beanutils-javadoc-1.8.3-9.fc19.noarch
apache-commons-cli-1.2-9.fc19.noarch
apache-commons-codec-1.8-1.fc19.noarch
apache-commons-codec-javadoc-1.8-1.fc19.noarch
apache-commons-collections-3.2.1-16.fc19.noarch
apache-commons-collections-javadoc-3.2.1-16.fc19.noarch
apache-commons-compress-1.5-1.fc19.noarch
apache-commons-compress-javadoc-1.5-1.fc19.noarch
apache-commons-configuration-1.9-4.fc19.noarch
apache-commons-configuration-javadoc-1.9-4.fc19.noarch
apache-commons-daemon-1.0.13-1.fc19.x86_64
apache-commons-daemon-javadoc-1.0.13-1.fc19.noarch
apache-commons-dbcp-1.4-12.fc19.noarch
apache-commons-digester-1.8.1-14.fc19.noarch
apache-commons-digester-javadoc-1.8.1-14.fc19.noarch
apache-commons-discovery-0.5-7.fc19.noarch
apache-commons-discovery-javadoc-0.5-7.fc19.noarch
apache-commons-el-1.0-26.fc19.noarch
apache-commons-el-javadoc-1.0-26.fc19.noarch
apache-commons-exec-1.1-8.fc19.noarch
apache-commons-exec-javadoc-1.1-8.fc19.noarch
apache-commons-fileupload-1.2.2-11.fc19.noarch
apache-commons-fileupload-javadoc-1.2.2-11.fc19.noarch
apache-commons-io-2.4-9.fc19.noarch
apache-commons-io-javadoc-2.4-9.fc19.noarch
apache-commons-jexl-2.1.1-5.fc19.noarch
apache-commons-jxpath-1.3-15.fc19.noarch
apache-commons-lang-2.6-12.fc19.noarch
apache-commons-lang3-3.1-5.fc19.noarch
apache-commons-lang-javadoc-2.6-12.fc19.noarch
apache-commons-launcher-1.1-12.20100521svn936225.fc19.noarch
apache-commons-launcher-javadoc-1.1-12.20100521svn936225.fc19.noarch
apache-commons-logging-1.1.2-2.fc19.noarch
apache-commons-logging-javadoc-1.1.2-2.fc19.noarch
apache-commons-math-3.2-1.fc19.noarch
apache-commons-math-javadoc-3.2-1.fc19.noarch
apache-commons-modeler-2.0.1-11.fc19.noarch
apache-commons-net-3.2-4.fc19.noarch
apache-commons-net-javadoc-3.2-4.fc19.noarch
apache-commons-parent-26-5.fc19.noarch
apache-commons-pool-1.6-5.fc19.noarch
apache-commons-validator-1.4.0-4.fc19.noarch
apache-commons-vfs-2.0-10.fc19.noarch
apache-mime4j-0.7.2-7.fc19.noarch
apache-parent-10-10.fc19.noarch
apache-rat-0.8-10.fc19.noarch
apache-rat-core-0.8-10.fc19.noarch
apache-rat-plugin-0.8-10.fc19.noarch
apache-resource-bundles-2-9.fc19.noarch
async-http-client-1.7.14-1.fc19.noarch
bugzilla-4.2.6-2.fc19.noarch
bugzilla-doc-4.2.6-2.fc19.noarch
bugzilla-contrib-4.2.6-2.fc19.noarch
gallery2-2.3.2-7.fc19.noarch
gallery2-ajaxian-2.3.2-7.fc19.noarch
gallery2-albumselect-2.3.2-7.fc19.noarch
gallery2-archiveupload-2.3.2-7.fc19.noarch
gallery2-captcha-2.3.2-7.fc19.noarch
gallery2-carbon-2.3.2-7.fc19.noarch
gallery2-cart-2.3.2-7.fc19.noarch
gallery2-classic-2.3.2-7.fc19.noarch
gallery2-colorpack-2.3.2-7.fc19.noarch
gallery2-comment-2.3.2-7.fc19.noarch
gallery2-customfield-2.3.2-7.fc19.noarch
gallery2-dcraw-2.3.2-7.fc19.noarch
gallery2-debug-2.3.2-7.fc19.noarch
gallery2-digibug-2.3.2-7.fc19.noarch
gallery2-dynamicalbum-2.3.2-7.fc19.noarch
gallery2-ecard-2.3.2-7.fc19.noarch
gallery2-exif-2.3.2-7.fc19.noarch
gallery2-ffmpeg-2.3.2-7.fc19.noarch
gallery2-flashvideo-2.3.2-7.fc19.noarch
gallery2-floatrix-2.3.2-7.fc19.noarch
gallery2-fotokasten-2.3.2-7.fc19.noarch
gallery2-gd-2.3.2-7.fc19.noarch
gallery2-getid3-2.3.2-7.fc19.noarch
gallery2-hidden-2.3.2-7.fc19.noarch
gallery2-httpauth-2.3.2-7.fc19.noarch
gallery2-hybrid-2.3.2-7.fc19.noarch
gallery2-icons-2.3.2-7.fc19.noarch
gallery2-imageblock-2.3.2-7.fc19.noarch
gallery2-imageframe-2.3.2-7.fc19.noarch
gallery2-imagemagick-2.3.2-7.fc19.noarch
gallery2-itemadd-2.3.2-7.fc19.noarch
gallery2-jpegtran-2.3.2-7.fc19.noarch
gallery2-keyalbum-2.3.2-7.fc19.noarch
gallery2-linkitem-2.3.2-7.fc19.noarch
gallery2-matrix-2.3.2-7.fc19.noarch
gallery2-members-2.3.2-7.fc19.noarch
gallery2-migrate-2.3.2-7.fc19.noarch
gallery2-mime-2.3.2-7.fc19.noarch
gallery2-mp3audio-2.3.2-7.fc19.noarch
gallery2-multilang-2.3.2-7.fc19.noarch
gallery2-multiroot-2.3.2-7.fc19.noarch
gallery2-netpbm-2.3.2-7.fc19.noarch
gallery2-newitems-2.3.2-7.fc19.noarch
gallery2-nokiaupload-2.3.2-7.fc19.noarch
gallery2-notification-2.3.2-7.fc19.noarch
gallery2-password-2.3.2-7.fc19.noarch
gallery2-permalinks-2.3.2-7.fc19.noarch
gallery2-photoaccess-2.3.2-7.fc19.noarch
gallery2-picasa-2.3.2-7.fc19.noarch
gallery2-publishxp-2.3.2-7.fc19.noarch
gallery2-quotas-2.3.2-7.fc19.noarch
gallery2-randomhighlight-2.3.2-7.fc19.noarch
gallery2-rating-2.3.2-7.fc19.noarch
gallery2-rearrange-2.3.2-7.fc19.noarch
gallery2-register-2.3.2-7.fc19.noarch
gallery2-replica-2.3.2-7.fc19.noarch
gallery2-reupload-2.3.2-7.fc19.noarch
gallery2-rewrite-2.3.2-7.fc19.noarch
gallery2-rss-2.3.2-7.fc19.noarch
gallery2-search-2.3.2-7.fc19.noarch
gallery2-shutterfly-2.3.2-7.fc19.noarch
gallery2-siriux-2.3.2-7.fc19.noarch
gallery2-sitemap-2.3.2-7.fc19.noarch
gallery2-sizelimit-2.3.2-7.fc19.noarch
gallery2-slider-2.3.2-7.fc19.noarch
gallery2-slideshow-2.3.2-7.fc19.noarch
gallery2-snapgalaxy-2.3.2-7.fc19.noarch
gallery2-squarethumb-2.3.2-7.fc19.noarch
gallery2-thumbnail-2.3.2-7.fc19.noarch
gallery2-thumbpage-2.3.2-7.fc19.noarch
gallery2-tile-2.3.2-7.fc19.noarch
gallery2-useralbum-2.3.2-7.fc19.noarch
gallery2-watermark-2.3.2-7.fc19.noarch
gallery2-webcam-2.3.2-7.fc19.noarch
gallery2-webdav-2.3.2-7.fc19.noarch
gallery2-zipcart-2.3.2-7.fc19.noarch
glassfish-dtd-parser-1.2-0.6.20120120svn.fc19.noarch
graphviz-php-2.30.1-10.fc19.x86_64
httpcomponents-client-4.2.5-1.fc19.noarch
httpcomponents-core-4.2.4-3.fc19.noarch
httpcomponents-project-6-2.fc19.noarch
httpd-2.4.6-2.fc19.x86_64
httpd-devel-2.4.6-2.fc19.x86_64
httpd-manual-2.4.6-2.fc19.noarch
httpd-tools-2.4.6-2.fc19.x86_64
httpunit-1.7-11.fc19.noarch
iris-1.0.0-0.14.20110904svn812.fc19.x86_64
jakarta-commons-httpclient-3.1-13.fc19.noarch
jetty-http-9.0.3-3.fc19.noarch
jetty-server-9.0.3-3.fc19.noarch
jetty-webapp-9.0.3-3.fc19.noarch
jetty-websocket-api-9.0.3-3.fc19.noarch
jetty-websocket-common-9.0.3-3.fc19.noarch
jetty-websocket-server-9.0.3-3.fc19.noarch
jetty-websocket-servlet-9.0.3-3.fc19.noarch
kdewebdev-3.5.10-20.fc19.x86_64
kdewebdev-libs-3.5.10-20.fc19.x86_64
kwebkitpart-1.3.2-2.fc19.x86_64
libmicrohttpd-0.9.27-1.fc19.x86_64
libreport-plugin-bugzilla-2.1.6-2.fc19.x86_64
libreport-web-2.1.6-2.fc19.x86_64
libsocialweb-0.25.21-3.fc19.x86_64
libsocialweb-keys-0.25.21-3.fc19.noarch
libvncserver-0.9.9-7.fc19.x86_64
libwebp-0.3.1-1.fc19.x86_64
mod_perl-2.0.7-12.20130221svn1448242.fc19.x86_64
mod_perl-devel-2.0.7-12.20130221svn1448242.fc19.x86_64
mono-web-2.10.8-4.fc19.x86_64
obex-data-server-0.4.6-5.fc19.x86_64
objectweb-asm-3.3.1-7.fc19.noarch
objectweb-asm4-4.1-3.fc19.noarch
openssh-server-6.2p2-5.fc19.x86_64
perl-HTTP-Body-1.07-10.fc19.noarch
perl-HTTP-Cookies-6.01-5.fc19.noarch
perl-HTTP-Daemon-6.01-5.fc19.noarch
perl-HTTP-Date-6.02-5.fc19.noarch
perl-HTTP-Message-6.06-3.fc19.noarch
perl-HTTP-Negotiate-6.01-5.fc19.noarch
perl-HTTP-Server-Simple-0.44-6.fc19.noarch
perl-HTTP-Server-Simple-PSGI-0.14-7.fc19.noarch
perl-HTTP-Tiny-0.017-265.fc19.noarch
perl-Net-HTTP-6.06-1.fc19.noarch
perl-Net-Server-2.007-1.fc19.noarch
php-5.5.3-1.fc19.x86_64
php-cli-5.5.3-1.fc19.x86_64
php-common-5.5.3-1.fc19.x86_64
php-devel-5.5.3-1.fc19.x86_64
php-gd-5.5.3-1.fc19.x86_64
php-geshi-1.0.8.11-3.fc19.noarch
php-ldap-5.5.3-1.fc19.x86_64
php-mbstring-5.5.3-1.fc19.x86_64
php-mcrypt-5.5.3-1.fc19.x86_64
php-mysqlnd-5.5.3-1.fc19.x86_64
php-odbc-5.5.3-1.fc19.x86_64
php-pdo-5.5.3-1.fc19.x86_64
php-pear-1.9.4-20.fc19.noarch
php-pear-Mail-Mime-1.8.8-1.fc19.noarch
php-pear-Text-Diff-1.1.1-7.fc19.noarch
php-pecl-jsonc-1.3.1-1.fc19.x86_64
php-pecl-jsonc-devel-1.3.1-1.fc19.x86_64
php-pgsql-5.5.3-1.fc19.x86_64
php-process-5.5.3-1.fc19.x86_64
php-Smarty2-2.6.27-1.fc19.noarch
php-Smarty-3.1.14-1.fc19.noarch
php-xml-5.5.3-1.fc19.x86_64
python-bugzilla-0.9.0-1.fc19.noarch
python-httplib2-0.7.7-2.fc19.noarch
python-twisted-web-12.2.0-2.fc19.x86_64
pywebkitgtk-1.1.8-5.fc19.x86_64
qjdns-1.0.0-0.14.20110904svn812.fc19.x86_64
qtwebkit-2.3.2-1.fc19.x86_64
qtwebkit-devel-2.3.2-1.fc19.x86_64
system-config-httpd-1.5.5-5.fc19.noarch
tigervnc-server-1.3.0-3.fc19.x86_64
tigervnc-server-minimal-1.3.0-3.fc19.x86_64
vpnc-0.5.3-17.svn457.fc19.x86_64
vpnc-script-0.5.3-17.svn457.fc19.noarch
webalizer-2.23_05-7.fc19.x86_64
webkitgtk-2.0.4-1.fc19.x86_64
webkitgtk3-2.0.4-1.fc19.x86_64
webrtc-audio-processing-0.1-4.fc19.x86_64
websvn-2.3.3-5.fc19.noarch
xmlrpc-c-1.32.5-1901.svn2451.fc19.x86_64
xmlrpc-c-client-1.32.5-1901.svn2451.fc19.x86_64
```

Some of your applications running under httpd are trying to search /var/lib/chrony. Httpd itself has no reason and no code to do that. The only recommendation I can give you is to try to find out when that happens and to be able to reproduce it. Once you are able to reproduce it, you could stop some of the applications (unload possible 3rd-party modules or disable some virtual hosts) you have there for a short time, reproduce it again and see if it changed anything. In a complex case like this I don't see any other way to find out what's causing this problem.

You could also add a dontaudit rule to ignore it, since it is not dangerous:

```
# grep chrony /var/log/audit/audit.log | audit2allow -D -M myhttp
# semodule -i myhttp.pp
```

Miroslav, we see these often enough; maybe we want to add a boolean that says httpd_dontaudit_search_dirs and then allow users to files_dontaudit_search_non_security_dirs(httpd_t).

This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.

It has not been proved to be a bug in httpd and we are not able to reproduce it. I'm closing this bug as NOTABUG. If you find a simple way to reproduce this bug with a clean httpd installation, feel free to reopen.
Description of problem:
SELinux is preventing /usr/sbin/httpd from 'search' accesses on the directory /var/lib/chrony.

Do not know if this should be allowed or not.

```
***** Plugin catchall (100. confidence) suggests ***************************

If you believe that httpd should be allowed search access on the chrony directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep /usr/sbin/httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:chronyd_var_lib_t:s0
Target Objects                /var/lib/chrony [ dir ]
Source                        /usr/sbin/httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.4.6-2.fc19.x86_64
Target RPM Packages           chrony-1.29-1.fc19.x86_64
Policy RPM                    selinux-policy-3.12.1-73.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.9-200.fc19.x86_64 #1 SMP Wed Aug 21
                              19:27:58 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-09-01 03:19:05 EDT
Last Seen                     2013-09-01 03:19:05 EDT
Local ID                      c64d99e1-eae1-4794-b000-0c282ea999cc

Raw Audit Messages
type=AVC msg=audit(1378019945.558:9797): avc: denied { search } for pid=8317 comm="/usr/sbin/httpd" name="chrony" dev="dm-1" ino=6555924 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:chronyd_var_lib_t:s0 tclass=dir

type=SYSCALL msg=audit(1378019945.558:9797): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f621bcb6680 a1=7fff913c40b0 a2=7fff913c40b0 a3=fffffe00 items=0 ppid=1407 pid=8317 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=/usr/sbin/httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: /usr/sbin/httpd,httpd_t,chronyd_var_lib_t,dir,search
```

Additional info:
reporter: libreport-2.1.6
hashmarkername: setroubleshoot
kernel: 3.10.10-200.fc19.x86_64
type: libreport

Potential duplicate: bug 768472
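The denial quoted in this report, and the `audit2allow -M` / `audit2allow -D` step the comments describe, worked through as an added example (my own code, not part of Fedora's audit2allow or setroubleshoot): it parses the AVC record out of audit.log text, joins it to the SYSCALL record that shares the same `audit(<timestamp>:<serial>)` event id so the uid, syscall and errno become visible, and then collapses the denials into the `allow` or `dontaudit` TE statements and the `require` block a loadable module needs. The first two audit lines are copied from the report; the third (event `1378019999.000:9800`, path `/var/lib/chrony/sample-file`) is constructed to show that rules are grouped per object class and that a missing SYSCALL partner is tolerated. Ordering inside the require block and rule list is my choice and may differ cosmetically from real audit2allow output.

```python
"""Parse SELinux AVC denials, join them to their SYSCALL records, and render
the TE rules audit2allow (or audit2allow -D) would build. Added example."""
import re
from collections import defaultdict

# Lines 1-2: the raw audit messages quoted in this bug report (event 1378019945.558:9797).
# Line 3: CONSTRUCTED for this example (event 9800, no SYSCALL partner, class "file").
AUDIT_LOG = """\
type=AVC msg=audit(1378019945.558:9797): avc: denied { search } for pid=8317 comm="/usr/sbin/httpd" name="chrony" dev="dm-1" ino=6555924 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:chronyd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1378019945.558:9797): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f621bcb6680 a1=7fff913c40b0 a2=7fff913c40b0 a3=fffffe00 items=0 ppid=1407 pid=8317 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=/usr/sbin/httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1378019999.000:9800): avc: denied { getattr } for pid=8317 comm="httpd" path="/var/lib/chrony/sample-file" dev="dm-1" ino=6555930 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:chronyd_var_lib_t:s0 tclass=file
"""

MSG_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\):\s*(?P<body>.*)$')
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(text):
    """Split 'k=v k="quoted v"' audit fields into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def type_of(context):
    """user:role:type[:range] -> type, e.g. system_u:system_r:httpd_t:s0 -> httpd_t."""
    return context.split(':')[2]


def parse_audit(log_text):
    """One dict per AVC record. SYSCALL fields (syscall, exit, uid, exe) are
    joined in by the shared event id and stay None when no partner exists."""
    avcs, syscalls = [], {}
    for line in log_text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        if m['type'] == 'AVC':
            a = AVC_RE.match(m['body'])
            if not a:
                continue
            f = parse_kv(a['rest'])
            avcs.append({
                'event': m['event'], 'result': a['result'],
                'perms': sorted(a['perms'].split()), 'tclass': f.get('tclass'),
                'stype': type_of(f['scontext']), 'ttype': type_of(f['tcontext']),
                'pid': f.get('pid'), 'comm': f.get('comm'),
                'object': f.get('path') or f.get('name'),
                'syscall': None, 'exit': None, 'uid': None, 'exe': None,
            })
        elif m['type'] == 'SYSCALL':
            syscalls[m['event']] = parse_kv(m['body'])
    for a in avcs:
        partner = syscalls.get(a['event'], {})
        for key in ('syscall', 'exit', 'uid', 'exe'):
            a[key] = partner.get(key)
    return avcs


def fmt_perms(perms):
    """audit2allow style: a lone permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def te_rules(avcs, dontaudit=False):
    """Collapse denials into one TE statement per (source, target, class),
    the way audit2allow (with -D for dontaudit) summarises a log."""
    grouped = defaultdict(set)
    for a in avcs:
        if a['result'] == 'denied':
            grouped[(a['stype'], a['ttype'], a['tclass'])].update(a['perms'])
    verb = 'dontaudit' if dontaudit else 'allow'
    return [f"{verb} {s} {t}:{c} {fmt_perms(p)};" for (s, t, c), p in sorted(grouped.items())]


def te_module(name, avcs, dontaudit=False, version='1.0'):
    """Render a complete .te source (header, require block, rules), the shape
    audit2allow -M writes before compiling it into a .pp package."""
    types, classes = set(), defaultdict(set)
    for a in avcs:
        if a['result'] == 'denied':
            types.update((a['stype'], a['ttype']))
            classes[a['tclass']].update(a['perms'])
    require = [f"\ttype {t};" for t in sorted(types)]
    require += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    return '\n'.join([f"module {name} {version};", '', 'require {', *require, '}', '',
                      *te_rules(avcs, dontaudit), ''])


if __name__ == '__main__':
    for a in parse_audit(AUDIT_LOG):
        print(f"{a['event']}: {a['stype']} -> {a['ttype']}:{a['tclass']} {a['perms']} "
              f"pid={a['pid']} uid={a['uid']} syscall={a['syscall']} exit={a['exit']} object={a['object']}")
    print(te_module('myhttp', parse_audit(AUDIT_LOG), dontaudit=True))
```

The join on the event serial is what answers the question the thread keeps circling: for the reported denial it yields `uid=48` (the apache user), `syscall=stat` and `exit=EACCES`, i.e. a path lookup by a worker process rather than anything in httpd's own code, which is why the next diagnostic step is to disable modules and virtual hosts one at a time as suggested above. Generating the `dontaudit` module only silences the log entry; it does not grant the access, so it is the appropriate choice once the source application has been identified as benign.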