| Summary: | SELinux is preventing /usr/local/apache2/bin/httpd from 'open' accesses on the file /usr/local/apache2/htdocs/index.html. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | OoZooL <obliterator666> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 23 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl, plautrba |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:263b8a407891aba453fb01787e4d1d3cc3ce4336362eb0678fbb600cf118d8cd;VARIANT_ID=workstation; | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-03-29 21:49:00 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /usr/local/apache2/htdocs/index.html default label should be usr_t. Then you can run restorecon. Do # /sbin/restorecon -v /usr/local/apache2/htdocs/index.html |
Description of problem: I believe it happedned because I have tried to change the context of an SELinux protected area under the home directory of root when testing something with docker... SELinux is preventing /usr/local/apache2/bin/httpd from 'open' accesses on the file /usr/local/apache2/htdocs/index.html. ***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /usr/local/apache2/htdocs/index.html default label should be usr_t. Then you can run restorecon. Do # /sbin/restorecon -v /usr/local/apache2/htdocs/index.html ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that httpd should be allowed open access on the index.html file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep httpd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:svirt_lxc_net_t:s0:c328,c778 Target Context unconfined_u:object_r:admin_home_t:s0 Target Objects /usr/local/apache2/htdocs/index.html [ file ] Source httpd Source Path /usr/local/apache2/bin/httpd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-158.11.fc23.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.4.6-300.fc23.x86_64 #1 SMP Wed Mar 16 22:10:37 UTC 2016 x86_64 x86_64 Alert Count 1 First Seen 2016-03-27 18:52:24 IDT Last Seen 2016-03-27 18:52:24 IDT Local ID a5789d32-bc6b-4a82-922c-ccc840134391 Raw Audit Messages type=AVC msg=audit(1459093944.307:11692): avc: denied { open } for pid=8319 comm="httpd" path="/usr/local/apache2/htdocs/index.html" dev="dm-1" ino=660767 scontext=system_u:system_r:svirt_lxc_net_t:s0:c328,c778 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1 type=SYSCALL msg=audit(1459093944.307:11692): arch=x86_64 syscall=open success=yes exit=ECHILD a0=7f210382f478 a1=80000 a2=0 a3=7f20fe2d7960 items=0 ppid=8236 pid=8319 auid=4294967295 uid=1 gid=1 euid=1 suid=1 fsuid=1 egid=1 sgid=1 fsgid=1 tty=(none) ses=4294967295 comm=httpd exe=/usr/local/apache2/bin/httpd subj=system_u:system_r:svirt_lxc_net_t:s0:c328,c778 key=(null) Hash: httpd,svirt_lxc_net_t,admin_home_t,file,open Version-Release number of selected component: selinux-policy-3.13.1-158.11.fc23.noarch Additional info: reporter: libreport-2.6.4 hashmarkername: setroubleshoot kernel: 4.4.6-300.fc23.x86_64 type: libreport