Bug 590105

Summary: SELinux is preventing /usr/sbin/httpd "setattr" access on zend_cache---internal-metadatas---Zend_LocaleL_es_ES_month_gregorian_format_abbreviated.
Product: [Fedora] Fedora
Reporter: Miguel Angel Perez <mangelp>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: dwalsh, mgrepl
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:9e593ccff2f09f9df7fab9b245fd5f6e36bd77bb9c5bd4d48929ab678f9ce580
Doc Type: Bug Fix
Last Closed: 2010-05-10 17:37:14 UTC

Description Miguel Angel Perez 2010-05-07 18:08:38 UTC
Resúmen:

SELinux is preventing /usr/sbin/httpd "setattr" access on
zend_cache---internal-metadatas---Zend_LocaleL_es_ES_month_gregorian_format_abbreviated.

Descripción Detallada:

SELinux denied access requested by httpd. It is not expected that this access is
required by httpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Permitiendo Acceso:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Información Adicional:

Contexto Fuente               unconfined_u:system_r:httpd_t:s0
Contexto Destino              unconfined_u:object_r:user_tmp_t:s0
Objetos Destino               zend_cache---internal-metadatas---Zend_LocaleL_es_
                              ES_month_gregorian_format_abbreviated [ file ]
Fuente                        httpd
Dirección de Fuente          /usr/sbin/httpd
Puerto                        <Desconocido>
Nombre de Equipo              (removed)
Paquetes RPM Fuentes          httpd-2.2.14-1.fc12
Paquetes RPM Destinos         
RPM de Políticas             selinux-policy-3.6.32-113.fc12
SELinux Activado              True
Tipo de Política             targeted
Modo Obediente                Enforcing
Nombre de Plugin              catchall
Nombre de Equipo              (removed)
Plataforma                    Linux (removed) 2.6.32.11-99.fc12.i686.PAE
                              #1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686
Cantidad de Alertas           5
Visto por Primera Vez         vie 07 may 2010 20:06:05 CEST
Visto por Última Vez         vie 07 may 2010 20:06:05 CEST
ID Local                      6197535e-b075-4176-9b2c-a423521381c9
Números de Línea            

Mensajes de Auditoría Crudos 

node=(removed) type=AVC msg=audit(1273255565.253:103): avc:  denied  { setattr } for  pid=3091 comm="httpd" name="zend_cache---internal-metadatas---Zend_LocaleL_es_ES_month_gregorian_format_abbreviated" dev=sda9 ino=312151 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1273255565.253:103): arch=40000003 syscall=15 success=no exit=-13 a0=b55171c0 a1=180 a2=b713ee4c a3=b5518654 items=0 ppid=3079 pid=3091 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)



Hash String generated from  catchall,httpd,httpd_t,user_tmp_t,file,setattr
audit2allow suggests:

#============= httpd_t ==============
allow httpd_t user_tmp_t:file setattr;

Comment 1 Daniel Walsh 2010-05-07 20:32:05 UTC
I think you have files that are mislabeled?  zend_cache*  Where are these located?  If you run restorecon -v zend_cache*  Does the context change?

Comment 2 Miguel Angel Perez 2010-05-07 23:03:51 UTC
(In reply to comment #1)
> I think you have files that are mislabeled?  zend_cache*  Where are these
> located?  If you run restorecon -v zend_cache*  Does the context change?

I'm not able to find such a file in my filesystem or where it could be. But I've googled a bit and it looks like it is something related to the ZendFramework (http://framework.zend.com) library I use in a PHP web site I'm working with.

I think you are right and I have some labeling problem. I have the web site files inside my user account and I have manually set the context httpd_sys_content_t over those files so I can test the site locally with httpd.

Comment 3 Daniel Walsh 2010-05-10 17:37:14 UTC
OK, if it happens again, reopen the bug or run restorecon on the file; that should fix it.
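
Added example, not part of the original bug thread and not code from setroubleshoot or audit2allow: Python that parses the two raw audit records from the description, correlates them by event serial, and decodes what httpd actually attempted on the `user_tmp_t` file. The function names, the one-entry syscall table and the `USER_FILE_TYPES` set are assumptions of this example.

```python
import errno
import re

# Both raw audit records from the report (node= prefix and unused SYSCALL fields dropped).
AVC = ('type=AVC msg=audit(1273255565.253:103): avc:  denied  { setattr } for  pid=3091 '
       'comm="httpd" name="zend_cache---internal-metadatas---Zend_LocaleL_es_ES_month_'
       'gregorian_format_abbreviated" dev=sda9 ino=312151 scontext=unconfined_u:system_r:'
       'httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file')
SYSCALL = ('type=SYSCALL msg=audit(1273255565.253:103): arch=40000003 syscall=15 '
           'success=no exit=-13 a0=b55171c0 a1=180 a2=b713ee4c a3=b5518654 pid=3091 '
           'uid=48 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0')

I386_SYSCALLS = {15: 'chmod'}  # arch=40000003 is i386; only the call seen here
# Assumption of this example: types that label a user's own files, so a denial on
# them from a daemon domain suggests a labeling problem rather than missing policy.
USER_FILE_TYPES = {'user_tmp_t', 'user_home_t'}

def parse_record(line):
    """Split one audit record into a dict; AVC records also get a 'perms' list."""
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    rec['serial'] = re.search(r'audit\([\d.]+:(\d+)\)', line).group(1)
    denied = re.search(r'denied\s+\{([^}]*)\}', line)
    if denied:
        rec['perms'] = denied.group(1).split()
    return rec

def se_type(context):
    return context.split(':')[2]  # user:role:type:level

def allow_rule(avc):
    """Rebuild the rule audit2allow prints for this denial."""
    perms = avc['perms']
    perm = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (se_type(avc['scontext']), se_type(avc['tcontext']),
                                   avc['tclass'], perm)

def explain(avc_line, syscall_line):
    """Correlate the AVC with its SYSCALL record and report what was attempted."""
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if avc['serial'] != sc['serial']:
        raise ValueError('records belong to different audit events')
    call = I386_SYSCALLS.get(int(sc['syscall'])) if sc['arch'] == '40000003' else None
    return {
        'call': call,
        'mode': oct(int(sc['a1'], 16)) if call == 'chmod' else None,  # a0..a3 are hex
        'error': errno.errorcode[-int(sc['exit'])],
        'rule': allow_rule(avc),
        'check_label_first': se_type(avc['tcontext']) in USER_FILE_TYPES,
    }
```

`explain(AVC, SYSCALL)` reports a `chmod` to mode `0o600` that failed with `EACCES`, and sets `check_label_first` because the target type is `user_tmp_t`, which matches the mislabeling diagnosis in comment 1 rather than the `allow` rule audit2allow suggests.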