Bug 593867
| Summary: | SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files gui_vhost_error.log. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Clement <spyworldxp> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 12 | CC: | dwalsh, jessie.supe, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:bef2edf90e5c7d85a34e45b90ddfa53340e0677cadad4076633c3288ad680654 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-05-20 13:59:34 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Looks like you have a disk without SELinux labels. Please run restorecon on the disk containing gui_vhost_error.log restorecon -R -v DISKPATH Error fixed. Thanks. |
Summary: SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files gui_vhost_error.log. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux has denied the httpd access to potentially mislabeled files gui_vhost_error.log. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, httpd_var_lib_t, httpd_var_run_t, user_home_t, httpd_t, squirrelmail_spool_t, httpd_lock_t, httpd_log_t, httpd_rw_content, httpd_cache_t, httpd_tmpfs_t, user_cron_spool_t, httpd_tmp_t, logfile, httpd_squirrelmail_t, rpm_tmp_t, user_tmp_t, httpd_squid_content_ra_t, httpd_squid_content_rw_t, httpd_apcupsd_cgi_content_ra_t, httpd_apcupsd_cgi_content_rw_t, httpd_prewikka_content_ra_t, httpd_prewikka_content_rw_t, httpd_awstats_content_ra_t, httpd_awstats_content_rw_t, httpd_w3c_validator_content_ra_t, httpd_w3c_validator_content_rw_t, httpd_user_content_ra_t, httpd_user_content_rw_t, httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, httpdcontent, httpd_munin_content_ra_t, httpd_munin_content_rw_t, root_t, httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t, httpd_nagios_content_ra_t, httpd_nagios_content_rw_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t, httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access. Allowing Access: If you want to change the file context of gui_vhost_error.log so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE 'gui_vhost_error.log'. where FILE_TYPE is one of the following: httpd_var_lib_t, httpd_var_run_t, user_home_t, httpd_t, squirrelmail_spool_t, httpd_lock_t, httpd_log_t, httpd_rw_content, httpd_cache_t, httpd_tmpfs_t, user_cron_spool_t, httpd_tmp_t, logfile, httpd_squirrelmail_t, rpm_tmp_t, user_tmp_t, httpd_squid_content_ra_t, httpd_squid_content_rw_t, httpd_apcupsd_cgi_content_ra_t, httpd_apcupsd_cgi_content_rw_t, httpd_prewikka_content_ra_t, httpd_prewikka_content_rw_t, httpd_awstats_content_ra_t, httpd_awstats_content_rw_t, httpd_w3c_validator_content_ra_t, httpd_w3c_validator_content_rw_t, httpd_user_content_ra_t, httpd_user_content_rw_t, httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, httpdcontent, httpd_munin_content_ra_t, httpd_munin_content_rw_t, root_t, httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t, httpd_nagios_content_ra_t, httpd_nagios_content_rw_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t, httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t. You can look at the httpd_selinux man page for additional information. Additional Information: Source Context unconfined_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:unlabeled_t:s0 Target Objects gui_vhost_error.log [ file ] Source httpd Source Path /usr/sbin/httpd Port <Unknown> Host (removed) Source RPM Packages httpd-2.2.14-1.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-114.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name httpd_bad_labels Host Name (removed) Platform Linux (removed) 2.6.32.11-99.fc12.i686.PAE #1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686 Alert Count 4 First Seen Thu 20 May 2010 04:02:09 AM MYT Last Seen Thu 20 May 2010 04:04:19 AM MYT Local ID b1506901-575f-467a-a8bb-1d3e353d2694 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1274299459.258:41): avc: denied { append } for pid=3806 comm="httpd" name="gui_vhost_error.log" dev=sda1 ino=265749 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file node=(removed) type=AVC msg=audit(1274299459.258:41): avc: denied { open } for pid=3806 comm="httpd" name="gui_vhost_error.log" dev=sda1 ino=265749 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1274299459.258:41): arch=40000003 syscall=5 success=yes exit=8 a0=1db81c0 a1=88441 a2=1b6 a3=400e items=0 ppid=3805 pid=3806 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) Hash String generated from httpd_bad_labels,httpd,httpd_t,unlabeled_t,file,append audit2allow suggests: #============= httpd_t ============== allow httpd_t unlabeled_t:file { open append };