Bug 654829

Summary: SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files /srv/joomla/index.php.
Product: [Fedora] Fedora Reporter: Yuriy V Skv <skvlnx>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 14CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:a7e4181bc3627395096891d9a023b67ab5eff642b70f13e2f8580f33fbf58dc6
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-11-18 20:31:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yuriy V Skv 2010-11-18 20:26:28 UTC 
Summary:

SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files
/srv/joomla/index.php.

Detailed Description:

SELinux has denied the httpd access to potentially mislabeled files
/srv/joomla/index.php. This means that SELinux will not allow httpd to use these
files. If httpd should be allowed this access to these files you should change
the file context to one of the following types, dirsrv_var_log_t, net_conf_t,
logfile, rpm_tmp_t, public_content_t, anon_inodefs_t, sysctl_kernel_t,
httpd_modules_t, etc_runtime_t, dirsrv_var_run_t, httpd_var_lib_t,
httpd_var_run_t, ld_so_cache_t, user_tmp_t, httpd_suexec_exec_t,
httpd_awstats_htaccess_t, httpd_dirsrvadmin_htaccess_t, application_exec_type,
httpd_user_htaccess_t, httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t,
chroot_exec_t, gitosis_var_lib_t, dirsrvadmin_config_t, httpd_sys_content_t,
httpd_squid_htaccess_t, public_content_rw_t, httpd_munin_htaccess_t,
httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t, mailman_archive_t,
mailman_data_t, httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t,
httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t,
squirrelmail_spool_t, bin_t, cert_t, httpd_t, lib_t, httpd_prewikka_htaccess_t,
user_home_t, passenger_var_lib_t, passenger_var_run_t, cobbler_var_lib_t, tmp_t,
usr_t, httpd_rotatelogs_exec_t, httpd_smokeping_cgi_htaccess_t, nagios_etc_t,
nagios_log_t, abrt_var_run_t, sssd_public_t, ping_exec_t, httpd_keytab_t,
locale_t, httpd_unconfined_script_exec_t, cluster_conf_t, etc_t, fonts_t,
proc_t, sysfs_t, fonts_cache_t, httpd_mojomojo_htaccess_t, httpd_exec_t,
httpd_lock_t, httpd_log_t, krb5_keytab_t, passenger_exec_t, dirsrv_config_t,
sysctl_crypto_t, ssh_exec_t, krb5_conf_t, httpd_config_t, user_tmp_t,
httpd_mediawiki_htaccess_t, abrt_t, lib_t, udev_tbl_t, httpd_tmp_t,
calamaris_www_t, fail2ban_var_lib_t, httpd_cache_t, httpd_tmpfs_t,
smokeping_var_lib_t, shell_exec_t, iso9660_t, httpd_w3c_validator_htaccess_t,
abrt_helper_exec_t, mysqld_etc_t, cvs_data_t, var_lib_t, cobbler_etc_t,
sendmail_exec_t, httpd_helper_exec_t, dbusd_etc_t, dirsrv_share_t, ld_so_t,
httpd_dirsrvadmin_script_exec_t, user_cron_spool_t, httpd_squirrelmail_t,
textrel_shlib_t, httpd_php_exec_t, httpd_nagios_htaccess_t, rpm_script_tmp_t,
httpd_mediawiki_tmp_t, httpd_zarafa_htaccess_t, samba_var_t,
httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t,
httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t,
httpd_sys_rw_content_t, httpd_zarafa_content_t, httpd_w3c_validator_content_t,
httpd_nagios_ra_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t,
httpd_cobbler_script_exec_t, httpd_zarafa_ra_content_t,
httpd_zarafa_rw_content_t, httpd_mediawiki_script_exec_t,
httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t,
httpd_apcupsd_cgi_content_t, httpd_mediawiki_ra_content_t,
httpd_mediawiki_rw_content_t, httpd_squid_ra_content_t,
httpd_squid_rw_content_t, httpd_apcupsd_cgi_ra_content_t,
httpd_apcupsd_cgi_rw_content_t, httpd_prewikka_content_t,
httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t,
httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t,
httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t,
httpd_dirsrvadmin_ra_content_t, httpd_dirsrvadmin_rw_content_t,
httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t,
httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t,
httpd_user_script_exec_t, httpd_bugzilla_content_t, httpd_mediawiki_content_t,
krb5_host_rcache_t, httpd_cobbler_content_t, httpd_apcupsd_cgi_script_exec_t,
httpd_dirsrvadmin_content_t, httpd_nagios_script_exec_t,
httpd_squid_script_exec_t, httpd_w3c_validator_ra_content_t,
httpd_w3c_validator_rw_content_t, httpd_awstats_ra_content_t,
httpd_awstats_rw_content_t, httpd_bugzilla_script_exec_t,
httpd_awstats_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t,
httpd_nutups_cgi_content_t, httpd_cobbler_ra_content_t,
httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t,
httpd_mojomojo_content_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t,
httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t,
httpd_sys_script_exec_t, httpd_git_script_exec_t, httpd_cvs_script_exec_t,
httpd_zarafa_script_exec_t, httpd_dirsrvadmin_script_exec_t,
httpd_mojomojo_script_exec_t, httpd_bugzilla_ra_content_t,
httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, root_t. Many third
party apps install html files in directories that SELinux policy cannot predict.
These directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of /srv/joomla/index.php so that the
httpd daemon can access it, you need to execute it using semanage fcontext -a -t
FILE_TYPE '/srv/joomla/index.php'.
where FILE_TYPE is one of the following: dirsrv_var_log_t, net_conf_t, logfile,
rpm_tmp_t, public_content_t, anon_inodefs_t, sysctl_kernel_t, httpd_modules_t,
etc_runtime_t, dirsrv_var_run_t, httpd_var_lib_t, httpd_var_run_t,
ld_so_cache_t, user_tmp_t, httpd_suexec_exec_t, httpd_awstats_htaccess_t,
httpd_dirsrvadmin_htaccess_t, application_exec_type, httpd_user_htaccess_t,
httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t, chroot_exec_t,
gitosis_var_lib_t, dirsrvadmin_config_t, httpd_sys_content_t,
httpd_squid_htaccess_t, public_content_rw_t, httpd_munin_htaccess_t,
httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t, mailman_archive_t,
mailman_data_t, httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t,
httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t,
squirrelmail_spool_t, bin_t, cert_t, httpd_t, lib_t, httpd_prewikka_htaccess_t,
user_home_t, passenger_var_lib_t, passenger_var_run_t, cobbler_var_lib_t, tmp_t,
usr_t, httpd_rotatelogs_exec_t, httpd_smokeping_cgi_htaccess_t, nagios_etc_t,
nagios_log_t, abrt_var_run_t, sssd_public_t, ping_exec_t, httpd_keytab_t,
locale_t, httpd_unconfined_script_exec_t, cluster_conf_t, etc_t, fonts_t,
proc_t, sysfs_t, fonts_cache_t, httpd_mojomojo_htaccess_t, httpd_exec_t,
httpd_lock_t, httpd_log_t, krb5_keytab_t, passenger_exec_t, dirsrv_config_t,
sysctl_crypto_t, ssh_exec_t, krb5_conf_t, httpd_config_t, user_tmp_t,
httpd_mediawiki_htaccess_t, abrt_t, lib_t, udev_tbl_t, httpd_tmp_t,
calamaris_www_t, fail2ban_var_lib_t, httpd_cache_t, httpd_tmpfs_t,
smokeping_var_lib_t, shell_exec_t, iso9660_t, httpd_w3c_validator_htaccess_t,
abrt_helper_exec_t, mysqld_etc_t, cvs_data_t, var_lib_t, cobbler_etc_t,
sendmail_exec_t, httpd_helper_exec_t, dbusd_etc_t, dirsrv_share_t, ld_so_t,
httpd_dirsrvadmin_script_exec_t, user_cron_spool_t, httpd_squirrelmail_t,
textrel_shlib_t, httpd_php_exec_t, httpd_nagios_htaccess_t, rpm_script_tmp_t,
httpd_mediawiki_tmp_t, httpd_zarafa_htaccess_t, samba_var_t,
httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t,
httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t,
httpd_sys_rw_content_t, httpd_zarafa_content_t, httpd_w3c_validator_content_t,
httpd_nagios_ra_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t,
httpd_cobbler_script_exec_t, httpd_zarafa_ra_content_t,
httpd_zarafa_rw_content_t, httpd_mediawiki_script_exec_t,
httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t,
httpd_apcupsd_cgi_content_t, httpd_mediawiki_ra_content_t,
httpd_mediawiki_rw_content_t, httpd_squid_ra_content_t,
httpd_squid_rw_content_t, httpd_apcupsd_cgi_ra_content_t,
httpd_apcupsd_cgi_rw_content_t, httpd_prewikka_content_t,
httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t,
httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t,
httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t,
httpd_dirsrvadmin_ra_content_t, httpd_dirsrvadmin_rw_content_t,
httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t,
httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t,
httpd_user_script_exec_t, httpd_bugzilla_content_t, httpd_mediawiki_content_t,
krb5_host_rcache_t, httpd_cobbler_content_t, httpd_apcupsd_cgi_script_exec_t,
httpd_dirsrvadmin_content_t, httpd_nagios_script_exec_t,
httpd_squid_script_exec_t, httpd_w3c_validator_ra_content_t,
httpd_w3c_validator_rw_content_t, httpd_awstats_ra_content_t,
httpd_awstats_rw_content_t, httpd_bugzilla_script_exec_t,
httpd_awstats_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t,
httpd_nutups_cgi_content_t, httpd_cobbler_ra_content_t,
httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t,
httpd_mojomojo_content_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t,
httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t,
httpd_sys_script_exec_t, httpd_git_script_exec_t, httpd_cvs_script_exec_t,
httpd_zarafa_script_exec_t, httpd_dirsrvadmin_script_exec_t,
httpd_mojomojo_script_exec_t, httpd_bugzilla_ra_content_t,
httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, root_t. You can
look at the httpd_selinux man page for additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                /srv/joomla/index.php [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.2.17-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-10.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.6-48.fc14.x86_64 #1
                              SMP Fri Oct 22 15:36:08 UTC 2010 x86_64 x86_64
Alert Count                   4
First Seen                    Thu 18 Nov 2010 11:25:20 PM MSK
Last Seen                     Thu 18 Nov 2010 11:25:35 PM MSK
Local ID                      21bf6e2a-7c4d-4def-9b4a-7824fe674923
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1290111935.708:6077): avc:  denied  { getattr } for  pid=23756 comm="httpd" path="/srv/joomla/index.php" dev=sda2 ino=9282 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1290111935.708:6077): arch=c000003e syscall=6 success=no exit=-13 a0=7f5f6e68a350 a1=7fff5376ec80 a2=7fff5376ec80 a3=fffffffffffff368 items=0 ppid=23748 pid=23756 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=229 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)



Hash String generated from  httpd_bad_labels,httpd,httpd_t,var_t,file,getattr
audit2allow suggests:

#============= httpd_t ==============
allow httpd_t var_t:file getattr;
Comment 1 Daniel Walsh 2010-11-18 20:31:10 UTC 
You want to setup labeling for this directory

# semanage fcontext -a -t httpd_sys_content_t '/var/joomla(/.*)?'
# restorecon -R -v /var/joomla

Is this a standard location for joomla?  What is joomla?