| Summary: | SELinux prevented httpd (/usr/sbin/httpd) remove_name access to LDX.eyepackage. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | ssabchew <ssabcew> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 13 | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:2b2a84500afd70cc802cf381f46a9c245d9d7e21ccb80897d7ff5f54d82acfc0 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-01-24 15:18:34 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
*** This bug has been marked as a duplicate of bug 672077 *** |
Summary: SELinux prevented httpd (/usr/sbin/httpd) remove_name access to LDX.eyepackage. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux prevented httpd remove_name access to LDX.eyepackage. httpd scripts are not allowed to write to content without explicit labeling of all files. If LDX.eyepackage is writable content. it needs to be labeled httpd_sys_rw_content_t or if all you need is append you can label it httpd_sys_ra_content_t. Please refer to 'man httpd_selinux' for more information on setting up httpd and selinux. Allowing Access: You can alter the file context by executing chcon -R -t httpd_sys_rw_content_t 'LDX.eyepackage' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t httpd_sys_rw_content_t 'LDX.eyepackage'" Fix Command: chcon -R -t httpd_sys_rw_content_t 'LDX.eyepackage' Additional Information: Source Context unconfined_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:httpd_sys_content_t:s0 Target Objects LDX.eyepackage [ dir ] Source httpd Source Path /usr/sbin/httpd Port <Unknown> Host (removed) Source RPM Packages httpd-2.2.17-1.fc13.1 Target RPM Packages Policy RPM selinux-policy-3.7.19-76.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name httpd_write_content Host Name (removed) Platform Linux (removed) 2.6.34.7-66.fc13.x86_64 #1 SMP Wed Dec 15 07:04:30 UTC 2010 x86_64 x86_64 Alert Count 22 First Seen Sun 23 Jan 2011 12:37:52 AM EET Last Seen Sun 23 Jan 2011 01:53:20 AM EET Local ID 9b8863a3-f3d4-4318-9e8b-dd2d7f4c8ae4 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1295740400.554:963): avc: denied { remove_name } for pid=1447 comm="httpd" name="LDX.eyepackage" dev=dm-1 ino=1737637 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir node=(removed) type=AVC msg=audit(1295740400.554:963): avc: denied { rename } for pid=1447 comm="httpd" name="LDX.eyepackage" dev=dm-1 ino=1737637 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1295740400.554:963): arch=c000003e syscall=82 success=yes exit=0 a0=7f1c04826f48 a1=7f1c04924c80 a2=3 a3=7f1c04943d28 items=0 ppid=15854 pid=1447 auid=500 uid=48 gid=487 euid=48 suid=48 fsuid=48 egid=487 sgid=487 fsgid=487 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) Hash String generated from httpd_write_content,httpd,httpd_t,httpd_sys_content_t,dir,remove_name audit2allow suggests: #============= httpd_t ============== #!!!! This avc can be allowed using the boolean 'httpd_unified' allow httpd_t httpd_sys_content_t:dir remove_name; #!!!! This avc can be allowed using the boolean 'httpd_unified' allow httpd_t httpd_sys_content_t:file rename;