| Summary: | SELinux is preventing /usr/sbin/httpd from 'remove_name' accesses on the directory cgisock.2057. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Robert Martin <Robert-Martin> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 14 | CC: | dominick.grift, dwalsh, mgrepl, Robert-Martin |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:dfb497e620dbadad129ca5b22278c2bb1342300c014f00bb624fb3f31ab98aa3 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-05-24 17:35:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
This is related to #707307 It was not able to create the sock file but it was able to create the directory entry. When it figured it could not create the sock file it tried to remove the directory entry but was not allowed that. *** This bug has been marked as a duplicate of bug 707307 *** |
SELinux is preventing /usr/sbin/httpd from 'remove_name' accesses on the directory cgisock.2057. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that httpd should be allowed remove_name access on the cgisock.2057 directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep httpd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:httpd_log_t:s0 Target Objects cgisock.2057 [ dir ] Source httpd Source Path /usr/sbin/httpd Port <Unknown> Host (removed) Source RPM Packages httpd-2.2.17-1.fc14 Target RPM Packages Policy RPM selinux-policy-3.9.7-40.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.35.13-91.fc14.i686 #1 SMP Tue May 3 13:36:36 UTC 2011 i686 i686 Alert Count 1 First Seen Tue 24 May 2011 09:42:43 AM CDT Last Seen Tue 24 May 2011 09:42:43 AM CDT Local ID aa1c12ea-db24-4f2a-9e78-a716f80b514a Raw Audit Messages type=AVC msg=audit(1306248163.602:195): avc: denied { remove_name } for pid=2057 comm="httpd" name="cgisock.2057" dev=dm-0 ino=679205 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir type=SYSCALL msg=audit(1306248163.602:195): arch=i386 syscall=unlink success=no exit=EACCES a0=b6012808 a1=ffffff74 a2=81cdfc a3=1530190 items=0 ppid=1 pid=2057 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) Hash: httpd,httpd_t,httpd_log_t,dir,remove_name audit2allow #============= httpd_t ============== allow httpd_t httpd_log_t:dir remove_name; audit2allow -R #============= httpd_t ============== allow httpd_t httpd_log_t:dir remove_name;