SELinux is preventing /usr/bin/eu-unstrip from 'read' accesses on the directory /usr/lib/httpd/modules.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that eu-unstrip should be allowed read access on the modules directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep eu-unstrip /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:abrt_t:s0-s0:c0.c1023
Target Context system_u:object_r:httpd_modules_t:s0
Target Objects /usr/lib/httpd/modules [ dir ]
Source eu-unstrip
Source Path /usr/bin/eu-unstrip
Port <Unknown>
Host (removed)
Source RPM Packages elfutils-0.152-1.fc15
Target RPM Packages httpd-2.2.17-10.fc15.1
Policy RPM selinux-policy-3.9.16-26.fc15
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux (removed) 2.6.38.8-32.fc15.i686
#1 SMP Mon Jun 13 20:01:50 UTC 2011 i686 i686
Alert Count 1
First Seen Tue 21 Jun 2011 02:33:35 PM PDT
Last Seen Tue 21 Jun 2011 02:33:35 PM PDT
Local ID 6e1ee6e9-285a-4d02-b706-3c2ead69fbf7
Raw Audit Messages
type=AVC msg=audit(1308692015.434:724): avc: denied { read } for pid=23709 comm="eu-unstrip" name="modules" dev=dm-0 ino=5767226 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir
type=SYSCALL msg=audit(1308692015.434:724): arch=i386 syscall=open success=yes exit=EMFILE a0=903a2c0 a1=8000 a2=0 a3=bf9c84c0 items=0 ppid=23706 pid=23709 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=eu-unstrip exe=/usr/bin/eu-unstrip subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
Hash: eu-unstrip,abrt_t,httpd_modules_t,dir,read
audit2allow
#============= abrt_t ==============
allow abrt_t httpd_modules_t:dir read;
audit2allow -R
#============= abrt_t ==============
allow abrt_t httpd_modules_t:dir read;
I ran into this when I built a new Apache module (mod_jk) from source.
The steps to reproduce this are as follows:
1. Download tomcat-connectors-1.2.31-src from tomcat.apache.org
2. Unpack
3. cd to tomcat-connectors-1.2.31-src/native
4. configure with --with-apxs=/usr/sbin/apxs --with-java-home=/usr/java
(using Oracle's 1.6.0_26)
5. Install by copying (as root) to /etc/httpd/modules (bad model, I know)
6. Execute systemctl restart httpd.service
ls -Z shows that all modules have the same SELinux info:
-rwxr-xr-x. root root system_u:object_r:httpd_modules_t:s0 mod_jk.so
I just rebuilt and re-installed the module. My test web application (simple cluster application with three Tomcats) works as expected. Clustering works as expected.
I did see some unexpected segmentation faults from a few days ago, but nothing that directly relates to the installation. I imagine that this was possibly due to an Apache upgrade during preupgrade and I didn't rebuild this module.
I made a poor choice of policy names when I added the policy (httpdpol), but it doesn't seem to have created a name collision. Unloading it and rerunning the application doesn't raise an alert.
I think I'm going to chalk this up to bad install practice, although I don't see any difference in what was added to /usr/lib/httpd/modules by running make install.
I apologize for what appears to be a false alarm. Please close the bug.
SELinux is preventing /usr/bin/eu-unstrip from 'read' accesses on the directory /usr/lib/httpd/modules. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that eu-unstrip should be allowed read access on the modules directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep eu-unstrip /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:abrt_t:s0-s0:c0.c1023 Target Context system_u:object_r:httpd_modules_t:s0 Target Objects /usr/lib/httpd/modules [ dir ] Source eu-unstrip Source Path /usr/bin/eu-unstrip Port <Unknown> Host (removed) Source RPM Packages elfutils-0.152-1.fc15 Target RPM Packages httpd-2.2.17-10.fc15.1 Policy RPM selinux-policy-3.9.16-26.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 2.6.38.8-32.fc15.i686 #1 SMP Mon Jun 13 20:01:50 UTC 2011 i686 i686 Alert Count 1 First Seen Tue 21 Jun 2011 02:33:35 PM PDT Last Seen Tue 21 Jun 2011 02:33:35 PM PDT Local ID 6e1ee6e9-285a-4d02-b706-3c2ead69fbf7 Raw Audit Messages type=AVC msg=audit(1308692015.434:724): avc: denied { read } for pid=23709 comm="eu-unstrip" name="modules" dev=dm-0 ino=5767226 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir type=SYSCALL msg=audit(1308692015.434:724): arch=i386 syscall=open success=yes exit=EMFILE a0=903a2c0 a1=8000 a2=0 a3=bf9c84c0 items=0 ppid=23706 pid=23709 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=eu-unstrip exe=/usr/bin/eu-unstrip subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null) Hash: eu-unstrip,abrt_t,httpd_modules_t,dir,read audit2allow #============= abrt_t ============== allow abrt_t httpd_modules_t:dir read; audit2allow -R #============= abrt_t ============== allow abrt_t httpd_modules_t:dir read; I ran into this when I built a new Apache module (mod_jk) from source. The steps to reproduce this are as follows: 1. Download tomcat-connectors-1.2.31-src from tomcat.apache.org 2. Unpack 3. cd to tomcat-connectors-1.2.31-src/native 4. configure with --with-apxs=/usr/sbin/apxs --with-java-home=/usr/java (using Oracle's 1.6.0_26) 5. Install by copying (as root) to /etc/httpd/modules (bad model, I know) 6. Execute systemctl restart httpd.service ls -Z shows that all modules have the same SELinux info: -rwxr-xr-x. root root system_u:object_r:httpd_modules_t:s0 mod_jk.so