| Summary: | SELinux is preventing /usr/bin/runcon from using the 'transition' accesses on a process. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Gavin Romig-Koch <gavin> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 15 | CC: | dominick.grift, dwalsh, gavin, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:a23278c684459abcc8a4cbb1bb846497792b3c92243bdd71c619e8088ebe8017 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-06-30 20:35:40 UTC | Type: | --- |
Just testing f15.

You can start apache with runcon using

# runcon -u system_u -r system_r -t initrc_t -- runcon -t httpd_t httpd

It will do these transitions: unconfined_t -> initrc_t -> httpd_t
SELinux is preventing /usr/bin/runcon from using the 'transition' accesses on a process.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that runcon should be allowed transition access on processes labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep runcon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                system_u:object_r:httpd_t:s0-s0:c0.c1023
Target Objects                /bin/bash [ process ]
Source                        runcon
Source Path                   /usr/bin/runcon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           coreutils-8.10-2.fc15
Target RPM Packages           bash-4.2.10-4.fc15
Policy RPM                    selinux-policy-3.9.16-30.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.8-32.fc15.x86_64 #1 SMP Mon Jun 13 19:49:05 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 30 Jun 2011 01:31:50 PM EDT
Last Seen                     Thu 30 Jun 2011 01:31:50 PM EDT
Local ID                      ddeb56cd-652c-4725-a15a-8c4881110bff

Raw Audit Messages
type=AVC msg=audit(1309455110.544:98): avc: denied { transition } for pid=25151 comm="runcon" path="/bin/bash" dev=dm-1 ino=44363 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_t:s0-s0:c0.c1023 tclass=process

type=SYSCALL msg=audit(1309455110.544:98): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fff35ad561c a1=7fff35ad40c0 a2=7fff35ad40d0 a3=0 items=0 ppid=24981 pid=25151 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm=runcon exe=/usr/bin/runcon subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: runcon,unconfined_t,httpd_t,process,transition

audit2allow

#============= unconfined_t ==============
allow unconfined_t httpd_t:process transition;

audit2allow -R

#============= unconfined_t ==============
allow unconfined_t httpd_t:process transition;
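
For triage, the raw AVC record in the report above can be reduced to the fields on its Hash: line and to the rule audit2allow prints. This is an added example, not part of the original bug report or of setroubleshoot; the function names are hypothetical and the record is the one quoted in the report.

```python
import re

# Raw AVC record from the report above, joined onto one line.
AVC = (
    'type=AVC msg=audit(1309455110.544:98): avc: denied { transition } for '
    'pid=25151 comm="runcon" path="/bin/bash" dev=dm-1 ino=44363 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:httpd_t:s0-s0:c0.c1023 tclass=process'
)

def split_context(ctx):
    """Split user:role:type[:mls]. The MLS range contains colons itself,
    so only the first three separators are field boundaries."""
    user, role, setype, *mls = ctx.split(":", 3)
    return {"user": user, "role": role, "type": setype,
            "mls": mls[0] if mls else None}

def parse_avc(line):
    """Return the decision, permissions and contexts of one AVC record."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}", line)
    if m is None:
        raise ValueError("not an AVC record")
    # key=value pairs; values are either quoted or run to the next space
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return {
        "decision": m.group(1),
        "perms": m.group(2).split(),
        "comm": kv["comm"],
        "tclass": kv["tclass"],
        "source": split_context(kv["scontext"]),
        "target": split_context(kv["tcontext"]),
    }

def hash_fields(avc):
    """comm, source type, target type, class, permission, in the order the
    report's Hash: line shows them for this single-permission denial."""
    return ",".join([avc["comm"], avc["source"]["type"], avc["target"]["type"],
                     avc["tclass"], *avc["perms"]])

def allow_rule(avc):
    """The type-enforcement rule this denial corresponds to."""
    perms = avc["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return (f'allow {avc["source"]["type"]} '
            f'{avc["target"]["type"]}:{avc["tclass"]} {p};')

if __name__ == "__main__":
    rec = parse_avc(AVC)
    print(hash_fields(rec))
    print(allow_rule(rec))
```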