Description of problem:
/var/lib/mirrormanager/mirrorlists/ is generated by a cronjob and served as HTTP content. selinux policy doesn't let this content be served by HTTP.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.7.19-231.el6.noarch, though anticipated in Fedora as well.

How reproducible:
always

Steps to Reproduce:
1. run mirrormanager with content in the database
2. run mirrormanager update-static-content script, which creates /var/lib/mirrormanager/mirrorlists/

Actual results:
content created, but can't be served by httpd

Expected results:
content served by httpd

Additional info:
semanage fcontext -a -t httpd_sys_content_t '/var/lib/mirrormanager/mirrorlists(/.*)?'
resolves this.

Thanks, Matt
One more please:

semanage fcontext -a -t httpd_sys_content_t '/var/log/mirrormanager/crawler(/.*)?'

(or I could move the crawler logs to somewhere besides /var/log I suppose, such as under /var/lib/mirrormanager/crawler/* if that would be preferred).
Added mirrormanager policy to Rawhide.
Matt, any chance to test this policy in rawhide?
Miroslav and Dan, thanks for the quick turnaround.

selinux-policy-targeted-3.13.1-11.fc21.noarch

Three issues I still see:

1) httpd (mirrormanager.wsgi application) failed to open its socket file in /var/run/mirrormanager/.

[Wed Jan 08 11:59:44.112258 2014] [:alert] [pid 5240] (13)Permission denied: mod_wsgi (pid=5240): Couldn't bind unix domain socket '/var/run/mirrormanager/wsgi.5240.0.1.sock'.

# audit2why -a -v
type=AVC msg=audit(1389200384.110:652): avc: denied { search } for pid=5240 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.
		You can use audit2allow to generate a loadable module to allow this access.

2) httpd (mirrorlist_client.wsgi application) fails to open a socket created by the mirrormanager_server process, in /var/run/mirrormanager/mirrorlist_server.sock.

type=AVC msg=audit(1389201478.910:694): avc: denied { search } for pid=5364 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1389201478.910:694): arch=c000003e syscall=87 success=no exit=-13 a0=7f667f458208 a1=7f667f458320 a2=14f4 a3=0 items=0 ppid=1 pid=5364 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201478.910:695): avc: denied { search } for pid=5364 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1389201478.910:695): arch=c000003e syscall=87 success=no exit=-13 a0=7f667f3b4620 a1=7f667f3b4738 a2=14f4 a3=b1 items=0 ppid=1 pid=5364 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=ANOM_ABEND msg=audit(1389201479.055:696): auid=4294967295 uid=48 gid=48 ses=4294967295 subj=system_u:system_r:httpd_t:s0 pid=5564 comm="httpd" reason="memory violation" sig=11
type=ANOM_ABEND msg=audit(1389201479.057:697): auid=4294967295 uid=48 gid=48 ses=4294967295 subj=system_u:system_r:httpd_t:s0 pid=5550 comm="httpd" reason="memory violation" sig=11
type=AVC msg=audit(1389201479.057:698): avc: denied { lock } for pid=5493 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E353336342E302E312E6C6F636B202864656C6574656429 dev="tmpfs" ino=30996 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389201479.057:698): arch=c000003e syscall=72 success=no exit=-13 a0=9 a1=7 a2=7f667c110e40 a3=7f666eafcba0 items=0 ppid=5364 pid=5493 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201479.071:699): avc: denied { lock } for pid=5444 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E353336342E302E312E6C6F636B202864656C6574656429 dev="tmpfs" ino=30996 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389201479.071:699): arch=c000003e syscall=72 success=no exit=-13 a0=9 a1=7 a2=7f667c110e40 a3=7f666eafd9d0 items=0 ppid=5364 pid=5444 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201479.080:700): avc: denied { lock } for pid=5506 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E353336342E302E312E6C6F636B202864656C6574656429 dev="tmpfs" ino=30996 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389201479.080:700): arch=c000003e syscall=72 success=no exit=-13 a0=9 a1=7 a2=7f667c110e40 a3=7f666eafd9d0 items=0 ppid=5364 pid=5506 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201479.082:701): avc: denied { lock } for pid=5538 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E353336342E302E322E6C6F636B202864656C6574656429 dev="tmpfs" ino=31011 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389201479.082:701): arch=c000003e syscall=72 success=no exit=-13 a0=b a1=7 a2=7f667c110e40 a3=1 items=0 ppid=5364 pid=5538 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201479.082:702): avc: denied { lock } for pid=5535 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E353336342E302E312E6C6F636B202864656C6574656429 dev="tmpfs" ino=30996 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389201479.082:702): arch=c000003e syscall=72 success=no exit=-13 a0=9 a1=7 a2=7f667c110e40 a3=7f666eafcba0 items=0 ppid=5364 pid=5535 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=SERVICE_STOP msg=audit(1389201479.194:703): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="httpd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1389201479.262:704): avc: denied { search } for pid=5723 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1389201479.262:704): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=7fff21403a70 a2=6e a3=7fa231a29852 items=0 ppid=1 pid=5723 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=SERVICE_START msg=audit(1389201479.263:705): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="httpd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1389201507.985:706): avc: denied { search } for pid=5724 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1389201507.985:706): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7fff21403660 a2=6e a3=fffffffffffff7cf items=0 ppid=5723 pid=5724 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=MAC_STATUS msg=audit(1389201542.985:707): enforcing=0 old_enforcing=1 auid=1000 ses=7
type=SYSCALL msg=audit(1389201542.985:707): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fffbadd98c0 a2=1 a3=7fffbadd9680 items=0 ppid=5134 pid=5732 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=7 tty=pts0 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1389201544.924:708): avc: denied { search } for pid=5726 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1389201544.924:708): arch=c000003e syscall=42 success=no exit=-2 a0=b a1=7fff21403660 a2=6e a3=fffffffffffff7cf items=0 ppid=5723 pid=5726 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=USER_AVC msg=audit(1389201549.499:709): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SERVICE_STOP msg=audit(1389201555.540:710): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="httpd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1389201555.604:711): avc: denied { write } for pid=5751 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=AVC msg=audit(1389201555.604:711): avc: denied { add_name } for pid=5751 comm="httpd" name="wsgi.5751.0.1.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=AVC msg=audit(1389201555.604:711): avc: denied { create } for pid=5751 comm="httpd" name="wsgi.5751.0.1.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1389201555.604:711): arch=c000003e syscall=49 success=yes exit=0 a0=8 a1=7fff0340ac80 a2=6e a3=7f19ed5be852 items=0 ppid=1 pid=5751 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201555.605:712): avc: denied { setattr } for pid=5751 comm="httpd" name="wsgi.5751.0.1.sock" dev="tmpfs" ino=27597 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1389201555.605:712): arch=c000003e syscall=92 success=yes exit=0 a0=7f19fc0ba620 a1=30 a2=ffffffff a3=7f19ed5be852 items=0 ppid=1 pid=5751 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201555.605:713): avc: denied { create } for pid=5751 comm="httpd" name="wsgi.5751.0.1.lock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=AVC msg=audit(1389201555.605:713): avc: denied { write open } for pid=5751 comm="httpd" path="/run/mirrormanager/wsgi.5751.0.1.lock" dev="tmpfs" ino=27598 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389201555.605:713): arch=c000003e syscall=2 success=yes exit=9 a0=7f19fc0ba708 a1=800c1 a2=1a4 a3=7fff0340a8a0 items=0 ppid=1 pid=5751 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201555.605:714): avc: denied { remove_name } for pid=5751 comm="httpd" name="wsgi.5751.0.1.lock" dev="tmpfs" ino=27598 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=AVC msg=audit(1389201555.605:714): avc: denied { unlink } for pid=5751 comm="httpd" name="wsgi.5751.0.1.lock" dev="tmpfs" ino=27598 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389201555.605:714): arch=c000003e syscall=87 success=yes exit=0 a0=7f19fc0ba708 a1=0 a2=7f19fc0ba678 a3=7fff0340a8a0 items=0 ppid=1 pid=5751 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201555.678:715): avc: denied { lock } for pid=5782 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E353735312E302E312E6C6F636B202864656C6574656429 dev="tmpfs" ino=27598 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389201555.678:715): arch=c000003e syscall=72 success=yes exit=0 a0=9 a1=7 a2=7f19f93dae60 a3=7f19ebdc79d0 items=0 ppid=5751 pid=5782 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=SERVICE_START msg=audit(1389201555.844:716): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="httpd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1389201557.424:717): avc: denied { write } for pid=5921 comm="httpd" name="wsgi.5751.0.1.sock" dev="tmpfs" ino=27597 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1389201557.424:717): arch=c000003e syscall=42 success=yes exit=0 a0=c a1=7fff0340a870 a2=6e a3=fffffffffffff7cf items=0 ppid=5751 pid=5921 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389201557.505:718): avc: denied { connectto } for pid=5782 comm="httpd" path="/run/mirrormanager/mirrorlist_server.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1389201557.505:718): arch=c000003e syscall=42 success=yes exit=0 a0=d a1=7f19ebdc6320 a2=2f a3=0 items=0 ppid=5751 pid=5782 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

3) I need to add

setsebool -P httpd_can_network_connect_db 1

Should I just add this to the mirrormanager.spec %post?
What is the path to the mirrormanager apache scripts?
/usr/share/mirrormanager/server/mirrormanager.wsgi (the main TurboGears-based application)

/usr/share/mirrormanager/mirrorlist-server/mirrorlist_client.wsgi (the WSGI responsible for answering http:///mirrorlist and /metalink requests).
Could you try to add

# cat mypol.te
policy_module(mypol,1.0)

apache_content_template(mirrormanager)

and run

# make -f /usr/share/selinux/devel/Makefile mypol.pp
# semodule -i mypol.pp
# chcon -t mirrormanager_script_exec_t /usr/share/mirrormanager/server/mirrormanager.wsgi /usr/share/mirrormanager/mirrorlist-server/mirrorlist_client.wsgi

and re-test it?

Thank you.
Thanks Miroslav. Still getting failures:

type=AVC msg=audit(1389643301.501:1636): avc: denied { search } for pid=6321 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.
		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1389643301.509:1637): avc: denied { lock } for pid=6400 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E363332312E302E312E6C6F636B202864656C6574656429 dev="tmpfs" ino=32973 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.
		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1389643301.529:1638): avc: denied { search } for pid=6321 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.
		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1389643301.581:1639): avc: denied { lock } for pid=6382 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E363332312E302E312E6C6F636B202864656C6574656429 dev="tmpfs" ino=32973 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.
		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1389643301.586:1640): avc: denied { lock } for pid=6453 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E363332312E302E312E6C6F636B202864656C6574656429 dev="tmpfs" ino=32973 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
	Was caused by:
		Missing type enforcement (TE) allow rule.
		You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1389643301.705:1642): avc: denied { search } for pid=18438 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
	Was caused by:
		Missing type enforcement (TE) allow rule.
		You can use audit2allow to generate a loadable module to allow this access.
Was it in permissive mode?
I just added an allow rule for this. Should be fixed in next update.
Miroslav: it was in enforcing mode when I tried with the above, not Permissive.

Dan - thanks for the update. I ran selinux-policy-targeted-3.13.1-13.fc21.noarch and upon starting httpd, still get this:

type=AVC msg=audit(1389831664.478:2486): avc: denied { search } for pid=1125 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1389831664.478:2486): arch=c000003e syscall=49 success=no exit=-13 a0=8 a1=7fff27fec9b0 a2=6e a3=0 items=0 ppid=1 pid=1125 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=SERVICE_START msg=audit(1389831664.479:2487): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="httpd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1389831887.806:2488): avc: denied { search } for pid=1127 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1389831887.806:2488): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7fff27fec5a0 a2=6e a3=fffffffffffff54b items=0 ppid=1125 pid=1127 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

and I note that /var/run/mirrormanager does not have the WSGI sockets for either of the two WSGI apps that I would have expected it to have.

After switching to permissive, and restarting httpd, hitting each of the two WSGI URLs, I get:

type=SYSCALL msg=audit(1389831947.083:2489): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7fff85746670 a2=1 a3=7fff85746430 items=0 ppid=1050 pid=1147 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=187 tty=pts0 comm="setenforce" exe="/usr/sbin/setenforce" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=USER_AVC msg=audit(1389831951.007:2490): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=SERVICE_STOP msg=audit(1389831952.045:2491): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="httpd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1389831952.113:2492): avc: denied { search } for pid=1165 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=AVC msg=audit(1389831952.113:2492): avc: denied { write } for pid=1165 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=AVC msg=audit(1389831952.113:2492): avc: denied { add_name } for pid=1165 comm="httpd" name="wsgi.1165.0.1.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=AVC msg=audit(1389831952.113:2492): avc: denied { create } for pid=1165 comm="httpd" name="wsgi.1165.0.1.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1389831952.113:2492): arch=c000003e syscall=49 success=yes exit=0 a0=8 a1=7fff0d79de50 a2=6e a3=0 items=0 ppid=1 pid=1165 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389831952.113:2493): avc: denied { setattr } for pid=1165 comm="httpd" name="wsgi.1165.0.1.sock" dev="tmpfs" ino=143702 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1389831952.113:2493): arch=c000003e syscall=92 success=yes exit=0 a0=7f2ef91857f8 a1=30 a2=ffffffff a3=0 items=0 ppid=1 pid=1165 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389831952.113:2494): avc: denied { create } for pid=1165 comm="httpd" name="wsgi.1165.0.1.lock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=AVC msg=audit(1389831952.113:2494): avc: denied { write open } for pid=1165 comm="httpd" path="/run/mirrormanager/wsgi.1165.0.1.lock" dev="tmpfs" ino=143703 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389831952.113:2494): arch=c000003e syscall=2 success=yes exit=9 a0=7f2ef91858e0 a1=800c1 a2=1a4 a3=7fff0d79da70 items=0 ppid=1 pid=1165 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389831952.113:2495): avc: denied { remove_name } for pid=1165 comm="httpd" name="wsgi.1165.0.1.lock" dev="tmpfs" ino=143703 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=AVC msg=audit(1389831952.113:2495): avc: denied { unlink } for pid=1165 comm="httpd" name="wsgi.1165.0.1.lock" dev="tmpfs" ino=143703 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389831952.113:2495): arch=c000003e syscall=87 success=yes exit=0 a0=7f2ef91858e0 a1=0 a2=7f2ef9185850 a3=7fff0d79da70 items=0 ppid=1 pid=1165 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389831952.199:2496): avc: denied { lock } for pid=1192 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E313136352E302E312E6C6F636B202864656C6574656429 dev="tmpfs" ino=143703 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1389831952.199:2496): arch=c000003e syscall=72 success=yes exit=0 a0=9 a1=7 a2=7f2ef7b5de60 a3=7f2eea547ba0 items=0 ppid=1165 pid=1192 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=SERVICE_START msg=audit(1389831952.345:2497): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="httpd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1389831968.318:2498): avc: denied { write } for pid=1328 comm="httpd" name="wsgi.1165.0.1.sock" dev="tmpfs" ino=143702 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1389831968.318:2498): arch=c000003e syscall=42 success=yes exit=0 a0=c a1=7fff0d79da40 a2=6e a3=fffffffffffff54b items=0 ppid=1165 pid=1328 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389831968.399:2499): avc: denied { connectto } for pid=1192 comm="httpd" path="/run/mirrormanager/mirrorlist_server.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1389831968.399:2499): arch=c000003e syscall=42 success=yes exit=0 a0=d a1=7f2eea547320 a2=2f a3=0 items=0 ppid=1165 pid=1192 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1389831974.783:2500): avc: denied { read } for pid=1349 comm="httpd" name="mirrormanager" dev="dm-1" ino=659395 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1389831974.783:2500): arch=c000003e syscall=257 success=yes exit=15 a0=ffffffffffffff9c a1=7f2ee571f9f0 a2=90800 a3=0 items=0 ppid=1165 pid=1349 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 ses=4294967295 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
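The AVC records pasted throughout this report are hard to read in bulk, and the lock-file `path=` values appear as long hex strings because the kernel hex-encodes an audit field that contains a space (here the " (deleted)" suffix on an unlinked lock file). The script below is an added example, not code from this report, from mirrormanager or from selinux-policy: a small stand-in for audit2allow that parses records of that shape, decodes the hex fields, and groups the denied permissions per (source type, target type, object class) so the three denial families in this thread (dir and file access under mirrormanager_var_run_t, and connectto against an init_t socket) can be read at a glance. The sample records are a constructed subset of the ones posted above; the field handling and regular expressions are my own assumptions about the record format, not anything the page states.

```python
"""Group SELinux AVC denials into candidate allow rules (audit2allow-style).

Added example; not code from the bug report, mirrormanager or selinux-policy.
The parser handles 'type=AVC ... avc: denied { perms } for k=v ...' records,
decodes hex-encoded path=/name= fields, and aggregates permissions per
(source type, target type, class). SAMPLE_AUDIT is a constructed subset of
the records in this report.
"""
import re
from collections import defaultdict

# Constructed sample (one record per line); a SYSCALL line is included to
# show that non-AVC records are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1389200384.110:652): avc:  denied  { search } for  pid=5240 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1389200384.110:652): arch=c000003e syscall=87 success=no exit=-13 items=0 pid=5240 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1389201479.057:698): avc:  denied  { lock } for  pid=5493 comm="httpd" path=2F72756E2F6D6972726F726D616E616765722F777367692E353336342E302E312E6C6F636B202864656C6574656429 dev="tmpfs" ino=30996 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=file
type=AVC msg=audit(1389201555.604:711): avc:  denied  { write } for  pid=5751 comm="httpd" name="mirrormanager" dev="tmpfs" ino=17748 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=AVC msg=audit(1389201555.604:711): avc:  denied  { add_name } for  pid=5751 comm="httpd" name="wsgi.5751.0.1.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mirrormanager_var_run_t:s0 tclass=dir
type=AVC msg=audit(1389201557.505:718): avc:  denied  { connectto } for  pid=5782 comm="httpd" path="/run/mirrormanager/mirrorlist_server.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
"""

# Tolerates the single spaces of a pasted log as well as auditd's double spaces.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
# Fields the kernel hex-encodes when the value contains a space, quote, etc.
# Only these are decoded, so numeric fields such as pid=5240 are left alone.
ENCODED_FIELDS = {"path", "name", "comm", "exe"}


def decode_field(key, raw):
    """Return the plain-text value of one audit key=value pair."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in ENCODED_FIELDS and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def context_type(ctx):
    """user:role:type:level -> type (third colon-separated field)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one denial record; return None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: decode_field(k, v) for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # The object the denial was about: a decoded path if present, else the name.
        "object": fields.get("path") or fields.get("name", ""),
    }


def summarize(audit_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    summary = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def render_rules(summary):
    """One TE allow rule per (source, target, class), permissions sorted."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules


if __name__ == "__main__":
    for rule in render_rules(summarize(SAMPLE_AUDIT)):
        print(rule)
    for line in SAMPLE_AUDIT.splitlines():
        rec = parse_avc(line)
        if rec:
            print(sorted(rec["perms"]), rec["tclass"], rec["object"])
```

Running it prints three rules, and the decoded object column shows the hex path as /run/mirrormanager/wsgi.5364.0.1.lock (deleted). Read the connectto rule with care before loading anything like it: its target type is init_t, which means the process that created /run/mirrormanager/mirrorlist_server.sock was itself running in init_t without a domain of its own, so a rule generated from that record would let httpd_t connect to any init_t unix socket rather than to this one daemon. The durable fix for that family of denials is a confined domain for the server process, not a wider allow rule for httpd_t.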
I added additional rules.