Created attachment 867431 [details] Some of audit.log that appeared related to the httpd issue. Description of problem: After a about a week without rebooting, when I did httpd didn't finish starting. (systemctl restart httpd would hang.) There hasn't been an httpd update since my previous reboot. I am seeing some AVCs that appear related and switching to permissive made things work. I'm relabelling /usr now and will see if that didn't get updated properly in an update or if it appears there is a policy problem. (Though either should be considered a bug.) Version-Release number of selected component (if applicable): httpd-2.4.6-6.fc20.i686 selinux-policy-targeted-3.12.1-126.fc20.noarch
Yes, it is going to be fixed in the next build. Fortunately the update is just in updates-testing so please add negative karma. Thank you for testing.
There might be a related issue with rawhide. iptables, httpd, postgresql, lm_sensors, and console-kit-log-system-start failed to start at boot. iptables wouldn't restart in enforcing mode. When I switched to permissive, I was able to restart all of the listed services.
(In reply to Bruno Wolff III from comment #2) > There might be a related issue with rawhide. iptables, httpd, postgresql, > lm_sensors, and console-kit-log-system-start failed to start at boot. > iptables wouldn't restart in enforcing mode. When I switched to permissive, > I was able to restart all of the listed services. Are you testing with the latest rawhide build?
(In reply to Miroslav Grepl from comment #3) > (In reply to Bruno Wolff III from comment #2) > > There might be a related issue with rawhide. iptables, httpd, postgresql, > > lm_sensors, and console-kit-log-system-start failed to start at boot. > > iptables wouldn't restart in enforcing mode. When I switched to permissive, > > I was able to restart all of the listed services. > > Are you testing with the latest rawhide build? http://koji.fedoraproject.org/koji/buildinfo?buildID=500352
Not yet. I was waiting for rawhide to update, but it looks like it is running late again. If it doesn't show up soon, I'll grab that build from koji and try it out.
I just tested selinux-policy-targeted-3.13.1-26.fc21.noarch and at least httpd won't start in enforcing mode. It does start in permissive. Here is a few of the recent httpd AVCs: type=AVC msg=audit(1393347934.989:66480): avc: denied { search } for pid=11200 comm="/usr/sbin/httpd" name="condor" dev="dm-1" ino=295522 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:condor_var_lib_t:s0 tclass=dir type=AVC msg=audit(1393347935.002:66481): avc: denied { search } for pid=11200 comm="/usr/sbin/httpd" name="munin" dev="dm-1" ino=400958 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:munin_var_lib_t:s0 tclass=dir type=AVC msg=audit(1393347935.118:66482): avc: denied { search } for pid=11200 comm="/usr/sbin/httpd" name="games" dev="dm-1" ino=263468 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:games_data_t:s0 tclass=dir type=AVC msg=audit(1393347935.154:66483): avc: denied { search } for pid=11200 comm="/usr/sbin/httpd" name="ntop" dev="dm-1" ino=2655739 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ntop_var_lib_t:s0 tclass=dir type=AVC msg=audit(1393347935.274:66484): avc: denied { search } for pid=11200 comm="/usr/sbin/httpd" name="vnstat" dev="dm-1" ino=2660030 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:vnstatd_var_lib_t:s0 tclass=dir type=AVC msg=audit(1393347935.333:66485): avc: denied { search } for pid=11200 comm="/usr/sbin/httpd" name="couchdb" dev="dm-1" ino=301317 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:couchdb_var_lib_t:s0 tclass=dir
Created attachment 867556 [details] More complete list of rawhide AVCs It looks like there are other problems than the tmp issue in rawhide. We might need a separate bug for those.
I screwed up. I did the test on the rawhide machine that was in the process of updating selinux-policy instead of the one where it had finished. I am able to restart httpd with selinux-policy-3.13.1-27.fc21.noarch.
selinux-policy-3.12.1-127.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-127.fc20
Package selinux-policy-3.12.1-127.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-127.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-127.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-127.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.