Bug 1126259 - SELinux is preventing /usr/sbin/httpd from 'search' accesses on the directory .
Summary: SELinux is preventing /usr/sbin/httpd from 'search' accesses on the directory .
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:f8db30ea2d9a96b911d2c148424...
Depends On:
TreeView+ depends on / blocked
Reported: 2014-08-04 02:58 UTC by cutnioff
Modified: 2014-11-25 11:03 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.12.1-183.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-09-03 12:48:49 UTC
Type: ---

Attachments (Terms of Use)

Description cutnioff 2014-08-04 02:58:08 UTC
Description of problem:
SELinux is preventing /usr/sbin/httpd from 'search' accesses on the directory .

*****  Plugin catchall (100. confidence) suggests   **************************

If вы считаете, что httpd следует разрешить доступ search к  directory по умолчанию.
Then рекомендуется создать отчет об ошибке.
Чтобы разрешить доступ, можно создать локальный модуль политики.
чтобы разрешить доступ, выполните:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:openvpn_etc_t:s0
Target Objects                 [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.4.10-1.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-179.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.15.6-200.fc20.x86_64 #1 SMP Fri
                              Jul 18 02:36:27 UTC 2014 x86_64 x86_64
Alert Count                   11
First Seen                    2014-07-28 13:15:36 YEKT
Last Seen                     2014-08-03 03:42:05 YEKT
Local ID                      0657c831-986d-4ce6-b3d1-27d3e991408c

Raw Audit Messages
type=AVC msg=audit(1407015725.362:1058): avc:  denied  { search } for  pid=2780 comm="httpd" name="openvpn" dev="dm-0" ino=3932242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=dir

type=SYSCALL msg=audit(1407015725.362:1058): arch=x86_64 syscall=stat success=no exit=ENOENT a0=7ff413da9b90 a1=7ffff4185730 a2=7ffff4185730 a3=0 items=0 ppid=1405 pid=2780 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,openvpn_etc_t,dir,search

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.15.6-200.fc20.x86_64
type:           libreport

Potential duplicate: bug 817333

Comment 1 Miroslav Grepl 2014-08-04 06:42:58 UTC
Did it happen by default or did you setup apache module?

Comment 2 cutnioff 2014-08-04 08:07:54 UTC
I didn't setup modules manually. So I can tell: by default.
(In reply to Miroslav Grepl from comment #1)
> Did it happen by default or did you setup apache module?

Comment 3 Miroslav Grepl 2014-09-01 17:33:57 UTC
Did everything work correctly?

Comment 4 Daniel Walsh 2014-09-03 09:34:53 UTC
Apache searches everywhere somewhat randomly, never quite figured out why,  In F21/Rawhide we allow httpd to search all directories, since apache content could be anywhere, I think we should just allow this

Comment 5 Lukas Vrabec 2014-09-03 12:48:49 UTC
Fix is included in actual stable build. 

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t openvpn_etc_t:dir search;

Comment 6 cutnioff 2014-11-25 11:03:40 UTC
This message clear anactual needinfo reqs.

Note You need to log in before you can comment on or make changes to this bug.