Description of problem:
Lighttpd should be allowed to create socket in /var/lib/lighttpd/sockets.

SELinux is preventing /usr/sbin/lighttpd from 'create' accesses on the sock_file mirdesign.sock-0.

***** Plugin catchall (100. confidence) suggests **************************

If vous pensez que lighttpd devrait être autorisé à accéder create sur mirdesign.sock-0 sock_file par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep lighttpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:httpd_var_lib_t:s0
Target Objects                mirdesign.sock-0 [ sock_file ]
Source                        lighttpd
Source Path                   /usr/sbin/lighttpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.3.5-300.fc23.x86_64 #1 SMP Mon Feb 1 03:18:41 UTC 2016 x86_64 x86_64
Alert Count                   4
First Seen                    2016-02-20 00:35:38 EST
Last Seen                     2016-02-20 00:42:54 EST
Local ID                      88228f11-e43a-4409-b59e-2e5fe3998043

Raw Audit Messages
type=AVC msg=audit(1455946974.142:970): avc: denied { create } for pid=1962 comm="lighttpd" name="mirdesign.sock-0" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_var_lib_t:s0 tclass=sock_file permissive=0

type=SYSCALL msg=audit(1455946974.142:970): arch=x86_64 syscall=bind success=no exit=EACCES a0=5 a1=7ffe385e5100 a2=2c a3=ffffffff items=0 ppid=1 pid=1962 auid=4294967295 uid=970 gid=967 euid=970 suid=970 fsuid=970 egid=967 sgid=967 fsgid=967 tty=(none) ses=4294967295 comm=lighttpd exe=/usr/sbin/lighttpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: lighttpd,httpd_t,httpd_var_lib_t,sock_file,create

Additional info:
reporter: libreport-2.6.4
hashmarkername: setroubleshoot
kernel: 4.3.5-300.fc23.x86_64
type: libreport
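Added example, not part of the original report and not code from setroubleshoot or lighttpd: a small parser that pairs the AVC and SYSCALL records above by their shared audit serial (970) and reduces them to the facts needed for triage, namely which syscall failed and which source type was denied which permission on which target type. The function names are hypothetical; the sample input is the two raw audit records quoted in the report.

```python
import re

# The two raw audit records from the report above (same event, serial 970).
SAMPLE = '''type=AVC msg=audit(1455946974.142:970): avc: denied { create } for pid=1962 comm="lighttpd" name="mirdesign.sock-0" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_var_lib_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1455946974.142:970): arch=x86_64 syscall=bind success=no exit=EACCES a0=5 a1=7ffe385e5100 a2=2c a3=ffffffff items=0 ppid=1 pid=1962 auid=4294967295 uid=970 gid=967 euid=970 suid=970 fsuid=970 egid=967 sgid=967 fsgid=967 tty=(none) ses=4294967295 comm=lighttpd exe=/usr/sbin/lighttpd subj=system_u:system_r:httpd_t:s0 key=(null)
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit serial and merge each AVC with its SYSCALL record."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events.setdefault(serial, {})
        if rtype == 'AVC':
            p = PERMS.search(body)
            if p:
                ev['result'], ev['perms'] = p.group(1), p.group(2).split()
                for key in ('comm', 'name', 'scontext', 'tcontext', 'tclass'):
                    ev[key] = fields.get(key)
        elif rtype == 'SYSCALL':
            for key in ('syscall', 'exit', 'exe'):
                ev[key] = fields.get(key)
    # Keep only events that actually contained an AVC decision.
    return [e for e in events.values() if 'perms' in e]

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(':')[2]

def summarize(ev):
    perms = ' '.join(ev['perms'])
    return (f"{ev.get('exe') or ev['comm']}: {ev.get('syscall', '?')}() "
            f"{ev['result']} {{{perms}}} on {ev['tclass']} {ev['name']!r}: "
            f"{selinux_type(ev['scontext'])} -> {selinux_type(ev['tcontext'])}")

if __name__ == '__main__':
    for ev in parse_events(SAMPLE):
        print(summarize(ev))
```

The summary shows the denial is a bind() by httpd_t creating a sock_file in a directory labelled httpd_var_lib_t, which is the socket-location question the comments below discuss.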
No reason to block this, although sock files should really go under /run rather than in /var/lib.
In the default configuration, sockets end up in home_dir + "/sockets" rather than state_dir + "/sockets". SELinux seems fine for sockets in /var/run/lighttpd/sockets.
Right so we should fix lighttpd to put its sockets into /run by default.
Created attachment 1129597: Patch for lighttpd.conf
That's the best thing to do!
Hi, As Dan wrote, this is more a lighttpd issue than an SELinux policy issue. Could you move sockets into /run by default? Thank you!
Just a rectification: sockets should end up in '/run/lighttpd/sockets', and I would advise moving 'lighttpd.pid' to '/run/lighttpd' for more consistency.