Bug 1322650 - SELinux blocks Lighttpd when running as a systemd user service
Summary: SELinux blocks Lighttpd when running as a systemd user service
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-03-31 01:08 UTC by Audrey Yeena Toskin
Modified: 2016-04-01 09:39 UTC
CC List: 5 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-04-01 09:39:36 UTC
Type: Bug
Embargoed:



Description Audrey Yeena Toskin 2016-03-31 01:08:32 UTC
## My system setup:

I'm using lighttpd 1.4.39 on Fedora 23 (64-bit). I have selinux-policy 3.13.1.

Lighttpd uses a very simple config file, meant to just serve static web pages, on port 3000.


## My use case:

I'm only using Lighttpd on my desktop to test static web pages before I push them to my web host.

I *could* call Lighttpd directly from the terminal, but either I let the process daemonize, in which case I have to `ps | grep` for the process id to kill lighttpd when I'm done -- or I prevent it from daemonizing, and then open an extra terminal while I'm working.

I like being able to simply start and stop lighttpd using systemctl instead. And I created a user service file (a .service file in ~/.config/systemd/user/) so that I wouldn't have to enter my sudo passphrase every time.


## The problem

Starting lighttpd directly on the command line, or starting the system service file, seems to work fine. But starting the user service file is blocked by SELinux:


SELinux is preventing lighttpd from read access on the file lighttpd.conf.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow lighttpd to have read access on the lighttpd.conf file
Then you need to change the label on lighttpd.conf
Do
# semanage fcontext -a -t FILE_TYPE 'lighttpd.conf'
where FILE_TYPE is one of the following: ...
Then execute: 
restorecon -v 'lighttpd.conf'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that lighttpd should be allowed read access on the lighttpd.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep lighttpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:mnt_t:s0
Target Objects                lighttpd.conf [ file ]
Source                        lighttpd
Source Path                   lighttpd
Port                          <Unknown>
Host                          desktop
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-158.11.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     desktop
Platform                      Linux desktop 4.4.6-300.fc23.x86_64 #1 SMP Wed
                              Mar 16 22:10:37 UTC 2016 x86_64 x86_64
Alert Count                   16
First Seen                    2016-03-30 17:30:56 PDT
Last Seen                     2016-03-30 17:32:14 PDT
Local ID                      9a78527f-7994-461c-b95a-430daabf82c5

Raw Audit Messages
type=AVC msg=audit(1459384334.754:523): avc:  denied  { read } for  pid=31088 comm="lighttpd" name="lighttpd.conf" dev="sdd1" ino=32899336 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file permissive=0


Hash: lighttpd,httpd_t,mnt_t,file,read

Comment 1 Lukas Vrabec 2016-03-31 08:47:29 UTC
Hi,

If you want to use lighttpd with the proper SELinux context, you need to start the service using systemctl.
To fix this issue you need to set up the proper SELinux context on the lighttpd.conf file.

Where is the lighttpd.conf file stored in your case?

Thank you.

Comment 2 Audrey Yeena Toskin 2016-03-31 22:45:37 UTC
I *am* starting Lighttpd with systemctl, as a user service file.

lighttpd.conf is in the same directory where I write my static website templates, on a secondary internal hard drive mounted under /media.

Comment 3 Lukas Vrabec 2016-04-01 09:39:36 UTC
I see,

The problem here is that you need to change the context of the lighttpd.conf file.

Please run:
# semanage fcontext -a -t httpd_config_t /PATHTO/lighttpd.conf
# restorecon -v /PATHTO/lighttpd.conf

Also, your website templates should have httpd_sys_content_t context.

Closing as NOTABUG.
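The triage and remedy from comment 3, as an added shell example that is not part of the bug report: it parses a raw AVC line like the one in the description, flags an httpd_t file denial whose target is not an httpd type as a labelling problem rather than a policy bug, and emits the semanage/restorecon commands for a config file or a content directory. The sample path /media/site is a constructed placeholder; the AVC line is the one quoted above.

```shell
#!/bin/sh
# Added example, not from the bug report. Works on the raw audit line only,
# so it runs on a machine without SELinux.

# Raw AVC message quoted in the description above.
SAMPLE_AVC='type=AVC msg=audit(1459384334.754:523): avc:  denied  { read } for  pid=31088 comm="lighttpd" name="lighttpd.conf" dev="sdd1" ino=32899336 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:mnt_t:s0 tclass=file permissive=0'

# Type component (third field) of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Value of a key=value field in an audit line, with surrounding quotes removed.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[ (]$1=\([^ ]*\).*/\1/p" | tr -d '"'
}

# Decide what the denial means for a defender. httpd_t reading a file that
# carries a generic type such as mnt_t is the file being mislabelled (the
# NOTABUG outcome above); a target already in an httpd type would point at
# policy instead.
classify_denial() {
    cd_stype=$(ctx_type "$(avc_field scontext "$1")")
    cd_ttype=$(ctx_type "$(avc_field tcontext "$1")")
    cd_class=$(avc_field tclass "$1")
    cd_name=$(avc_field name "$1")
    if [ "$cd_stype" = httpd_t ] && [ "$cd_class" = file ]; then
        case "$cd_ttype" in
            httpd_config_t|httpd_sys_content_t|httpd_sys_rw_content_t)
                echo "policy:$cd_name:$cd_ttype" ;;
            *)  echo "relabel:$cd_name:$cd_ttype" ;;
        esac
    else
        echo "other:$cd_stype:$cd_ttype:$cd_class"
    fi
}

# Relabel commands from comment 3: httpd_config_t for the config file,
# httpd_sys_content_t (recursively) for the directory of static pages.
relabel_cmds() {
    case "$2" in
        config)  printf 'semanage fcontext -a -t httpd_config_t "%s"\nrestorecon -v "%s"\n' "$1" "$1" ;;
        content) printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\nrestorecon -Rv "%s"\n' "$1" "$1" ;;
        *)       echo "unknown kind: $2" >&2; return 1 ;;
    esac
}

classify_denial "$SAMPLE_AVC"          # relabel:lighttpd.conf:mnt_t
relabel_cmds /media/site/lighttpd.conf config
relabel_cmds /media/site content
```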

