Description of problem:
I just started caddy.
SELinux is preventing caddy from 'read' accesses on the file /proc/sys/net/core/somaxconn.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that caddy should be allowed read access on the somaxconn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'caddy' --raw | audit2allow -M my-caddy
# semodule -X 300 -i my-caddy.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:sysctl_net_t:s0
Target Objects                /proc/sys/net/core/somaxconn [ file ]
Source                        caddy
Source Path                   caddy
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-36.14-1.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.14-1.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.19.4-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Aug 25 17:42:04 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-08-31 02:34:49 CDT
Last Seen                     2022-08-31 02:34:49 CDT
Local ID                      151f5189-44ee-4e43-94f2-5b1fe1d77c3b

Raw Audit Messages
type=AVC msg=audit(1661931289.0:328): avc:  denied  { read } for  pid=1907 comm="caddy" name="somaxconn" dev="proc" ino=30819 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0

Hash: caddy,httpd_t,sysctl_net_t,file,read

Version-Release number of selected component:
selinux-policy-targeted-36.14-1.fc36.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.2
hashmarkername: setroubleshoot
kernel:         5.19.4-200.fc36.x86_64
type:           libreport
Full denials:

----
type=PROCTITLE msg=audit(08/31/2022 07:28:15.374:315) : proctitle=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
type=PATH msg=audit(08/31/2022 07:28:15.374:315) : item=0 name=/proc/sys/net/core/somaxconn inode=18051 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(08/31/2022 07:28:15.374:315) : cwd=/
type=SYSCALL msg=audit(08/31/2022 07:28:15.374:315) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0xc00036e160 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1677 auid=unset uid=caddy gid=caddy euid=caddy suid=caddy fsuid=caddy egid=caddy sgid=caddy fsgid=caddy tty=(none) ses=unset comm=caddy exe=/usr/bin/caddy subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(08/31/2022 07:28:15.374:315) : avc:  denied  { read } for  pid=1677 comm=caddy name=somaxconn dev="proc" ino=18051 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
----
type=PROCTITLE msg=audit(08/31/2022 07:29:44.819:320) : proctitle=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
type=PATH msg=audit(08/31/2022 07:29:44.819:320) : item=0 name=/proc/sys/net/core/somaxconn inode=18051 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(08/31/2022 07:29:44.819:320) : cwd=/
type=SYSCALL msg=audit(08/31/2022 07:29:44.819:320) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0xc00028f480 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1759 auid=unset uid=caddy gid=caddy euid=caddy suid=caddy fsuid=caddy egid=caddy sgid=caddy fsgid=caddy tty=(none) ses=unset comm=caddy exe=/usr/bin/caddy subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(08/31/2022 07:29:44.819:320) : avc:  denied  { open } for  pid=1759 comm=caddy path=/proc/sys/net/core/somaxconn dev="proc" ino=18051 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
There are 2 services in the caddy package:

# rpm -ql caddy | grep service
/usr/lib/systemd/system/caddy-api.service
/usr/lib/systemd/system/caddy.service
#

Both of them trigger the same SELinux denials.

Enforcing mode:
----
type=PROCTITLE msg=audit(09/05/2022 15:03:21.222:435) : proctitle=/usr/bin/caddy run --environ --resume
type=PATH msg=audit(09/05/2022 15:03:21.222:435) : item=0 name=/proc/sys/net/core/somaxconn inode=28391 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/05/2022 15:03:21.222:435) : cwd=/
type=SYSCALL msg=audit(09/05/2022 15:03:21.222:435) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0xc00029cda0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1816 auid=unset uid=caddy gid=caddy euid=caddy suid=caddy fsuid=caddy egid=caddy sgid=caddy fsgid=caddy tty=(none) ses=unset comm=caddy exe=/usr/bin/caddy subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(09/05/2022 15:03:21.222:435) : avc:  denied  { read } for  pid=1816 comm=caddy name=somaxconn dev="proc" ino=28391 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
----

Permissive mode:
----
type=PROCTITLE msg=audit(09/05/2022 15:03:53.634:444) : proctitle=/usr/bin/caddy run --environ --resume
type=PATH msg=audit(09/05/2022 15:03:53.634:444) : item=0 name=/proc/sys/net/core/somaxconn inode=28391 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_net_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/05/2022 15:03:53.634:444) : cwd=/
type=SYSCALL msg=audit(09/05/2022 15:03:53.634:444) : arch=x86_64 syscall=openat success=yes exit=8 a0=AT_FDCWD a1=0xc000098c80 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=1856 auid=unset uid=caddy gid=caddy euid=caddy suid=caddy fsuid=caddy egid=caddy sgid=caddy fsgid=caddy tty=(none) ses=unset comm=caddy exe=/usr/bin/caddy subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(09/05/2022 15:03:53.634:444) : avc:  denied  { open } for  pid=1856 comm=caddy path=/proc/sys/net/core/somaxconn dev="proc" ino=28391 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(09/05/2022 15:03:53.634:444) : avc:  denied  { read } for  pid=1856 comm=caddy name=somaxconn dev="proc" ino=28391 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
----

# rpm -qa selinux\* caddy\* | sort
caddy-2.4.6-4.fc36.x86_64
selinux-policy-36.14-1.fc36.noarch
selinux-policy-devel-36.14-1.fc36.noarch
selinux-policy-targeted-36.14-1.fc36.noarch
#
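The following is an added example, not part of this bug report and not the code of audit2allow or selinux-policy. It does by hand the core of what the `ausearch --raw | audit2allow -M my-caddy` workflow from the first comment does: parse AVC records, merge the denied permissions per (source type, target type, class) and print a Type Enforcement module. It also shows why the enforcing-mode and permissive-mode captures in the previous comment differ: with enforcing on, only the first failed check (`read`) is logged and the `openat` fails, so a module built from that log alone would miss `open`; with permissive on, the syscall continues and both `open` and `read` are logged. The sample audit text is constructed here from the records quoted above (the raw epoch-stamped setroubleshoot form and the interpreted `ausearch -i` form); the module name `my-caddy` is the one the report uses.

```python
import re
from collections import defaultdict

# Constructed sample input (copied from the records quoted in this report):
# one raw-format AVC from enforcing mode, plus a SYSCALL and two AVCs in the
# interpreted `ausearch -i` format from permissive mode.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1661931289.0:328): avc:  denied  { read } for  pid=1907 comm="caddy" name="somaxconn" dev="proc" ino=30819 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(09/05/2022 15:03:53.634:444) : arch=x86_64 syscall=openat success=yes exit=8 comm=caddy exe=/usr/bin/caddy subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(09/05/2022 15:03:53.634:444) : avc:  denied  { open } for  pid=1856 comm=caddy path=/proc/sys/net/core/somaxconn dev="proc" ino=28391 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(09/05/2022 15:03:53.634:444) : avc:  denied  { read } for  pid=1856 comm=caddy name=somaxconn dev="proc" ino=28391 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
"""

# Matches both the raw and the `ausearch -i` spelling of an AVC denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(text):
    """Extract denials from audit text; non-AVC records are ignored."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if "type=AVC" not in line or not m:
            continue
        denials.append({
            "perms": set(m.group("perms").split()),
            "source": context_type(m.group("scontext")),
            "target": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1",
        })
    return denials


def merge_rules(denials):
    """Union the denied permissions per (source, target, class) triple."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return dict(rules)


def permissive_only_perms(denials):
    """Permissions that were logged only while permissive=1, i.e. the ones
    an enforcing-mode capture would have missed."""
    seen = {True: set(), False: set()}
    for d in denials:
        seen[d["permissive"]] |= d["perms"]
    return seen[True] - seen[False]


def te_module(name, rules, version="1.0"):
    """Render a .te module in the same shape audit2allow -M produces."""
    types = sorted({t for (src, tgt, _) in rules for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
              for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AUDIT)
    print(te_module("my-caddy", merge_rules(denials)))
    print("# logged only in permissive mode:",
          sorted(permissive_only_perms(denials)))
```

The generated `my-caddy.te` would then go through `checkmodule -M -m`, `semodule_package` and `semodule -i` exactly as the `.pp` from audit2allow does. A raw `allow httpd_t sysctl_net_t:file { open read };` is fine as a local workaround; for the distribution policy the usual approach is the matching reference-policy interface (for network sysctls, `kernel_read_net_sysctls()`), but this page does not say which change the shipped update actually made.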
FEDORA-2022-096f7730be has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be
FEDORA-2022-096f7730be has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-096f7730be` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-096f7730be See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-096f7730be has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.