Bug 256421 - SELinux is preventing the /usr/sbin/httpd from using potentially mislabeled files mibs (usr_t)
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All
OS: All
medium
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2007-08-27 13:47 UTC by Stephanos Manos
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-09-13 13:50:06 UTC

Description Stephanos Manos 2007-08-27 13:47:06 UTC
Description of problem:
When starting httpd I get the following alert:
Summary
    SELinux is preventing the /usr/sbin/httpd from using potentially mislabeled
    files mibs (usr_t).

Detailed Description
    SELinux has denied the /usr/sbin/httpd access to potentially mislabeled
    files mibs.  This means that SELinux will not allow http to use these files.
    Many third party apps install html files in directories that SELinux policy
    can not predict.  These directories have to be labeled with a file context
    which httpd can accesss.

Allowing Access
    If you want to change the file context of mibs so that the httpd daemon can
    access it, you need to execute it using chcon -t httpd_sys_content_t mibs.
    You can look at the httpd_selinux man page for additional information.

Additional Information        

Source Context                user_u:system_r:httpd_t
Target Context                system_u:object_r:usr_t
Target Objects                mibs [ dir ]
Affected RPM Packages         httpd-2.2.4-4.1.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-38.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.httpd_bad_labels
Host Name                     viper.myhome-net.net
Platform                      Linux viper.myhome-net.net 2.6.22.4-65.fc7 #1 SMP
                              Tue Aug 21 22:36:56 EDT 2007 i686 i686
Alert Count                   3
First Seen                    Wed 22 Aug 2007 03:08:01 AM EEST
Last Seen                     Mon 27 Aug 2007 01:36:48 PM EEST
Local ID                      bd280476-d164-4641-af73-b03804fe43d1
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm="httpd" dev=dm-0 egid=0 euid=0
exe="/usr/sbin/httpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="mibs"
pid=3821 scontext=user_u:system_r:httpd_t:s0 sgid=0
subj=user_u:system_r:httpd_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0


Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-38.fc7

How reproducible:
Always
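
An added example (not part of the bug report or of selinux-policy): a small Python parser for raw AVC messages like the one in the description above, which extracts the source and target types and tallies denials. The function names and the second sample line are constructed for illustration.

```python
import re
from collections import Counter

# The denial from the report above, rejoined onto one line.
PAGE_AVC = (
    'avc: denied { write } for comm="httpd" dev=dm-0 egid=0 euid=0 '
    'exe="/usr/sbin/httpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="mibs" '
    'pid=3821 scontext=user_u:system_r:httpd_t:s0 sgid=0 '
    'subj=user_u:system_r:httpd_t:s0 suid=0 tclass=dir '
    'tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0'
)
# Constructed line (not from the report) to exercise the "granted" path.
CONSTRUCTED_GRANTED = (
    'avc: granted { read } for comm="httpd" name="index.html" '
    'scontext=user_u:system_r:httpd_t:s0 tclass=file '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0'
)

_HEAD = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', re.S)
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Return a dict for one AVC record, or None if text is not an AVC message."""
    m = _HEAD.search(text)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(m.group(3))}
    rec = {
        "result": m.group(1),
        "perms": tuple(m.group(2).split()),
        "fields": fields,
    }
    # Contexts are user:role:type[:level]; the type is the third field.
    for key in ("scontext", "tcontext"):
        parts = fields.get(key, "").split(":")
        rec[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec

def summarize_denials(lines):
    """Count denials by (source type, target type, class, permissions)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            counts[(rec["scontext_type"], rec["tcontext_type"],
                    rec["fields"].get("tclass"), rec["perms"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize_denials([PAGE_AVC, CONSTRUCTED_GRANTED, PAGE_AVC]).items():
        print(n, *key)
```
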

Comment 1 Stephanos Manos 2007-08-27 13:54:40 UTC
Same error message with selinux-policy-2.6.4-40.fc7 from updates-testing

Comment 2 Daniel Walsh 2007-08-27 13:59:44 UTC
Fixed in selinux-policy-2.6.4-41.fc7

Comment 3 Stephanos Manos 2007-09-08 11:26:57 UTC
Updated to selinux-policy-2.6.4-41.fc7 from updates-testing.
It seems to be fixed.

But the new policy gives the following error

/etc/selinux/targeted/contexts/files/file_contexts: Multiple different
specifications for /usr/local/Brother/lpd(/.*)? 
(system_u:object_r:cupsd_exec_t:s0 and system_u:object_r:bin_t:s0).

Should I open a new bz for this?

Comment 4 Daniel Walsh 2007-09-11 19:06:09 UTC
No, I am putting out 42 to fix this.  Thanks for catching it.

Comment 5 Stephanos Manos 2007-09-13 06:41:53 UTC
Fixed.

