Bug 256421 - SELinux is preventing the /usr/sbin/httpd from using potentially mislabeled files mibs (usr_t)
Summary: SELinux is preventing the /usr/sbin/httpd from using potentially mislabeled f...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
(Show other bugs)
Version: 7
Hardware: All
OS: All
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2007-08-27 13:47 UTC by Stephanos Manos
Modified: 2007-11-30 22:12 UTC (History)
0 users

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-09-13 13:50:06 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Stephanos Manos 2007-08-27 13:47:06 UTC
Description of problem:
when starting httpd i get the following allert
    SELinux is preventing the /usr/sbin/httpd from using potentially mislabeled
    files mibs (usr_t).

Detailed Description
    SELinux has denied the /usr/sbin/httpd access to potentially mislabeled
    files mibs.  This means that SELinux will not allow http to use these files.
    Many third party apps install html files in directories that SELinux policy
    can not predict.  These directories have to be labeled with a file context
    which httpd can accesss.

Allowing Access
    If you want to change the file context of mibs so that the httpd daemon can
    access it, you need to execute it using chcon -t httpd_sys_content_t mibs.
    You can look at the httpd_selinux man page for additional information.

Additional Information        

Source Context                user_u:system_r:httpd_t
Target Context                system_u:object_r:usr_t
Target Objects                mibs [ dir ]
Affected RPM Packages         httpd-2.2.4-4.1.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-38.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.httpd_bad_labels
Host Name                     viper.myhome-net.net
Platform                      Linux viper.myhome-net.net #1 SMP
                              Tue Aug 21 22:36:56 EDT 2007 i686 i686
Alert Count                   3
First Seen                    Wed 22 Aug 2007 03:08:01 AM EEST
Last Seen                     Mon 27 Aug 2007 01:36:48 PM EEST
Local ID                      bd280476-d164-4641-af73-b03804fe43d1
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm="httpd" dev=dm-0 egid=0 euid=0
exe="/usr/sbin/httpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="mibs"
pid=3821 scontext=user_u:system_r:httpd_t:s0 sgid=0
subj=user_u:system_r:httpd_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):

How reproducible:

Comment 1 Stephanos Manos 2007-08-27 13:54:40 UTC
Same error message with selinux-policy-2.6.4-40.fc7 from updates-testing

Comment 2 Daniel Walsh 2007-08-27 13:59:44 UTC
Fixed in selinux-policy-2.6.4-41.fc7

Comment 3 Stephanos Manos 2007-09-08 11:26:57 UTC
updated to selinux-policy-2.6.4-41.fc7 from updates-testing.
It seems to be fixed.

But the new policy gives the following error

/etc/selinux/targeted/contexts/files/file_contexts: Multiple different
specifications for /usr/local/Brother/lpd(/.*)? 
(system_u:object_r:cupsd_exec_t:s0 and system_u:object_r:bin_t:s0).

Should i open a new bz for this?

Comment 4 Daniel Walsh 2007-09-11 19:06:09 UTC
No I am putting out 42 to fix this.  Thanks for catching it.

Comment 5 Stephanos Manos 2007-09-13 06:41:53 UTC

Note You need to log in before you can comment on or make changes to this bug.