How reproducible: On an Enterprise RHEL5 Server with SELinux policy targeted(21) enabled in enforcing mode, when I start/stop/restart httpd (/etc/init.d/httpd start/stop) I get the below alert.

Summary
SELinux is preventing /usr/sbin/httpd (httpd_t) "sys_nice" access to <Unknown> (httpd_t).

Detailed Description
SELinux denied access requested by /usr/sbin/httpd. It is not expected that this access is required by /usr/sbin/httpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown>. There is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can disable SELinux protection entirely for the application. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Changing the "httpd_disable_trans" boolean to true will disable SELinux protection this application: "setsebool -P httpd_disable_trans=1."

The following command will allow this access:
setsebool -P httpd_disable_trans=1

Additional Information
Source Context         root:system_r:httpd_t
Target Context         root:system_r:httpd_t
Target Objects         None [ capability ]
Affected RPM Packages  httpd-2.2.3-6.el5 [application]
Policy RPM             selinux-policy-2.4.6-30.el5
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Enforcing
Plugin Name            plugins.disable_trans
Host Name              Rhel5.test.com
Platform               Linux Rhel5.test.com 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:14 EST 2007 x86_64 x86_64
Alert Count            2
Line Numbers

Raw Audit Messages
avc: denied { sys_nice } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=8682 scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0 suid=0 tclass=capability tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0

Additional info:
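The alert above offers two ways forward: the broad httpd_disable_trans boolean, which removes confinement from httpd altogether, or a local policy module that grants only the one denied permission. This added example (not from the report or from Red Hat's tools) parses the raw AVC line shown above and emits the narrow `allow` rule and .te source that the FAQ's local-module route would use; the module name `localhttpd` is an assumed placeholder.

```python
import re

# Raw AVC denial copied from the report above, used here as the sample input.
AVC_LINE = (
    'avc: denied { sys_nice } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" '
    'exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=8682 scontext=root:system_r:httpd_t:s0 '
    'sgid=0 subj=root:system_r:httpd_t:s0 suid=0 tclass=capability '
    'tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0'
)
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (denied permissions, key=value fields) from one AVC denial line."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial: %r' % line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return m.group('perms').split(), fields

def context_type(ctx):
    """user:role:type[:range] -> type (the only part a TE rule refers to)."""
    return ctx.split(':')[2]

def allow_rule(line):
    """The narrowest TE rule that satisfies this denial (what audit2allow would emit)."""
    perms, f = parse_avc(line)
    src, tgt = context_type(f['scontext']), context_type(f['tcontext'])
    # For the capability class the target is the process itself, so the rule uses 'self'.
    target = 'self' if src == tgt else tgt
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (src, target, f['tclass'], perm_str)

def policy_module(lines, name='localhttpd'):
    """Build complete .te source for a local module from one or more AVC lines."""
    types, classes, rules = set(), {}, []
    for line in lines:
        perms, f = parse_avc(line)
        types.update({context_type(f['scontext']), context_type(f['tcontext'])})
        classes.setdefault(f['tclass'], set()).update(perms)
        rule = allow_rule(line)
        if rule not in rules:          # repeated denials yield one rule
            rules.append(rule)
    te = ['module %s 1.0;' % name, '', 'require {']
    te += ['\ttype %s;' % t for t in sorted(types)]
    te += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    te += ['}', ''] + rules
    return '\n'.join(te) + '\n'
```

The resulting .te file is compiled and loaded with the usual checkmodule -M -m, semodule_package and semodule -i steps; compared with setting httpd_disable_trans, this keeps httpd confined and adds only the sys_nice capability the audit log actually reported.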
Fixed in selinux-policy-2.4.6-89.el5. This is the U1 policy. Preview release available on http://people.redhat.com/dwalsh/SELinux/RHEL5