Bug 284361 - SELinux is preventing /usr/sbin/httpd (httpd_t) "sys_nice" access to <Unknown> (httpd_t)
SELinux is preventing /usr/sbin/httpd (httpd_t) "sys_nice" access to <Unknow...
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.0
All Linux
medium Severity urgent
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-09-10 04:45 EDT by manoj
Modified: 2008-03-05 17:01 EST (History)
1 user (show)

See Also:
Fixed In Version: 5.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-03-05 17:01:55 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description manoj 2007-09-10 04:45:19 EDT
How reproducible:

On a Enterprise RHEL5 Server with SELinux policy targeted(21) enabled in
enfoecing mode when i start/stop/restart httpd (/etc/init.d/httpd start/stop)
I get the below alert.

Summary
    SELinux is preventing /usr/sbin/httpd (httpd_t) "sys_nice" access to
    <Unknown> (httpd_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/httpd. It is not expected that
    this access is required by /usr/sbin/httpd and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.
    Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
    package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown>. There is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
    disable SELinux protection entirely for the application. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "httpd_disable_trans" boolean to true will disable SELinux
    protection this application: "setsebool -P httpd_disable_trans=1."

    The following command will allow this access:
    setsebool -P httpd_disable_trans=1

Additional Information        

Source Context                root:system_r:httpd_t
Target Context                root:system_r:httpd_t
Target Objects                None [ capability ]
Affected RPM Packages         httpd-2.2.3-6.el5 [application]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     Rhel5.test.com
Platform                      Linux Rhel5.test.com 2.6.18-8.el5 #1 SMP Fri Jan
                              26 14:15:14 EST 2007 x86_64 x86_64
Alert Count                   2
Line Numbers                  

Raw Audit Messages            

avc: denied { sys_nice } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd"
exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=8682 scontext=root:system_r:httpd_t:s0
sgid=0 subj=root:system_r:httpd_t:s0 suid=0 tclass=capability
tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0



Additional info:
Comment 1 Daniel Walsh 2007-09-11 08:47:07 EDT
Fixed in selinux-policy-2.4.6-89.el5

This is the U1 policy.  

Preview release available on http://people.redhat.com/dwalsh/SELinux/RHEL5

Note You need to log in before you can comment on or make changes to this bug.