Summary: SELinux is preventing /usr/bin/perl from using potentially mislabeled files /var/www. Detailed Description: SELinux has denied the editparams.cgi access to potentially mislabeled files /var/www. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, lib_t, mnt_t, root_t, public_content_t, usr_t, var_t, home_root_t, sysctl_crypto_t, mysqld_db_t, etc_runtime_t, mysqld_var_run_t, nscd_var_run_t, rpm_script_tmp_t, bin_t, device_t, lib_t, security_t, etc_t, tmp_t, usr_t, var_t, proc_t, default_t, public_content_rw_t, var_run_t, httpd_bugzilla_content_t, httpd_bugzilla_tmp_t, httpd_bugzilla_script_t, httpd_bugzilla_script_exec_t, httpd_log_t, device_t, etc_t, fonts_t, var_lib_t, var_run_t, configfile, httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t, var_log_t, setrans_var_run_t, net_conf_t, sysctl_t, bin_t, etc_runtime_t, lib_t, usr_t, device_t, locale_t, etc_t, proc_t, src_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access. Allowing Access: If you want to change the file context of /var/www so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE '/var/www'. where FILE_TYPE is one of the following: lib_t, mnt_t, root_t, public_content_t, usr_t, var_t, home_root_t, sysctl_crypto_t, mysqld_db_t, etc_runtime_t, mysqld_var_run_t, nscd_var_run_t, rpm_script_tmp_t, bin_t, device_t, lib_t, security_t, etc_t, tmp_t, usr_t, var_t, proc_t, default_t, public_content_rw_t, var_run_t, httpd_bugzilla_content_t, httpd_bugzilla_tmp_t, httpd_bugzilla_script_t, httpd_bugzilla_script_exec_t, httpd_log_t, device_t, etc_t, fonts_t, var_lib_t, var_run_t, configfile, httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t, var_log_t, setrans_var_run_t, net_conf_t, sysctl_t, bin_t, etc_runtime_t, lib_t, usr_t, device_t, locale_t, etc_t, proc_t, src_t. You can look at the httpd_selinux man page for additional information. Additional Information: Source Context system_u:system_r:httpd_bugzilla_script_t:SystemLo w Target Context system_u:object_r:httpd_sys_content_t:SystemLow Target Objects /var/www [ dir ] Source editparams.cgi Source Path /usr/bin/perl Port <Unknown> Host (removed) Source RPM Packages perl-5.10.0-82.fc12 Target RPM Packages httpd-2.2.14-1.fc12 Policy RPM selinux-policy-3.6.32-59.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name httpd_bad_labels Host Name (removed) Platform Linux (removed) 2.6.31.9-174.fc12.i686.PAE #1 SMP Mon Dec 21 06:04:56 UTC 2009 i686 i686 Alert Count 2 First Seen Mon 04 Jan 2010 08:41:21 PM EST Last Seen Mon 04 Jan 2010 08:41:42 PM EST Local ID e19dabe9-2575-4513-97b6-4befa8fd6fda Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1262655702.37:161): avc: denied { search } for pid=5980 comm="editparams.cgi" name="www" dev=dm-1 ino=24580 scontext=system_u:system_r:httpd_bugzilla_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir node=(removed) type=SYSCALL msg=audit(1262655702.37:161): arch=40000003 syscall=195 success=no exit=-13 a0=8c1554c a1=8ac50c0 a2=894ff4 a3=8ac5008 items=0 ppid=2074 pid=5980 auid=4294967295 uid=48 gid=488 euid=48 suid=48 fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=4294967295 comm="editparams.cgi" exe="/usr/bin/perl" subj=system_u:system_r:httpd_bugzilla_script_t:s0 key=(null) Hash String generated from selinux-policy-3.6.32-59.fc12,httpd_bad_labels,editparams.cgi,httpd_bugzilla_script_t,httpd_sys_content_t,dir,search audit2allow suggests: audit2allow is not installed.
Miroslav, Add gen_required(` type httpd_sys_content_t; ') tunable_policy(`httpd_builtin_scripting',` allow httpd_$1_script_t httpd_sys_content_t:dir search_dir_perms; ') to apache_content_template Might need this in F11 also.
John, You can add these rules for now using # grep avc /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Fixed in selinux-policy-3.6.32-67.fc12.noarch and also added to selinux-policy-3.6.12-93.fc11.noarch
selinux-policy-3.6.32-69.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0362
selinux-policy-3.6.32-69.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.