Summary:

SELinux is preventing /usr/bin/mono from using potentially mislabeled files inotify.

Detailed Description:

SELinux has denied the mono access to potentially mislabeled files inotify. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types: var_run_t, public_content_t, sysctl_kernel_t, httpd_modules_t, mailman_archive_t, httpd_var_lib_t, httpd_var_run_t, var_lock_t, bin_t, cert_t, httpd_t, lib_t, mnt_t, tmp_t, usr_t, var_t, public_content_rw_t, nagios_etc_t, mailman_data_t, squirrelmail_spool_t, fonts_cache_t, httpd_rw_content, device_t, devpts_t, locale_t, etc_t, fonts_t, httpd_ro_content, proc_t, src_t, sysfs_t, tmpfs_t, calamaris_www_t, httpd_cache_t, httpd_tmpfs_t, iso9660_t, httpd_config_t, abrt_t, httpdcontent, var_lib_t, var_run_t, lib_t, root_t, configfile, udev_tbl_t, sysctl_crypto_t, httpd_tmp_t, mysqld_etc_t, cvs_data_t, dbusd_etc_t, httpd_squirrelmail_t, device_t, etc_t, var_log_t, httpd_w3c_validator_content_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t, httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t, httpd_git_content_t, httpd_user_content_t, httpd_squid_content_ra_t, httpd_squid_content_rw_t, root_t, httpd_prewikka_content_t, httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t, nscd_var_run_t, httpd_apcupsd_cgi_content_t, httpd_apcupsd_cgi_content_ra_t, httpd_apcupsd_cgi_content_rw_t, httpd_nagios_script_exec_t, httpd_cvs_content_t, httpd_sys_content_t, httpd_sys_content_t, httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t, httpd_prewikka_content_ra_t, httpd_prewikka_content_rw_t, httpd_user_script_exec_t, device_t, devpts_t, httpd_bugzilla_content_t, httpd_awstats_content_ra_t, httpd_awstats_content_rw_t, httpd_bugzilla_script_exec_t, httpd_apcupsd_cgi_script_exec_t, httpd_squid_script_exec_t, httpd_w3c_validator_content_ra_t, httpd_w3c_validator_content_rw_t, device_t, devpts_t, httpd_nutups_cgi_content_t, httpd_awstats_content_t, httpd_sys_script_exec_t, httpd_user_content_ra_t, httpd_user_content_rw_t, httpd_git_script_exec_t, httpdcontent, httpd_cvs_script_exec_t, httpd_prewikka_script_exec_t, httpd_munin_content_ra_t, httpd_munin_content_rw_t, httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t, httpd_nutups_cgi_script_exec_t, httpd_nagios_content_ra_t, httpd_nagios_content_rw_t, httpd_nagios_content_t.

Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of inotify so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE 'inotify', where FILE_TYPE is one of the types listed above. You can look at the httpd_selinux man page for additional information.
Additional Information:

Source Context: unconfined_u:system_r:httpd_t:s0
Target Context: system_u:object_r:inotifyfs_t:s0
Target Objects: inotify [ dir ]
Source: mono
Source Path: /usr/bin/mono
Port: <Unknown>
Host: (removed)
Source RPM Packages: mono-core-2.4.3.1-1.fc12
Target RPM Packages:
Policy RPM: selinux-policy-3.6.32-73.fc12
Selinux Enabled: True
Policy Type: targeted
Enforcing Mode: Enforcing
Plugin Name: httpd_bad_labels
Host Name: (removed)
Platform: Linux (removed) 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18 19:52:07 UTC 2010 x86_64 x86_64
Alert Count: 595
First Seen: Sun 31 Jan 2010 08:35:44 PM EST
Last Seen: Sun 31 Jan 2010 08:46:58 PM EST
Local ID: 191e7f33-9570-4845-90e3-0fcc388ae8fe
Line Numbers:

Raw Audit Messages:

node=(removed) type=AVC msg=audit(1264988818.164:71493): avc: denied { read } for pid=16893 comm="mono" path="inotify" dev=inotifyfs ino=1 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1264988818.164:71493): arch=c000003e syscall=0 success=no exit=-13 a0=8 a1=7f24237a6020 a2=1000 a3=0 items=0 ppid=1 pid=16893 auid=500 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=1 comm="mono" exe="/usr/bin/mono" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Hash String generated from selinux-policy-3.6.32-73.fc12,httpd_bad_labels,mono,httpd_t,inotifyfs_t,dir,read

audit2allow suggests:

#============= httpd_t ==============
allow httpd_t inotifyfs_t:dir read;
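As an added example (not part of this report or of the selinux-policy package), a small Python helper that parses the raw AVC line above, reproduces the audit2allow-style rule, and flags that the target type inotifyfs_t labels a kernel pseudo-filesystem, so the semanage fcontext relabel the alert recommends cannot apply and the access has to be granted in policy, which is what the maintainers did. The set of pseudo-filesystem types is an assumption made for the example.

```python
import re

# Constructed sample: the AVC record from the report above (node= field dropped).
SAMPLE_AVC = (
    'type=AVC msg=audit(1264988818.164:71493): avc: denied { read } for pid=16893 '
    'comm="mono" path="inotify" dev=inotifyfs ino=1 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir'
)

# Assumed set of types that label kernel pseudo-filesystems. Objects with these
# types do not live on disk, so a file-context relabel cannot change them.
PSEUDO_FS_TYPES = {"inotifyfs_t", "proc_t", "sysfs_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Extract permissions, contexts, types and object class from one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["perms"] = fields["perms"].split()
    # A context is user:role:type:level; the type is the third component.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields


def suggest_rule(fields):
    """Render the same allow rule shape that audit2allow printed in the report."""
    perms = fields["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (fields["stype"], fields["ttype"], fields["tclass"], perm_text)


def classify(fields):
    """'policy' when the target cannot be relabeled, else 'relabel' (the alert's advice)."""
    return "policy" if fields["ttype"] in PSEUDO_FS_TYPES else "relabel"


if __name__ == "__main__":
    f = parse_avc(SAMPLE_AVC)
    print(suggest_rule(f), "->", classify(f))
```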
Are you running mono as a cgi?
mono is running through mod_mono; default configuration from RPM.
Miroslav, just add fs_list_inotifyfs(httpd_t)
Fixed in selinux-policy-3.6.32-81.fc12
selinux-policy-3.6.32-82.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-82.fc12
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-1492
selinux-policy-3.6.32-84.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.