Περίληψη: SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files config.inc.php. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux has denied the httpd access to potentially mislabeled files config.inc.php. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, httpd_var_lib_t, httpd_var_run_t, squirrelmail_spool_t, httpd_lock_t, httpd_log_t, httpd_rw_content, httpd_cache_t, httpd_tmpfs_t, httpd_tmp_t, httpd_squirrelmail_t, httpd_squid_content_rw_t, root_t, httpd_apcupsd_cgi_content_rw_t, httpd_prewikka_content_rw_t, httpd_awstats_content_rw_t, httpd_w3c_validator_content_rw_t, httpd_user_content_rw_t, httpdcontent, httpd_munin_content_rw_t, httpd_bugzilla_content_rw_t, httpd_nagios_content_rw_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t, httpd_cvs_content_rw_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_rw_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access. Allowing Access: If you want to change the file context of config.inc.php so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE 'config.inc.php'. where FILE_TYPE is one of the following: httpd_var_lib_t, httpd_var_run_t, squirrelmail_spool_t, httpd_lock_t, httpd_log_t, httpd_rw_content, httpd_cache_t, httpd_tmpfs_t, httpd_tmp_t, httpd_squirrelmail_t, httpd_squid_content_rw_t, root_t, httpd_apcupsd_cgi_content_rw_t, httpd_prewikka_content_rw_t, httpd_awstats_content_rw_t, httpd_w3c_validator_content_rw_t, httpd_user_content_rw_t, httpdcontent, httpd_munin_content_rw_t, httpd_bugzilla_content_rw_t, httpd_nagios_content_rw_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t, httpd_cvs_content_rw_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_rw_t. You can look at the httpd_selinux man page for additional information. Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:usr_t:s0 Target Objects config.inc.php [ file ] Source httpd Source Path /usr/sbin/httpd Θύρα <Άγνωστο> Host (removed) Source RPM Packages httpd-2.2.14-1.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-84.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name httpd_bad_labels Host Name (removed) Platform Linux (removed) 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18 19:52:07 UTC 2010 x86_64 x86_64 Alert Count 2 First Seen Δευ 15 Φεβ 2010 06:58:09 πμ EET Last Seen Δευ 15 Φεβ 2010 06:58:09 πμ EET Local ID 3e6f42b1-4d7e-45ef-8ee1-0d7da9237d5a Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1266209889.555:45): avc: denied { create } for pid=2834 comm="httpd" name="config.inc.php" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file node=(removed) type=AVC msg=audit(1266209889.555:45): avc: denied { write } for pid=2834 comm="httpd" name="config.inc.php" dev=dm-1 ino=28574156 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1266209889.555:45): arch=c000003e syscall=2 success=yes exit=13 a0=7f6ca861a9f8 a1=241 a2=1b6 a3=6e6f632f6769666e items=0 ppid=2569 pid=2834 auid=4294967295 uid=48 gid=493 euid=48 suid=48 fsuid=48 egid=493 sgid=493 fsgid=493 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) Hash String generated from httpd_bad_labels,httpd,httpd_t,usr_t,file,create audit2allow suggests: #============= httpd_t ============== allow httpd_t usr_t:file { write create };
*** Bug 565513 has been marked as a duplicate of this bug. ***
Where is config.inc.php file located ?
It's located in /etc/phpMyAdmin/config.inc.php and /usr/share/phpMyAdmin/config.inc.php. I'm not sure which one was raising the selinux alert. However I don't get this alert anymore, I suppose the latest selinux policy update fixed the problem.
No most likely since you were in permissive mode the file was allowed to be created and now the tool is not creating it anymore. I would figure it is in /usr/share/phpMyAdmin/config.inc.php since this would be labelled usr_t. You could add a label of httpd_sys_content_rw_t on this directory and allow this access. # semanage fcontext -a httpd_sys_content_rw_t '/usr/share/phpMyAdmin(/.*)?' # restorecon -R -v /usr/share/phpMyAdmin Will fix and allow this for now on.