Summary:

SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files wsgi.6317.0.1.sock.

Detailed Description:

SELinux has denied the httpd access to potentially mislabeled files wsgi.6317.0.1.sock. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, httpd_var_run_t, httpd_tmpfs_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of wsgi.6317.0.1.sock so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE 'wsgi.6317.0.1.sock'. where FILE_TYPE is one of the following: httpd_var_run_t, httpd_tmpfs_t. You can look at the httpd_selinux man page for additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_log_t:s0
Target Objects                wsgi.6317.0.1.sock [ sock_file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.2.14-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-103.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     (removed)
Platform                      Linux fedora.org 2.6.32.9-70.fc12.i686 #1 SMP Wed Mar 3 05:14:32 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Mon 29 Mar 2010 04:22:17 AM BRT
Last Seen                     Mon 29 Mar 2010 04:22:17 AM BRT
Local ID                      f035f111-a41c-4b8f-ac28-6757f894ddcf
Line Numbers

Raw Audit Messages

node=fedora.org type=AVC msg=audit(1269847337.127:65): avc: denied { create } for pid=6317 comm="httpd" name="wsgi.6317.0.1.sock" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=sock_file

node=fedora.org type=SYSCALL msg=audit(1269847337.127:65): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf960ca0 a2=7dc530 a3=9 items=0 ppid=1 pid=6317 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Hash String generated from httpd_bad_labels,httpd,httpd_t,httpd_log_t,sock_file,create

audit2allow suggests:

#============= httpd_t ==============
allow httpd_t httpd_log_t:sock_file create;
This socket should be moved to a directory that makes sense under /var/run/httpd? or /var/run/wsgi/
# grep wsgi /var/log/audit/audit.log | audit2allow -M mywsgi
# semodule -i mywsgi.pp
Where are you putting the wsgi sock file? In RHEL 5.4, there are rules for /var/run/wsgi.* to be httpd_var_run_t:

# semanage fcontext -l | grep httpd_var_run_t
/var/run/mod_.*                all files    system_u:object_r:httpd_var_run_t:s0
/var/run/wsgi.*                socket       system_u:object_r:httpd_var_run_t:s0
/var/run/httpd.*               all files    system_u:object_r:httpd_var_run_t:s0
/var/run/apache.*              all files    system_u:object_r:httpd_var_run_t:s0
/var/run/lighttpd(/.*)?        all files    system_u:object_r:httpd_var_run_t:s0
/opt/fortitude/run(/.*)?       all files    system_u:object_r:httpd_var_run_t:s0
/var/lib/php/session(/.*)?     all files    system_u:object_r:httpd_var_run_t:s0
/var/run/gcache_port           socket       system_u:object_r:httpd_var_run_t:s0

What do you have for WSGISocketPrefix in your configuration file? I'd recommend that you use:

WSGISocketPrefix run/mod_wsgi
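Added example, not part of the original thread: a small Python check that reads the AVC record from the report and tests candidate socket paths against the httpd_var_run_t file-context rules quoted in the comment above. It only considers those eight rules (real policy picks the most specific match across all contexts), and the candidate paths in the test, including the resolved location of run/mod_wsgi, are assumptions.

```python
import re

# Rules copied from the `semanage fcontext -l` output quoted in the thread:
# (path regex, file class the rule is limited to, or None for "all files").
HTTPD_VAR_RUN_RULES = [
    (r"/var/run/mod_.*", None),
    (r"/var/run/wsgi.*", "sock_file"),
    (r"/var/run/httpd.*", None),
    (r"/var/run/apache.*", None),
    (r"/var/run/lighttpd(/.*)?", None),
    (r"/opt/fortitude/run(/.*)?", None),
    (r"/var/lib/php/session(/.*)?", None),
    (r"/var/run/gcache_port", "sock_file"),
]
ALLOWED_TYPES = {"httpd_var_run_t", "httpd_tmpfs_t"}  # types named in the alert

# AVC record taken from the report's raw audit messages.
AVC = ('type=AVC msg=audit(1269847337.127:65): avc: denied { create } for '
       'pid=6317 comm="httpd" name="wsgi.6317.0.1.sock" '
       'scontext=unconfined_u:system_r:httpd_t:s0 '
       'tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=sock_file')


def parse_avc(line):
    """Return permissions, object name, target type and class of one denial."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    perms = re.search(r"\{([^}]*)\}", line).group(1).split()
    return {"perms": perms,
            "name": fields["name"].strip('"'),
            "ttype": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"]}


def mislabeled(avc):
    """True when httpd tried to use a socket outside the allowed types."""
    return avc["tclass"] == "sock_file" and avc["ttype"] not in ALLOWED_TYPES


def gets_var_run_label(path, tclass="sock_file"):
    """True if one of the rules above would label `path` httpd_var_run_t."""
    # File-context regexes are anchored at both ends, hence fullmatch.
    return any(re.fullmatch(rx, path) and cls in (None, tclass)
               for rx, cls in HTTPD_VAR_RUN_RULES)


if __name__ == "__main__":
    avc = parse_avc(AVC)
    print(avc, "mislabeled:", mislabeled(avc))
    # Assumed path produced by WSGISocketPrefix run/mod_wsgi.
    print(gets_var_run_label("/var/run/mod_wsgi.6317.0.1.sock"))
```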
This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping