Summary:

SELinux prevented httpd (/usr/sbin/httpd) write access to settings.php.

Detailed Description:

SELinux prevented httpd write access to settings.php. httpd scripts are not allowed to write to content without explicit labeling of all files. If settings.php is writable content. it needs to be labeled httpd_sys_content_rw_t or if all you need is append you can label it httpd_sys_content_ra_t. Please refer to 'man httpd_selinux' for more information on setting up httpd and selinux.

Allowing Access:

You can alter the file context by executing chcon -R -t httpd_sys_content_rw_t 'settings.php'
You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t httpd_sys_content_rw_t 'settings.php'"

Fix Command:

chcon -R -t httpd_sys_content_rw_t 'settings.php'

Additional Information:

Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_sys_content_t:s0
Target Objects                settings.php [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.2.15-1.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-10.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_write_content
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.3-72.fc13.x86_64 #1 SMP Wed Apr 28 15:48:01 UTC 2010 x86_64 x86_64
Alert Count                   10
First Seen                    Tue 04 May 2010 10:54:01 PM CDT
Last Seen                     Tue 04 May 2010 11:10:33 PM CDT
Local ID                      3fe96339-dd90-4b9b-8ac7-2f1e069002ef
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1273032633.435:32935): avc: denied { write } for pid=2997 comm="httpd" name="settings.php" dev=dm-0 ino=132528 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1273032633.435:32935): arch=c000003e syscall=21 success=no exit=-13 a0=7f0d702bef10 a1=2 a2=0 a3=7f0d6faa3690 items=0 ppid=2918 pid=2997 auid=4294967295 uid=48 gid=487 euid=48 suid=48 fsuid=48 egid=487 sgid=487 fsgid=487 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

Hash String generated from httpd_write_content,httpd,httpd_t,httpd_sys_content_t,file,write

audit2allow suggests:

#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:file write;
Where is the settings.php file located? It should be labeled as httpd_sys_content_rw_t.
(In reply to comment #1)
> Where is the settings.php file located? It should be labeled as
> httpd_sys_content_rw_t.

/etc/drupal/default/settings.php

This is the default location of the file when drupal is installed via yum. Not sure if putting the file in /etc by default is an oversight or not, but drupal will not work with selinux running.

P.S. I also tried another drupal install with the settings file at /var/www/html/sites/default/settings.php with the same outcome.
OK, what is the output of these commands?
# ls -Z /etc/drupal/default/settings.php
# matchpathcon /etc/drupal/default/settings.php
restorecon -R -v /etc/drupal
Will fix the labels. Similarly
restorecon -R -v /var/www/html/sites
speamr18, SELinux is all about the labels, not necessarily the location.
man httpd_selinux
Will explain the labels httpd expects.
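An added example, not part of the original thread and not code from setroubleshoot or the SELinux project: a small Python parser that reads the AVC record from the report and states the denial in terms of labels (which domain, which permission, which file type). The function names and the wanted_type parameter are assumptions made for illustration; the sample record is the one quoted in the report, with the node field redacted as it is there.

```python
import re

# AVC record as quoted in the report above (node field redacted there).
SAMPLE = ('node=(removed) type=AVC msg=audit(1273032633.435:32935): avc: denied '
          '{ write } for pid=2997 comm="httpd" name="settings.php" dev=dm-0 '
          'ino=132528 scontext=system_u:system_r:httpd_t:s0 '
          'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+'
                    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_context(ctx):
    """Split user:role:type:level; the MLS/MCS level may itself contain colons."""
    parts = ctx.split(':', 3)
    parts += [None] * (4 - len(parts))
    return dict(zip(('user', 'role', 'type', 'level'), parts))

def parse_avc(line):
    """Return the fields of one AVC record, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'tclass': fields.get('tclass'),
        'source': parse_context(fields.get('scontext', '')),
        'target': parse_context(fields.get('tcontext', '')),
    }

def label_finding(rec, wanted_type):
    """Summarise a denial by labels; wanted_type is the type the file should carry."""
    if rec is None or rec['result'] != 'denied':
        return None
    current = rec['target']['type']
    return {
        'domain': rec['source']['type'],
        'perms': rec['perms'],
        'object': rec['name'],
        'current_type': current,
        'wanted_type': wanted_type,
        'relabel_needed': current != wanted_type,
    }

if __name__ == '__main__':
    # httpd_sys_content_rw_t is the type named in the report and in the first reply.
    print(label_finding(parse_avc(SAMPLE), 'httpd_sys_content_rw_t'))
```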