Summary:

SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files ZendDiskStorageDir.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied the httpd access to potentially mislabeled files ZendDiskStorageDir. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, httpd_var_lib_t, httpd_var_run_t, var_lock_t, tmp_t, var_t, squirrelmail_spool_t, httpd_log_t, httpd_rw_content, tmpfs_t, httpd_cache_t, httpd_tmpfs_t, httpdcontent, var_lib_t, var_run_t, httpd_tmp_t, httpd_squirrelmail_t, var_log_t, httpd_squid_content_ra_t, httpd_squid_content_rw_t, httpd_apcupsd_cgi_content_ra_t, httpd_apcupsd_cgi_content_rw_t, httpd_sys_content_t, httpd_prewikka_content_ra_t, httpd_prewikka_content_rw_t, httpd_awstats_content_ra_t, httpd_awstats_content_rw_t, httpd_w3c_validator_content_ra_t, httpd_w3c_validator_content_rw_t, httpd_user_content_ra_t, httpd_user_content_rw_t, httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, httpdcontent, httpd_munin_content_ra_t, httpd_munin_content_rw_t, root_t, httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t, httpd_nagios_content_ra_t, httpd_nagios_content_rw_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t, httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of ZendDiskStorageDir so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE 'ZendDiskStorageDir'.
where FILE_TYPE is one of the following: httpd_var_lib_t, httpd_var_run_t, var_lock_t, tmp_t, var_t, squirrelmail_spool_t, httpd_log_t, httpd_rw_content, tmpfs_t, httpd_cache_t, httpd_tmpfs_t, httpdcontent, var_lib_t, var_run_t, httpd_tmp_t, httpd_squirrelmail_t, var_log_t, httpd_squid_content_ra_t, httpd_squid_content_rw_t, httpd_apcupsd_cgi_content_ra_t, httpd_apcupsd_cgi_content_rw_t, httpd_sys_content_t, httpd_prewikka_content_ra_t, httpd_prewikka_content_rw_t, httpd_awstats_content_ra_t, httpd_awstats_content_rw_t, httpd_w3c_validator_content_ra_t, httpd_w3c_validator_content_rw_t, httpd_user_content_ra_t, httpd_user_content_rw_t, httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, httpdcontent, httpd_munin_content_ra_t, httpd_munin_content_rw_t, root_t, httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t, httpd_nagios_content_ra_t, httpd_nagios_content_rw_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t, httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t. You can look at the httpd_selinux man page for additional information. 

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                ZendDiskStorageDir [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.2.14-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-114.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   httpd_bad_labels
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.11-99.fc12.i686.PAE #1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686
Alert Count                   2
First Seen                    Wed 19 May 2010 11:37:43 PM MYT
Last Seen                     Wed 19 May 2010 11:37:43 PM MYT
Local ID                      617464d4-2d4c-4bfe-abcd-f337d5c6817e
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1274283463.217:25778): avc: denied { add_name } for pid=6468 comm="httpd" name="ZendDiskStorageDir" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir

node=(removed) type=AVC msg=audit(1274283463.217:25778): avc: denied { create } for pid=6468 comm="httpd" name="ZendDiskStorageDir" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1274283463.217:25778): arch=40000003 syscall=39 success=yes exit=0 a0=b352a8e8 a1=1fc a2=b335e6f4 a3=b335f2a0 items=0 ppid=1 pid=6468 auid=500 uid=0 gid=0 euid=48 suid=0 fsuid=48 egid=489 sgid=0 fsgid=489 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Hash String generated from httpd_bad_labels,httpd,httpd_t,unlabeled_t,dir,add_name

audit2allow suggests:

#============= httpd_t ==============
allow httpd_t unlabeled_t:dir { create add_name };

*** Bug 593868 has been marked as a duplicate of this bug. ***
Where is 'ZendDiskStorageDir' located? Did you try to set up file context on it?
/usr/local/zend/tmp/datacache
Is this a disk from a non-SELinux box?
restorecon -R -v /usr/local
Should add labels.
done.
Does it work now?
Unable to remove

[root@localhost spyworld]# yum remove zend-server
Loaded plugins: presto, refresh-packagekit
Setting up Remove Process
Resolving Dependencies
--> Running transaction check
---> Package zend-server-php-5.2.noarch 0:5.0-15 set to be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package                 Arch       Version      Repository        Size
================================================================================
Removing:
 zend-server-php-5.2     noarch     5.0-15       @Zend_noarch      0.0

Transaction Summary
================================================================================
Remove        1 Package(s)
Reinstall     0 Package(s)
Downgrade     0 Package(s)

Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Error in PREUN scriptlet in rpm package zend-server-php-5.2
[root@localhost spyworld]#

I don't think this has anything to do with SELinux.