Summary:

SELinux prevented httpd (/usr/sbin/httpd) write access to configs.

Detailed Description:

SELinux prevented httpd write access to configs. httpd scripts are not allowed to write to content without explicit labeling of all files. If configs is writable content. it needs to be labeled httpd_sys_content_rw_t or if all you need is append you can label it httpd_sys_content_ra_t. Please refer to 'man httpd_selinux' for more information on setting up httpd and selinux.

Allowing Access:

You can alter the file context by executing chcon -R -t httpd_sys_content_rw_t 'configs' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t httpd_sys_content_rw_t 'configs'"

Fix Command:

chcon -R -t httpd_sys_content_rw_t 'configs'

Additional Information:

Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_sys_content_t:s0
Target Objects                configs [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.2.15-1.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-21.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_write_content
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.4-95.fc13.i686.PAE #1 SMP Thu May 13 05:38:26 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Mon 31 May 2010 10:34:20 PM MYT
Last Seen                     Mon 31 May 2010 10:34:20 PM MYT
Local ID                      99ef0064-1d8f-4a01-b37b-a84186754b37
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1275316460.254:101): avc: denied { write } for pid=1641 comm="httpd" name="configs" dev=sda1 ino=3015148 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1275316460.254:101): arch=40000003 syscall=5 success=no exit=-13 a0=b7181a98 a1=241 a2=1b6 a3=b7181a98 items=0 ppid=1599 pid=1641 auid=4294967295 uid=48 gid=486 euid=48 suid=48 fsuid=48 egid=486 sgid=486 fsgid=486 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

Hash String generated from httpd_write_content,httpd,httpd_t,httpd_sys_content_t,dir,write

audit2allow suggests:

#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:dir write;
Where is the 'configs' directory located? You need to label the "configs" directory as apache content, as the alert tells you.

# chcon -R -t httpd_sys_content_rw_t /PATHTO/configs

To make this permanent:

# semanage fcontext -a -t httpd_sys_content_rw_t /PATHTO/configs
My apache? httpd configuration is located at /etc/httpd
Do you have a non-standard directory configs in this directory that apache needs to write to? You could set it to a context that the daemon can write to using the commands:

# semanage fcontext -a -t httpd_sys_content_rw_t '/etc/httpd/configs(/.*)?'
# restorecon -R -v /etc/httpd/
I noticed this SELinux problem after installing Spacewalk on Fedora 13.
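Added example, not part of the original thread and not code from setroubleshoot: a small Python triage helper that parses the two raw audit records from the alert, decodes what httpd was attempting, and builds the persistent relabel commands suggested in the replies. The SYSCALL record is abridged, the function names are hypothetical, and /etc/httpd/configs is the path assumed in the reply above, not one confirmed by the reporter.

```python
import errno
import re
import shlex

# The two audit records from the alert above, node=(removed) prefix dropped;
# the SYSCALL record is abridged to the fields used here.
AVC = ('type=AVC msg=audit(1275316460.254:101): avc: denied { write } for '
       'pid=1641 comm="httpd" name="configs" dev=sda1 ino=3015148 '
       'scontext=system_u:system_r:httpd_t:s0 '
       'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir')
SYSCALL = ('type=SYSCALL msg=audit(1275316460.254:101): arch=40000003 '
           'syscall=5 success=no exit=-13 a0=b7181a98 a1=241 a2=1b6 '
           'a3=b7181a98 items=0 uid=48 comm="httpd" exe="/usr/sbin/httpd"')

# Linux open(2) flag bits that can appear in a1.
OPEN_FLAGS = {0o1: "O_WRONLY", 0o2: "O_RDWR", 0o100: "O_CREAT",
              0o1000: "O_TRUNC", 0o2000: "O_APPEND"}

def fields(record):
    """Return the key=value pairs of one audit record, quotes stripped."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', record)
    return {key: value.strip('"') for key, value in pairs}

def parse_avc(record):
    """Extract the denied permissions and the SELinux types involved."""
    f = fields(record)
    perms = re.search(r'\{([^}]*)\}', record).group(1).split()
    return {"perms": perms, "name": f["name"], "tclass": f["tclass"],
            "source_type": f["scontext"].split(":")[2],
            "target_type": f["tcontext"].split(":")[2]}

def decode_open(record):
    """Decode an i386 open() record: arch=40000003 with syscall=5."""
    f = fields(record)
    if (f["arch"], f["syscall"]) != ("40000003", "5"):
        raise ValueError("not an i386 open() record")
    flags = int(f["a1"], 16)          # audit prints arguments in hex
    return {"flags": [n for bit, n in OPEN_FLAGS.items() if flags & bit],
            "mode": oct(int(f["a2"], 16)),
            "error": errno.errorcode[-int(f["exit"])]}

def relabel_commands(avc, directory, rw_type="httpd_sys_content_rw_t"):
    """Build the persistent relabel commands for this specific denial only."""
    wanted = ("httpd_t", "httpd_sys_content_t", "dir")
    seen = (avc["source_type"], avc["target_type"], avc["tclass"])
    if seen != wanted or "write" not in avc["perms"]:
        return []
    spec = directory.rstrip("/") + "(/.*)?"
    return ["semanage fcontext -a -t %s %s" % (rw_type, shlex.quote(spec)),
            "restorecon -R -v %s" % shlex.quote(directory)]
```

The decoded SYSCALL record shows httpd tried to create a file for writing (mode 0666) inside configs and got EACCES, which is why the denial is logged against the directory rather than a file.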