Bug 597971 - SELinux prevented httpd (/usr/sbin/httpd) write access to configs.
SELinux prevented httpd (/usr/sbin/httpd) write access to configs.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
13
i386 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:986b83374f2...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-05-31 02:37 EDT by Clement
Modified: 2010-11-21 03:39 EST (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-05-31 05:17:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Clement 2010-05-31 02:37:22 EDT
Summary:

SELinux prevented httpd (/usr/sbin/httpd) write access to configs.

Detailed Description:

SELinux prevented httpd write access to configs. httpd scripts are not allowed
to write to content without explicit labeling of all files. If configs is
writable content. it needs to be labeled httpd_sys_content_rw_t or if all you
need is append you can label it httpd_sys_content_ra_t. Please refer to 'man
httpd_selinux' for more information on setting up httpd and selinux.

Allowing Access:

You can alter the file context by executing chcon -R -t httpd_sys_content_rw_t
'configs' You must also change the default file context files on the system in
order to preserve them even on a full relabel. "semanage fcontext -a -t
httpd_sys_content_rw_t 'configs'"

Fix Command:

chcon -R -t httpd_sys_content_rw_t 'configs'

Additional Information:

Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_sys_content_t:s0
Target Objects                configs [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.2.15-1.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-21.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_write_content
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.4-95.fc13.i686.PAE #1 SMP
                              Thu May 13 05:38:26 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Mon 31 May 2010 10:34:20 PM MYT
Last Seen                     Mon 31 May 2010 10:34:20 PM MYT
Local ID                      99ef0064-1d8f-4a01-b37b-a84186754b37
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1275316460.254:101): avc:  denied  { write } for  pid=1641 comm="httpd" name="configs" dev=sda1 ino=3015148 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1275316460.254:101): arch=40000003 syscall=5 success=no exit=-13 a0=b7181a98 a1=241 a2=1b6 a3=b7181a98 items=0 ppid=1599 pid=1641 auid=4294967295 uid=48 gid=486 euid=48 suid=48 fsuid=48 egid=486 sgid=486 fsgid=486 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)



Hash String generated from  httpd_write_content,httpd,httpd_t,httpd_sys_content_t,dir,write
audit2allow suggests:

#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'

allow httpd_t httpd_sys_content_t:dir write;
Comment 1 Miroslav Grepl 2010-05-31 05:17:52 EDT
Where is 'configs' directory located? 


You need to label the "configs" directory as apache content, as the alert tells you. 

# chcon -R -t httpd_sys_content_rw_t  /PATHTO/configs
 
To make this permanent

# semanage fcontext -a -t httpd_sys_content_rw_t  /PATHTO/configs
Comment 2 Clement 2010-05-31 08:20:04 EDT
My apache? httpd configuration is locate at /etc/httpd
Comment 3 Daniel Walsh 2010-06-01 10:15:02 EDT
Do you have a non standard director configs in this directory that apache needs to write to.

You could set it to a context that the daemon can write to using the command

# semanage fcontext -a -t httpd_sys_content_rw_t '/etc/httpd/configs(/.*)?'
# restorecon -R -v /etc/httpd/
Comment 4 Jiri Kastner 2010-09-07 03:17:25 EDT
i noticed this selinux problem after installing spacewalk on fedora 13.

Note You need to log in before you can comment on or make changes to this bug.