Summary:

SELinux is preventing the http daemon from reading users' home directories.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied the http daemon access to users' home directories. Someone is attempting to access your home directories via your http daemon. If you have not setup httpd to share home directories, this probably signals an intrusion attempt.

Allowing Access:

If you want the http daemon to share home directories you need to turn on the httpd_enable_homedirs boolean: "setsebool -P httpd_enable_homedirs=1" You may need to also label the content that you wish to share. The man page httpd_selinux will have further information. 'man httpd_selinux'.

Fix Command:

setsebool -P httpd_enable_homedirs=1

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                /home/andrew [ dir ]
Source                        sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.1.7-1.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-33.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   httpd_enable_homedirs
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.6-147.fc13.x86_64 #1 SMP Tue Jul 6 22:32:17 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 11 Jul 2010 06:08:44 PM EDT
Last Seen                     Sun 11 Jul 2010 06:08:44 PM EDT
Local ID                      0a43bcf4-2041-443b-8d2f-62d0b1fe84b9
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1278886124.174:29621): avc: denied { getattr } for pid=3582 comm="sh" path="/home/andrew" dev=dm-2 ino=2621441 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1278886124.174:29621): arch=c000003e syscall=4 success=yes exit=0 a0=1360af0 a1=7fffd4376fd0 a2=7fffd4376fd0 a3=3bb7928ad0 items=0 ppid=3132 pid=3582 auid=500 uid=48 gid=484 euid=48 suid=48 fsuid=48 egid=484 sgid=484 fsgid=484 tty=(none) ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Hash String generated from httpd_enable_homedirs,sh,httpd_t,user_home_dir_t,dir,getattr

audit2allow suggests:

#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     httpd_read_user_content, httpd_enable_homedirs

allow httpd_t user_home_dir_t:dir getattr;

sealert above tells you what to do.

Fix Command: setsebool -P httpd_enable_homedirs=1

Eh, sorry about that. I've had like 10 alarms go off every time I log in related to the tmp folder leak issue. I didn't catch that this one was different.