Summary: SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files datacache.log. Detailed Description: [SELinux is in permissive mode. This access was not denied.] SELinux has denied the httpd access to potentially mislabeled files datacache.log. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, etc_runtime_t, httpd_var_lib_t, httpd_var_run_t, httpd_suexec_exec_t, application_exec_type, afs_cache_t, abrt_helper_exec_t, httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t, gitosis_var_lib_t, httpd_squid_htaccess_t, httpd_awstats_htaccess_t, httpd_munin_htaccess_t, httpd_user_htaccess_t, mailman_archive_t, chroot_exec_t, httpd_sys_content_t, public_content_rw_t, httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t, bin_t, cert_t, mailman_data_t, httpd_t, lib_t, httpd_apcupsd_cgi_htaccess_t, textrel_shlib_t, ld_so_t, system_dbusd_var_lib_t, httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t, squirrelmail_spool_t, usr_t, httpd_rotatelogs_exec_t, httpd_prewikka_htaccess_t, rpm_script_tmp_t, httpd_smokeping_cgi_htaccess_t, nagios_etc_t, nagios_log_t, sssd_public_t, httpd_keytab_t, cluster_conf_t, fonts_cache_t, httpd_exec_t, httpd_lock_t, locale_t, httpd_unconfined_script_exec_t, httpd_log_t, etc_t, fonts_t, proc_t, sysfs_t, krb5_conf_t, krb5_keytab_t, httpd_config_t, calamaris_www_t, ld_so_cache_t, httpd_cache_t, httpd_tmpfs_t, iso9660_t, udev_tbl_t, httpd_tmp_t, var_lib_t, shell_exec_t, httpd_w3c_validator_htaccess_t, configfile, mysqld_etc_t, cvs_data_t, httpd_helper_exec_t, dbusd_etc_t, httpd_squirrelmail_t, httpd_php_exec_t, httpd_nagios_htaccess_t, samba_var_t, abrt_var_run_t, net_conf_t, fail2ban_var_lib_t, public_content_t, anon_inodefs_t, sysctl_kernel_t, sysctl_crypto_t, httpd_modules_t, user_cron_spool_t, abrt_t, lib_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t, httpd_apcupsd_cgi_content_t, httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, root_t, httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t, httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t, public_content_rw_t, httpd_cobbler_content_t, httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t, httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t, httpd_user_script_exec_t, httpd_bugzilla_content_t, httpd_nagios_script_exec_t, httpd_apcupsd_cgi_script_exec_t, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, httpd_squid_script_exec_t, httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, httpd_bugzilla_script_exec_t, httpd_awstats_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_nutups_cgi_content_t, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t, httpd_sys_script_exec_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t, httpd_git_script_exec_t, httpd_cvs_script_exec_t, httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_w3c_validator_content_t, httpd_nagios_ra_content_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t, httpd_cobbler_script_exec_t, httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access. Allowing Access: If you want to change the file context of datacache.log so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE 'datacache.log'. where FILE_TYPE is one of the following: etc_runtime_t, httpd_var_lib_t, httpd_var_run_t, httpd_suexec_exec_t, application_exec_type, afs_cache_t, abrt_helper_exec_t, httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t, gitosis_var_lib_t, httpd_squid_htaccess_t, httpd_awstats_htaccess_t, httpd_munin_htaccess_t, httpd_user_htaccess_t, mailman_archive_t, chroot_exec_t, httpd_sys_content_t, public_content_rw_t, httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t, bin_t, cert_t, mailman_data_t, httpd_t, lib_t, httpd_apcupsd_cgi_htaccess_t, textrel_shlib_t, ld_so_t, system_dbusd_var_lib_t, httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t, squirrelmail_spool_t, usr_t, httpd_rotatelogs_exec_t, httpd_prewikka_htaccess_t, rpm_script_tmp_t, httpd_smokeping_cgi_htaccess_t, nagios_etc_t, nagios_log_t, sssd_public_t, httpd_keytab_t, cluster_conf_t, fonts_cache_t, httpd_exec_t, httpd_lock_t, locale_t, httpd_unconfined_script_exec_t, httpd_log_t, etc_t, fonts_t, proc_t, sysfs_t, krb5_conf_t, krb5_keytab_t, httpd_config_t, calamaris_www_t, ld_so_cache_t, httpd_cache_t, httpd_tmpfs_t, iso9660_t, udev_tbl_t, httpd_tmp_t, var_lib_t, shell_exec_t, httpd_w3c_validator_htaccess_t, configfile, mysqld_etc_t, cvs_data_t, httpd_helper_exec_t, dbusd_etc_t, httpd_squirrelmail_t, httpd_php_exec_t, httpd_nagios_htaccess_t, samba_var_t, abrt_var_run_t, net_conf_t, fail2ban_var_lib_t, public_content_t, anon_inodefs_t, sysctl_kernel_t, sysctl_crypto_t, httpd_modules_t, user_cron_spool_t, abrt_t, lib_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t, httpd_apcupsd_cgi_content_t, httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, root_t, httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t, httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t, public_content_rw_t, httpd_cobbler_content_t, httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t, httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t, httpd_user_script_exec_t, httpd_bugzilla_content_t, httpd_nagios_script_exec_t, httpd_apcupsd_cgi_script_exec_t, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, httpd_squid_script_exec_t, httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, httpd_bugzilla_script_exec_t, httpd_awstats_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_nutups_cgi_content_t, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t, httpd_sys_script_exec_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t, httpd_git_script_exec_t, httpd_cvs_script_exec_t, httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_w3c_validator_content_t, httpd_nagios_ra_content_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t, httpd_cobbler_script_exec_t, httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t. You can look at the httpd_selinux man page for additional information. Additional Information: Source Context unconfined_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:unlabeled_t:s0 Target Objects datacache.log [ file ] Source httpd Source Path /usr/sbin/httpd Port <Unknown> Host (removed) Source RPM Packages httpd-2.2.15-1.fc13 Target RPM Packages Policy RPM selinux-policy-3.7.19-39.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Plugin Name httpd_bad_labels Host Name (removed) Platform Linux (removed) 2.6.33.6-147.fc13.i686 #1 SMP Tue Jul 6 22:30:55 UTC 2010 i686 i686 Alert Count 1 First Seen Wed 28 Jul 2010 12:15:33 AM EDT Last Seen Wed 28 Jul 2010 12:15:33 AM EDT Local ID 2eae16d5-fa4b-4464-9a27-12aec727b8be Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1280290533.217:42): avc: denied { read } for pid=2570 comm="httpd" name="datacache.log" dev=dm-0 ino=393239 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1280290533.217:42): arch=40000003 syscall=5 success=yes exit=15 a0=25f22d0 a1=8000 a2=1b6 a3=25f2251 items=0 ppid=1 pid=2570 auid=500 uid=0 gid=0 euid=48 suid=0 fsuid=48 egid=488 sgid=0 fsgid=488 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) Hash String generated from httpd_bad_labels,httpd,httpd_t,unlabeled_t,file,read audit2allow suggests: #============= httpd_t ============== allow httpd_t unlabeled_t:file read;
Where is 'datacache.log' located? You need to run restorecon on it. # restorecon -R -v DISKPATH Should add labels.