Summary: SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files /etc/zarafa. Detailed Description: SELinux has denied the httpd access to potentially mislabeled files /etc/zarafa. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, udev_tbl_t, httpd_tmp_t, var_spool_t, httpd_mojomojo_rw_content_t, httpd_cache_t, httpd_tmpfs_t, security_t, httpd_sys_script_exec_t, smokeping_var_lib_t, iso9660_t, mysqld_etc_t, cvs_data_t, httpd_git_script_exec_t, var_lib_t, var_run_t, default_t, httpd_cvs_script_exec_t, cobbler_etc_t, dbusd_etc_t, httpd_zarafa_script_exec_t, rpm_tmp_t, var_run_t, httpd_sys_content_t, httpd_squirrelmail_t, httpd_mojomojo_script_exec_t, httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, var_log_t, var_t, samba_var_t, rpm_log_t, var_log_t, avahi_var_run_t, net_conf_t, httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_nagios_content_t, logfile, httpd_sys_rw_content_t, httpd_zarafa_content_t, httpd_w3c_validator_content_t, httpd_nagios_rw_content_t, public_content_t, httpd_nutups_cgi_rw_content_t, httpd_cobbler_script_exec_t, httpd_zarafa_rw_content_t, anon_inodefs_t, sysctl_kernel_t, var_lib_nfs_t, home_root_t, httpd_modules_t, httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t, mysqld_var_run_t, httpd_var_lib_t, httpd_var_run_t, nscd_var_run_t, nslcd_var_run_t, slapd_var_run_t, sssd_var_lib_t, httpd_apcupsd_cgi_content_t, httpd_squid_rw_content_t, abrt_var_run_t, httpd_apcupsd_cgi_rw_content_t, mysqld_db_t, httpd_prewikka_content_t, gitosis_var_lib_t, httpd_smokeping_cgi_rw_content_t, httpd_smokeping_cgi_content_t, httpd_munin_content_t, httpd_squid_content_t, httpd_cvs_content_t, httpd_sys_content_t, public_content_rw_t, httpd_awstats_script_exec_t, mailman_archive_t, mailman_data_t, httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t, sysctl_crypto_t, system_dbusd_var_lib_t, system_dbusd_var_run_t, var_lib_t, httpd_prewikka_rw_content_t, var_lock_t, httpd_user_script_exec_t, setrans_var_run_t, squirrelmail_spool_t, sysctl_t, httpd_bugzilla_content_t, postgresql_var_run_t, bin_t, cert_t, zarafa_server_var_run_t, httpd_cobbler_content_t, httpd_t, lib_t, mnt_t, httpd_apcupsd_cgi_script_exec_t, tmp_t, passenger_var_lib_t, passenger_var_run_t, usr_t, var_t, cobbler_var_lib_t, sysctl_t, abrt_t, bin_t, httpd_nagios_script_exec_t, lib_t, mnt_t, httpd_squid_script_exec_t, root_t, nagios_etc_t, nagios_log_t, httpd_w3c_validator_rw_content_t, tmp_t, sssd_public_t, winbind_var_run_t, usr_t, var_t, httpd_awstats_rw_content_t, autofs_t, device_t, devpts_t, locale_t, cluster_conf_t, postgresql_tmp_t, etc_t, fonts_t, likewise_var_lib_t, httpd_bugzilla_script_exec_t, proc_t, fonts_cache_t, sysfs_t, tmpfs_t, httpd_log_t, httpd_awstats_content_t, device_t, etc_t, httpd_user_rw_content_t, proc_t, krb5_conf_t, httpd_config_t, httpd_nutups_cgi_content_t, textrel_shlib_t, sysctl_net_t, httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t, httpd_mojomojo_content_t, rpm_script_tmp_t, httpd_munin_rw_content_t, calamaris_www_t, httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t, httpd_sys_script_exec_t, httpd_git_script_exec_t, var_run_t, var_run_t, httpd_cvs_script_exec_t, httpd_zarafa_script_exec_t, cgroup_t, httpd_mojomojo_script_exec_t, httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, root_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_zarafa_content_t, httpd_w3c_validator_content_t, httpd_nagios_ra_content_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t, sysfs_t, tmpfs_t, httpd_cobbler_script_exec_t, httpd_zarafa_ra_content_t, httpd_zarafa_rw_content_t, httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t, nscd_var_run_t, pcscd_var_run_t, httpd_apcupsd_cgi_content_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t, httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, httpd_smokeping_cgi_content_t, httpd_munin_content_t, httpd_squid_content_t, httpd_cvs_content_t, httpd_sys_content_t, httpd_awstats_script_exec_t, httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t, httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t, httpd_user_script_exec_t, httpd_bugzilla_content_t, httpd_cobbler_content_t, httpd_apcupsd_cgi_script_exec_t, var_t, var_t, httpd_nagios_script_exec_t, httpd_squid_script_exec_t, httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, device_t, devpts_t, httpd_bugzilla_script_exec_t, httpd_awstats_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_nutups_cgi_content_t, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t, httpd_mojomojo_content_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labelled with a file context which httpd can access. Allowing Access: If you want to change the file context of /etc/zarafa so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE '/etc/zarafa'. where FILE_TYPE is one of the following: udev_tbl_t, httpd_tmp_t, var_spool_t, httpd_mojomojo_rw_content_t, httpd_cache_t, httpd_tmpfs_t, security_t, httpd_sys_script_exec_t, smokeping_var_lib_t, iso9660_t, mysqld_etc_t, cvs_data_t, httpd_git_script_exec_t, var_lib_t, var_run_t, default_t, httpd_cvs_script_exec_t, cobbler_etc_t, dbusd_etc_t, httpd_zarafa_script_exec_t, rpm_tmp_t, var_run_t, httpd_sys_content_t, httpd_squirrelmail_t, httpd_mojomojo_script_exec_t, httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, var_log_t, var_t, samba_var_t, rpm_log_t, var_log_t, avahi_var_run_t, net_conf_t, httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_nagios_content_t, logfile, httpd_sys_rw_content_t, httpd_zarafa_content_t, httpd_w3c_validator_content_t, httpd_nagios_rw_content_t, public_content_t, httpd_nutups_cgi_rw_content_t, httpd_cobbler_script_exec_t, httpd_zarafa_rw_content_t, anon_inodefs_t, sysctl_kernel_t, var_lib_nfs_t, home_root_t, httpd_modules_t, httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t, mysqld_var_run_t, httpd_var_lib_t, httpd_var_run_t, nscd_var_run_t, nslcd_var_run_t, slapd_var_run_t, sssd_var_lib_t, httpd_apcupsd_cgi_content_t, httpd_squid_rw_content_t, abrt_var_run_t, httpd_apcupsd_cgi_rw_content_t, mysqld_db_t, httpd_prewikka_content_t, gitosis_var_lib_t, httpd_smokeping_cgi_rw_content_t, httpd_smokeping_cgi_content_t, httpd_munin_content_t, httpd_squid_content_t, httpd_cvs_content_t, httpd_sys_content_t, public_content_rw_t, httpd_awstats_script_exec_t, mailman_archive_t, mailman_data_t, httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t, sysctl_crypto_t, system_dbusd_var_lib_t, system_dbusd_var_run_t, var_lib_t, httpd_prewikka_rw_content_t, var_lock_t, httpd_user_script_exec_t, setrans_var_run_t, squirrelmail_spool_t, sysctl_t, httpd_bugzilla_content_t, postgresql_var_run_t, bin_t, cert_t, zarafa_server_var_run_t, httpd_cobbler_content_t, httpd_t, lib_t, mnt_t, httpd_apcupsd_cgi_script_exec_t, tmp_t, passenger_var_lib_t, passenger_var_run_t, usr_t, var_t, cobbler_var_lib_t, sysctl_t, abrt_t, bin_t, httpd_nagios_script_exec_t, lib_t, mnt_t, httpd_squid_script_exec_t, root_t, nagios_etc_t, nagios_log_t, httpd_w3c_validator_rw_content_t, tmp_t, sssd_public_t, winbind_var_run_t, usr_t, var_t, httpd_awstats_rw_content_t, autofs_t, device_t, devpts_t, locale_t, cluster_conf_t, postgresql_tmp_t, etc_t, fonts_t, likewise_var_lib_t, httpd_bugzilla_script_exec_t, proc_t, fonts_cache_t, sysfs_t, tmpfs_t, httpd_log_t, httpd_awstats_content_t, device_t, etc_t, httpd_user_rw_content_t, proc_t, krb5_conf_t, httpd_config_t, httpd_nutups_cgi_content_t, textrel_shlib_t, sysctl_net_t, httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t, httpd_mojomojo_content_t, rpm_script_tmp_t, httpd_munin_rw_content_t, calamaris_www_t, httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t, httpd_sys_script_exec_t, httpd_git_script_exec_t, var_run_t, var_run_t, httpd_cvs_script_exec_t, httpd_zarafa_script_exec_t, cgroup_t, httpd_mojomojo_script_exec_t, httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, root_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_zarafa_content_t, httpd_w3c_validator_content_t, httpd_nagios_ra_content_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t, sysfs_t, tmpfs_t, httpd_cobbler_script_exec_t, httpd_zarafa_ra_content_t, httpd_zarafa_rw_content_t, httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t, nscd_var_run_t, pcscd_var_run_t, httpd_apcupsd_cgi_content_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t, httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, httpd_smokeping_cgi_content_t, httpd_munin_content_t, httpd_squid_content_t, httpd_cvs_content_t, httpd_sys_content_t, httpd_awstats_script_exec_t, httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t, httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t, httpd_user_script_exec_t, httpd_bugzilla_content_t, httpd_cobbler_content_t, httpd_apcupsd_cgi_script_exec_t, var_t, var_t, httpd_nagios_script_exec_t, httpd_squid_script_exec_t, httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, device_t, devpts_t, httpd_bugzilla_script_exec_t, httpd_awstats_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_nutups_cgi_content_t, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t, httpd_mojomojo_content_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t. You can look at the httpd_selinux man page for additional information. Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:zarafa_etc_t:s0 Target Objects /etc/zarafa [ dir ] Source httpd Source Path /usr/sbin/httpd Port <Unknown> Host (removed) Source RPM Packages httpd-2.2.17-1.fc14 Target RPM Packages zarafa-common-6.40.2-1.fc14 Policy RPM selinux-policy-3.9.7-10.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name httpd_bad_labels Host Name (removed) Platform Linux (removed) 2.6.35.6-48.fc14.x86_64 #1 SMP Fri Oct 22 15:36:08 UTC 2010 x86_64 x86_64 Alert Count 1 First Seen Sat 13 Nov 2010 06:53:29 GMT Last Seen Sat 13 Nov 2010 06:53:29 GMT Local ID 014e1a01-6b42-4208-a9f6-befa26c5c22b Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1289631209.690:10): avc: denied { search } for pid=2249 comm="httpd" name="zarafa" dev=dm-4 ino=1476080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zarafa_etc_t:s0 tclass=dir node=(removed) type=SYSCALL msg=audit(1289631209.690:10): arch=c000003e syscall=80 success=no exit=-13 a0=7ff5e522eed0 a1=7ff5e522e3a8 a2=0 a3=18 items=0 ppid=1 pid=2249 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) Hash String generated from httpd_bad_labels,httpd,httpd_t,zarafa_etc_t,dir,search audit2allow suggests: #============= httpd_t ============== allow httpd_t zarafa_etc_t:dir search;
John, looks like you use Zarafa. If so, could you execute # semanage permissive -a httpd_t Then try to use Zarafa and you will see if you get another AVC messages. After that run # semanage permissive -d httpd_t # ausearch -m avc -ts recent Thanks.
Created attachment 460550 [details] Result of 'ausearch -m avc -ts recent' Hi, I don't actually run Zarafa. I downloaded it with some other program packages. Although I have got httpd running always, all the Zafara programs are disabled in System > Administration > Services. It's just that I get the Selinux error every time I login. After doing: semanage permissive -a httpd_t The error stopped occurring at login. I tried to start the zafara_server in 'Services' but nothing happened at all. I did: semanage permissive -d httpd_t The result of the following is in the attachment. ausearch -m avc -ts recent This is not a serious issue for me and I'll probably un-install zarafa. I was just doing my bit, sending in the bug report. Regards, John.
Miroslav, I would just add the access.
Yes, I agree. I hoped I will see some AVC messages related to Zarafa :)
Fixed in selinux-policy-3.9.7-13.fc14
selinux-policy-3.9.7-12.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-12.fc14
selinux-policy-3.9.7-12.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-12.fc14
selinux-policy-3.9.7-12.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.