Bug 654829 - SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files /srv/joomla/index.php.
Summary: SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:a7e4181bc36...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-11-18 20:26 UTC by Yuriy V Skv
Modified: 2010-11-18 20:31 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-11-18 20:31:10 UTC
Type: ---


Attachments (Terms of Use)

Description Yuriy V Skv 2010-11-18 20:26:28 UTC
Summary:

SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files
/srv/joomla/index.php.

Detailed Description:

SELinux has denied the httpd access to potentially mislabeled files
/srv/joomla/index.php. This means that SELinux will not allow httpd to use these
files. If httpd should be allowed this access to these files you should change
the file context to one of the following types, dirsrv_var_log_t, net_conf_t,
logfile, rpm_tmp_t, public_content_t, anon_inodefs_t, sysctl_kernel_t,
httpd_modules_t, etc_runtime_t, dirsrv_var_run_t, httpd_var_lib_t,
httpd_var_run_t, ld_so_cache_t, user_tmp_t, httpd_suexec_exec_t,
httpd_awstats_htaccess_t, httpd_dirsrvadmin_htaccess_t, application_exec_type,
httpd_user_htaccess_t, httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t,
chroot_exec_t, gitosis_var_lib_t, dirsrvadmin_config_t, httpd_sys_content_t,
httpd_squid_htaccess_t, public_content_rw_t, httpd_munin_htaccess_t,
httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t, mailman_archive_t,
mailman_data_t, httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t,
httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t,
squirrelmail_spool_t, bin_t, cert_t, httpd_t, lib_t, httpd_prewikka_htaccess_t,
user_home_t, passenger_var_lib_t, passenger_var_run_t, cobbler_var_lib_t, tmp_t,
usr_t, httpd_rotatelogs_exec_t, httpd_smokeping_cgi_htaccess_t, nagios_etc_t,
nagios_log_t, abrt_var_run_t, sssd_public_t, ping_exec_t, httpd_keytab_t,
locale_t, httpd_unconfined_script_exec_t, cluster_conf_t, etc_t, fonts_t,
proc_t, sysfs_t, fonts_cache_t, httpd_mojomojo_htaccess_t, httpd_exec_t,
httpd_lock_t, httpd_log_t, krb5_keytab_t, passenger_exec_t, dirsrv_config_t,
sysctl_crypto_t, ssh_exec_t, krb5_conf_t, httpd_config_t, user_tmp_t,
httpd_mediawiki_htaccess_t, abrt_t, lib_t, udev_tbl_t, httpd_tmp_t,
calamaris_www_t, fail2ban_var_lib_t, httpd_cache_t, httpd_tmpfs_t,
smokeping_var_lib_t, shell_exec_t, iso9660_t, httpd_w3c_validator_htaccess_t,
abrt_helper_exec_t, mysqld_etc_t, cvs_data_t, var_lib_t, cobbler_etc_t,
sendmail_exec_t, httpd_helper_exec_t, dbusd_etc_t, dirsrv_share_t, ld_so_t,
httpd_dirsrvadmin_script_exec_t, user_cron_spool_t, httpd_squirrelmail_t,
textrel_shlib_t, httpd_php_exec_t, httpd_nagios_htaccess_t, rpm_script_tmp_t,
httpd_mediawiki_tmp_t, httpd_zarafa_htaccess_t, samba_var_t,
httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t,
httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t,
httpd_sys_rw_content_t, httpd_zarafa_content_t, httpd_w3c_validator_content_t,
httpd_nagios_ra_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t,
httpd_cobbler_script_exec_t, httpd_zarafa_ra_content_t,
httpd_zarafa_rw_content_t, httpd_mediawiki_script_exec_t,
httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t,
httpd_apcupsd_cgi_content_t, httpd_mediawiki_ra_content_t,
httpd_mediawiki_rw_content_t, httpd_squid_ra_content_t,
httpd_squid_rw_content_t, httpd_apcupsd_cgi_ra_content_t,
httpd_apcupsd_cgi_rw_content_t, httpd_prewikka_content_t,
httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t,
httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t,
httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t,
httpd_dirsrvadmin_ra_content_t, httpd_dirsrvadmin_rw_content_t,
httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t,
httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t,
httpd_user_script_exec_t, httpd_bugzilla_content_t, httpd_mediawiki_content_t,
krb5_host_rcache_t, httpd_cobbler_content_t, httpd_apcupsd_cgi_script_exec_t,
httpd_dirsrvadmin_content_t, httpd_nagios_script_exec_t,
httpd_squid_script_exec_t, httpd_w3c_validator_ra_content_t,
httpd_w3c_validator_rw_content_t, httpd_awstats_ra_content_t,
httpd_awstats_rw_content_t, httpd_bugzilla_script_exec_t,
httpd_awstats_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t,
httpd_nutups_cgi_content_t, httpd_cobbler_ra_content_t,
httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t,
httpd_mojomojo_content_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t,
httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t,
httpd_sys_script_exec_t, httpd_git_script_exec_t, httpd_cvs_script_exec_t,
httpd_zarafa_script_exec_t, httpd_dirsrvadmin_script_exec_t,
httpd_mojomojo_script_exec_t, httpd_bugzilla_ra_content_t,
httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, root_t. Many third
party apps install html files in directories that SELinux policy cannot predict.
These directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of /srv/joomla/index.php so that the
httpd daemon can access it, you need to execute it using semanage fcontext -a -t
FILE_TYPE '/srv/joomla/index.php'.
where FILE_TYPE is one of the following: dirsrv_var_log_t, net_conf_t, logfile,
rpm_tmp_t, public_content_t, anon_inodefs_t, sysctl_kernel_t, httpd_modules_t,
etc_runtime_t, dirsrv_var_run_t, httpd_var_lib_t, httpd_var_run_t,
ld_so_cache_t, user_tmp_t, httpd_suexec_exec_t, httpd_awstats_htaccess_t,
httpd_dirsrvadmin_htaccess_t, application_exec_type, httpd_user_htaccess_t,
httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t, chroot_exec_t,
gitosis_var_lib_t, dirsrvadmin_config_t, httpd_sys_content_t,
httpd_squid_htaccess_t, public_content_rw_t, httpd_munin_htaccess_t,
httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t, mailman_archive_t,
mailman_data_t, httpd_apcupsd_cgi_htaccess_t, system_dbusd_var_lib_t,
httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t,
squirrelmail_spool_t, bin_t, cert_t, httpd_t, lib_t, httpd_prewikka_htaccess_t,
user_home_t, passenger_var_lib_t, passenger_var_run_t, cobbler_var_lib_t, tmp_t,
usr_t, httpd_rotatelogs_exec_t, httpd_smokeping_cgi_htaccess_t, nagios_etc_t,
nagios_log_t, abrt_var_run_t, sssd_public_t, ping_exec_t, httpd_keytab_t,
locale_t, httpd_unconfined_script_exec_t, cluster_conf_t, etc_t, fonts_t,
proc_t, sysfs_t, fonts_cache_t, httpd_mojomojo_htaccess_t, httpd_exec_t,
httpd_lock_t, httpd_log_t, krb5_keytab_t, passenger_exec_t, dirsrv_config_t,
sysctl_crypto_t, ssh_exec_t, krb5_conf_t, httpd_config_t, user_tmp_t,
httpd_mediawiki_htaccess_t, abrt_t, lib_t, udev_tbl_t, httpd_tmp_t,
calamaris_www_t, fail2ban_var_lib_t, httpd_cache_t, httpd_tmpfs_t,
smokeping_var_lib_t, shell_exec_t, iso9660_t, httpd_w3c_validator_htaccess_t,
abrt_helper_exec_t, mysqld_etc_t, cvs_data_t, var_lib_t, cobbler_etc_t,
sendmail_exec_t, httpd_helper_exec_t, dbusd_etc_t, dirsrv_share_t, ld_so_t,
httpd_dirsrvadmin_script_exec_t, user_cron_spool_t, httpd_squirrelmail_t,
textrel_shlib_t, httpd_php_exec_t, httpd_nagios_htaccess_t, rpm_script_tmp_t,
httpd_mediawiki_tmp_t, httpd_zarafa_htaccess_t, samba_var_t,
httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t,
httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t,
httpd_sys_rw_content_t, httpd_zarafa_content_t, httpd_w3c_validator_content_t,
httpd_nagios_ra_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t,
httpd_cobbler_script_exec_t, httpd_zarafa_ra_content_t,
httpd_zarafa_rw_content_t, httpd_mediawiki_script_exec_t,
httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t,
httpd_apcupsd_cgi_content_t, httpd_mediawiki_ra_content_t,
httpd_mediawiki_rw_content_t, httpd_squid_ra_content_t,
httpd_squid_rw_content_t, httpd_apcupsd_cgi_ra_content_t,
httpd_apcupsd_cgi_rw_content_t, httpd_prewikka_content_t,
httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t,
httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t,
httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t,
httpd_dirsrvadmin_ra_content_t, httpd_dirsrvadmin_rw_content_t,
httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t,
httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t,
httpd_user_script_exec_t, httpd_bugzilla_content_t, httpd_mediawiki_content_t,
krb5_host_rcache_t, httpd_cobbler_content_t, httpd_apcupsd_cgi_script_exec_t,
httpd_dirsrvadmin_content_t, httpd_nagios_script_exec_t,
httpd_squid_script_exec_t, httpd_w3c_validator_ra_content_t,
httpd_w3c_validator_rw_content_t, httpd_awstats_ra_content_t,
httpd_awstats_rw_content_t, httpd_bugzilla_script_exec_t,
httpd_awstats_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t,
httpd_nutups_cgi_content_t, httpd_cobbler_ra_content_t,
httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t,
httpd_mojomojo_content_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t,
httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t,
httpd_sys_script_exec_t, httpd_git_script_exec_t, httpd_cvs_script_exec_t,
httpd_zarafa_script_exec_t, httpd_dirsrvadmin_script_exec_t,
httpd_mojomojo_script_exec_t, httpd_bugzilla_ra_content_t,
httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, root_t. You can
look at the httpd_selinux man page for additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                /srv/joomla/index.php [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.2.17-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-10.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.6-48.fc14.x86_64 #1
                              SMP Fri Oct 22 15:36:08 UTC 2010 x86_64 x86_64
Alert Count                   4
First Seen                    Thu 18 Nov 2010 11:25:20 PM MSK
Last Seen                     Thu 18 Nov 2010 11:25:35 PM MSK
Local ID                      21bf6e2a-7c4d-4def-9b4a-7824fe674923
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1290111935.708:6077): avc:  denied  { getattr } for  pid=23756 comm="httpd" path="/srv/joomla/index.php" dev=sda2 ino=9282 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1290111935.708:6077): arch=c000003e syscall=6 success=no exit=-13 a0=7f5f6e68a350 a1=7fff5376ec80 a2=7fff5376ec80 a3=fffffffffffff368 items=0 ppid=23748 pid=23756 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=229 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)



Hash String generated from  httpd_bad_labels,httpd,httpd_t,var_t,file,getattr
audit2allow suggests:

#============= httpd_t ==============
allow httpd_t var_t:file getattr;

Comment 1 Daniel Walsh 2010-11-18 20:31:10 UTC
You want to setup labeling for this directory

# semanage fcontext -a -t httpd_sys_content_t '/var/joomla(/.*)?'
# restorecon -R -v /var/joomla

Is this a standard location for joomla?  What is joomla?


Note You need to log in before you can comment on or make changes to this bug.