SELinux is preventing /usr/bin/php-cgi from 'read' accesses on the file psched.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that php-cgi should be allowed read access on the psched file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep php-cgi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:proc_net_t:s0
Target Objects                psched [ file ]
Source                        php-cgi
Source Path                   /usr/bin/php-cgi
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           php-cli-5.3.6-2.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-21.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.4-20.fc15.x86_64 #1 SMP Thu Apr 28 23:32:48 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Tue 03 May 2011 02:20:48 PM MSD
Last Seen                     Tue 03 May 2011 02:29:18 PM MSD
Local ID                      5d638f7d-df60-4dd1-bad3-69ca81e02141

Raw Audit Messages
type=AVC msg=audit(1304418558.438:1803): avc: denied { read } for pid=12973 comm="php-cgi" name="psched" dev=proc ino=4026531962 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file

type=SYSCALL msg=audit(1304418558.438:1803): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff395fd1d0 a1=0 a2=1b6 a3=4 items=0 ppid=12972 pid=12973 auid=4294967295 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=(none) ses=4294967295 comm=php-cgi exe=/usr/bin/php-cgi subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: php-cgi,httpd_t,proc_net_t,file,read

audit2allow

#============= httpd_t ==============
allow httpd_t proc_net_t:file read;

audit2allow -R

#============= httpd_t ==============
allow httpd_t proc_net_t:file read;

You will need to allow it using a local policy because that would allow all apache processes to read network config.

# grep php-cgi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Do you know what 'psched' is?

(In reply to comment #1)
> You will need to allow it using a local policy because that would allow all
> apache processes to read network config.

Ok: Thx

> # grep php-cgi /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
>
> Do you know what 'psched' is?
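
Added example, not part of the original thread and not audit2allow's own code: a small Python parser for the AVC record quoted in the report, showing that the allow rule is built only from the source type, target type, class and permission, which is why comment #1 says it would apply to all Apache processes. The second sample line and all function names are constructed for illustration.

```python
import re

# Constructed sample input: PAGE_AVC is the AVC record quoted in the report;
# OTHER_AVC is a made-up denial with a different comm and name.
PAGE_AVC = (
    'type=AVC msg=audit(1304418558.438:1803): avc: denied { read } for '
    'pid=12973 comm="php-cgi" name="psched" dev=proc ino=4026531962 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:proc_net_t:s0 tclass=file'
)
OTHER_AVC = (
    'type=AVC msg=audit(0.000:0): avc: denied { read } for pid=1 '
    'comm="httpd" name="dev" dev=proc ino=1 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:proc_net_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    fields['perms'] = m.group(1).split()
    return fields


def context_type(context):
    """Type is the third field of user:role:type[:level]."""
    return context.split(':')[2]


def allow_rule(avc):
    """Build the type-enforcement rule; only types, class and perms are used."""
    perms = avc['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow {} {}:{} {};'.format(context_type(avc['scontext']),
                                       context_type(avc['tcontext']),
                                       avc['tclass'], perm_text)


def unconstrained(avc):
    """Fields present in the denial that the resulting rule does not restrict."""
    return {k: avc[k] for k in ('comm', 'name') if k in avc}
```

Both sample denials produce the same rule as the audit2allow output in the report, so filtering the audit log with grep php-cgi selects which denials are fed in but does not limit the rule to php-cgi or to psched.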