Hide Forgot
SELinux is preventing /usr/bin/eu-unstrip from 'read' accesses on the directory /usr/lib/httpd/modules. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that eu-unstrip should be allowed read access on the modules directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep eu-unstrip /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:abrt_t:s0-s0:c0.c1023 Target Context system_u:object_r:httpd_modules_t:s0 Target Objects /usr/lib/httpd/modules [ dir ] Source eu-unstrip Source Path /usr/bin/eu-unstrip Port <Unknown> Host (removed) Source RPM Packages elfutils-0.152-1.fc15 Target RPM Packages httpd-2.2.17-10.fc15.1 Policy RPM selinux-policy-3.9.16-26.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 2.6.38.8-32.fc15.i686 #1 SMP Mon Jun 13 20:01:50 UTC 2011 i686 i686 Alert Count 1 First Seen Tue 21 Jun 2011 02:33:35 PM PDT Last Seen Tue 21 Jun 2011 02:33:35 PM PDT Local ID 6e1ee6e9-285a-4d02-b706-3c2ead69fbf7 Raw Audit Messages type=AVC msg=audit(1308692015.434:724): avc: denied { read } for pid=23709 comm="eu-unstrip" name="modules" dev=dm-0 ino=5767226 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir type=SYSCALL msg=audit(1308692015.434:724): arch=i386 syscall=open success=yes exit=EMFILE a0=903a2c0 a1=8000 a2=0 a3=bf9c84c0 items=0 ppid=23706 pid=23709 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=eu-unstrip exe=/usr/bin/eu-unstrip subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null) Hash: eu-unstrip,abrt_t,httpd_modules_t,dir,read audit2allow #============= abrt_t ============== allow abrt_t httpd_modules_t:dir read; audit2allow -R #============= abrt_t ============== allow abrt_t httpd_modules_t:dir read; I ran into this when I built a new Apache module (mod_jk) from source. The steps to reproduce this are as follows: 1. Download tomcat-connectors-1.2.31-src from tomcat.apache.org 2. Unpack 3. cd to tomcat-connectors-1.2.31-src/native 4. configure with --with-apxs=/usr/sbin/apxs --with-java-home=/usr/java (using Oracle's 1.6.0_26) 5. Install by copying (as root) to /etc/httpd/modules (bad model, I know) 6. Execute systemctl restart httpd.service ls -Z shows that all modules have the same SELinux info: -rwxr-xr-x. root root system_u:object_r:httpd_modules_t:s0 mod_jk.so
Any idea why eu-unstrip is listing the contents of /etc/httpd/modules?
Looks to me that module fails and abrt tries to strip out debuginfo hash from .so
I just rebuilt and re-installed the module. My test web application (simple cluster application with three Tomcats) works as expected. Clustering works as expected. I did see some unexpected segmentation faults from a few days ago, but nothing that directly relates to the installation. I imagine that this was possibly due to an Apache upgrade during preupgrade and I didn't rebuild this module. I made a poor choice of policy names when I added the policy (httpdpol), but it doesn't seem to have created a name collision. Unloading it and rerunning the application doesn't raise an alert. I think I'm going to chalk this up to bad install practice, although I don't see any difference in what was added to /usr/lib/httpd/modules by running make install. I apologize for what appears to be a false alarm. Please close the bug.
Miroslav I updated rawhide to allow this cc6210ebfd15b3d3b480c7dc28744ed9bf0186b3 I think we should back port this to RHEL6 and F14, F15