SELinux is preventing /usr/sbin/httpd from 'setattr' accesses on the archivo .htaccess.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that httpd should be allowed setattr access on the .htaccess file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:user_home_t:s0
Target Objects                .htaccess [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Desconocido>
Host                          (removed)
Source RPM Packages           httpd-2.2.21-1.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-38.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40.4-5.fc15.i686.PAE #1 SMP Tue Aug 30 14:43:52 UTC 2011 i686 i686
Alert Count                   1
First Seen                    dom 25 sep 2011 19:03:51 CEST
Last Seen                     dom 25 sep 2011 19:03:51 CEST
Local ID                      dda8300f-ae0e-4a00-b8fe-3662d8136dd6

Raw Audit Messages
type=AVC msg=audit(1316970231.589:176): avc: denied { setattr } for pid=8106 comm="httpd" name=".htaccess" dev=dm-2 ino=5901645 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file

type=SYSCALL msg=audit(1316970231.589:176): arch=i386 syscall=chmod success=yes exit=0 a0=21548760 a1=124 a2=12e907c a3=21a98120 items=0 ppid=8096 pid=8106 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,user_home_t,file,setattr

audit2allow

#============= httpd_t ==============
allow httpd_t user_home_t:file setattr;

audit2allow -R

#============= httpd_t ==============
allow httpd_t user_home_t:file setattr;
I installed drupal on a user home folder. When I access it I get this report.
Label the drupal content using the httpd user content types. That way httpd_t (drupal) can interact with it as well as the user.

There are various httpd user content types that you can use depending on what access httpd_t (drupal) needs to it:

httpd_user_content_t: (httpd_t, drupal) can only read this content (for static web content, readable directories)
httpd_user_content_rw_t: (httpd_t, drupal) can read and write this content (and setattr, upload directories etc)
httpd_user_content_ra_t: (httpd_t, drupal) can read and append this content (log files in user home directories)
httpd_user_htaccess_t: roughly the same as httpd_user_content_t
httpd_user_script_exec_t: for user cgi scripts.

Labelling the content properly is important if you want to protect access to the content.

Example of how to give httpd_t (any webapp that runs in the httpd_t domain, including drupal) full access to /home/joe/drupal(/.*)? :

semanage fcontext -a -t httpd_user_content_rw_t "/home/joe/drupal(/.*)?"
restorecon -R -v /home/joe/drupal

Now /home/joe/drupal should be labelled httpd_user_content_rw_t (ls -alZ /home/joe/drupal to confirm). This:

allows httpd_t to manage everything in /home/joe/drupal
allows users to manage everything in /home/joe/drupal

It is preferred that you use a more fine grained labelling solution using the types explained above so that httpd_t (drupal etc) can only write to the files strictly required instead of all of /home/joe/drupal.

---

This is not a bug
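An added example (not code from this bug report) that does the triage described above in code: it parses the raw AVC line from the report, maps the denied permission to the least-privileged httpd user content type, and builds the semanage/restorecon commands with a read-only default and read-write only for the subdirectories that need it. The site root /home/joe/drupal and the sites/default/files subdirectory are assumptions, as is the grouping of permissions into read-only/append/read-write.

```python
import re
import shlex

# Permission classes grouped by the httpd user content type that covers them
# (assumed grouping, derived from the descriptions of the types above).
RO_PERMS = {"read", "getattr", "open", "lock", "ioctl"}
APPEND_PERMS = {"append"}
RW_PERMS = {"write", "setattr", "create", "unlink", "rename", "link"}

# Raw AVC line taken from the bug report, used here as sample input.
SAMPLE_AVC = ('type=AVC msg=audit(1316970231.589:176): avc: denied { setattr } for '
              'pid=8106 comm="httpd" name=".htaccess" dev=dm-2 ino=5901645 '
              'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file')

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Extract denied permissions, source/target types and object class from an AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["perms"] = set(d["perms"].split())
    d["source_type"] = d["scontext"].split(":")[2]  # e.g. httpd_t
    d["target_type"] = d["tcontext"].split(":")[2]  # e.g. user_home_t
    return d

def recommended_type(perms):
    """Least-privileged httpd user content type that grants the denied permissions."""
    if perms & RW_PERMS:
        return "httpd_user_content_rw_t"
    if perms & APPEND_PERMS:
        return "httpd_user_content_ra_t"
    if perms <= RO_PERMS:
        return "httpd_user_content_t"
    return None  # e.g. execute: that is httpd_user_script_exec_t, not a content type

def fcontext_commands(root, rw_subdirs):
    """Label a site read-only by default and read-write only where httpd_t must write.

    Narrower than labelling the whole tree rw, and narrower than the audit2allow rule
    in the report, which would grant httpd_t setattr on every user_home_t file."""
    cmds = [f'semanage fcontext -a -t httpd_user_content_t "{root}(/.*)?"']
    for sub in rw_subdirs:  # later rules win for the more specific paths
        cmds.append(f'semanage fcontext -a -t httpd_user_content_rw_t "{root}/{sub}(/.*)?"')
    cmds.append(f"restorecon -R -v {shlex.quote(root)}")
    return cmds
```

Confirm the result afterwards with ls -alZ on the site root and the read-write subdirectory, as suggested above.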
Also you can use

# man httpd_selinux

which should also help you.

Or you could install it to /var/lib/drupal for which location we have default SELinux labeling.

# matchpathcon /var/lib/drupal
/var/lib/drupal	system_u:object_r:httpd_sys_rw_content_t:s0

So it would work by default for you with this location.
Thanks about the comments!!! And sorry about the fake bug report :(
No problem, is your issue solved?
Yes Miroslav, I have labeled it as Dominick suggested and I haven't got any report. Thanks to all!