Bug 752213 - SELinux is preventing /usr/bin/perl from 'read' accesses on the file cpu-idle.rrd.
Summary: SELinux is preventing /usr/bin/perl from 'read' accesses on the file cpu-idle...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: i686
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:3ab526b424aced9b5ea70f41761...
Depends On:
Blocks:
 
Reported: 2011-11-08 20:44 UTC by Stefan Hellermann
Modified: 2011-11-21 00:00 UTC (History)

Fixed In Version: selinux-policy-3.10.0-56.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-11-21 00:00:05 UTC
Type: ---



Description Stefan Hellermann 2011-11-08 20:44:55 UTC
libreport version: 2.0.6
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.1.0-7.fc16.i686.PAE
reason:         SELinux is preventing /usr/bin/perl from 'read' accesses on the file cpu-idle.rrd.
time:           Tue Nov  8 21:41:26 2011

description:
:The package collectd-web tries to open files from /var/lib/collectd/ but fails.
:It should be allowed to read the files.
:
:--
:
:SELinux is preventing /usr/bin/perl from 'read' accesses on the file cpu-idle.rrd.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that perl should be allowed read access on the cpu-idle.rrd file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep graph.cgi /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:httpd_collectd_script_t:s0
:Target Context                system_u:object_r:collectd_var_lib_t:s0
:Target Objects                cpu-idle.rrd [ file ]
:Source                        graph.cgi
:Source Path                   /usr/bin/perl
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           perl-5.14.1-188.fc16
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-51.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.1.0-7.fc16.i686.PAE #1 SMP
:                              Tue Nov 1 20:53:45 UTC 2011 i686 i686
:Alert Count                   1
:First Seen                    Di 08 Nov 2011 21:35:22 CET
:Last Seen                     Di 08 Nov 2011 21:35:22 CET
:Local ID                      7597b145-f508-4cd6-9acf-088fa1450a21
:
:Raw Audit Messages
:type=AVC msg=audit(1320784522.670:503): avc:  denied  { read } for  pid=16809 comm="graph.cgi" name="cpu-idle.rrd" dev=sda6 ino=787640 scontext=system_u:system_r:httpd_collectd_script_t:s0 tcontext=system_u:object_r:collectd_var_lib_t:s0 tclass=file
:
:
:type=AVC msg=audit(1320784522.670:503): avc:  denied  { open } for  pid=16809 comm="graph.cgi" name="cpu-idle.rrd" dev=sda6 ino=787640 scontext=system_u:system_r:httpd_collectd_script_t:s0 tcontext=system_u:object_r:collectd_var_lib_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1320784522.670:503): arch=i386 syscall=open success=yes exit=ESRCH a0=8d6a618 a1=0 a2=1b6 a3=0 items=0 ppid=13997 pid=16809 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=graph.cgi exe=/usr/bin/perl subj=system_u:system_r:httpd_collectd_script_t:s0 key=(null)
:
:Hash: graph.cgi,httpd_collectd_script_t,collectd_var_lib_t,file,read
:
:audit2allow
:
:#============= httpd_collectd_script_t ==============
:allow httpd_collectd_script_t collectd_var_lib_t:file { read open };
:
:audit2allow -R
:
:#============= httpd_collectd_script_t ==============
:allow httpd_collectd_script_t collectd_var_lib_t:file { read open };
:

Comment 1 Stefan Hellermann 2011-11-08 20:47:09 UTC
The first error for the directory /var/lib/collectd/:

SELinux is preventing /usr/bin/perl from read access on the directory collectd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that perl should be allowed read access on the collectd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep index.cgi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_collectd_script_t:s0
Target Context                system_u:object_r:collectd_var_lib_t:s0
Target Objects                collectd [ dir ]
Source                        index.cgi
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          hel-stefan.lan
Source RPM Packages           perl-5.14.1-188.fc16
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-51.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     hel-stefan.lan
Platform                      Linux hel-stefan.lan 3.1.0-7.fc16.i686.PAE #1 SMP
                              Tue Nov 1 20:53:45 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Di 08 Nov 2011 21:35:18 CET
Last Seen                     Di 08 Nov 2011 21:35:22 CET
Local ID                      99937e2f-cc79-4fcb-8c92-880dd1425247

Raw Audit Messages
type=AVC msg=audit(1320784522.284:500): avc:  denied  { read } for  pid=16804 comm="index.cgi" name="collectd" dev=sda6 ino=786870 scontext=system_u:system_r:httpd_collectd_script_t:s0 tcontext=system_u:object_r:collectd_var_lib_t:s0 tclass=dir


type=AVC msg=audit(1320784522.284:500): avc:  denied  { open } for  pid=16804 comm="index.cgi" name="collectd" dev=sda6 ino=786870 scontext=system_u:system_r:httpd_collectd_script_t:s0 tcontext=system_u:object_r:collectd_var_lib_t:s0 tclass=dir


type=SYSCALL msg=audit(1320784522.284:500): arch=i386 syscall=openat success=yes exit=ESRCH a0=ffffff9c a1=8595170 a2=98800 a3=0 items=0 ppid=14000 pid=16804 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=index.cgi exe=/usr/bin/perl subj=system_u:system_r:httpd_collectd_script_t:s0 key=(null)

Hash: index.cgi,httpd_collectd_script_t,collectd_var_lib_t,dir,read

audit2allow

#============= httpd_collectd_script_t ==============
allow httpd_collectd_script_t collectd_var_lib_t:dir { read open };

audit2allow -R

#============= httpd_collectd_script_t ==============
allow httpd_collectd_script_t collectd_var_lib_t:dir { read open };
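
As an added illustration (not part of the bug report or of the selinux-policy project), the parser below rebuilds the `allow` rules that audit2allow derived from the two denials quoted in the description and in comment 1, and checks the paired SYSCALL records, whose `success=yes` shows the host was in permissive mode. The regexes, function names and the trimmed sample log are my own.

```python
"""Rebuild audit2allow-style rules from the raw AVC denials quoted in this bug."""
import re

# Constructed sample: the AVC/SYSCALL records from the description (serial 503)
# and comment 1 (serial 500); SYSCALL lines trimmed to the fields used here.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1320784522.670:503): avc:  denied  { read } for  pid=16809 comm="graph.cgi" name="cpu-idle.rrd" dev=sda6 ino=787640 scontext=system_u:system_r:httpd_collectd_script_t:s0 tcontext=system_u:object_r:collectd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1320784522.670:503): avc:  denied  { open } for  pid=16809 comm="graph.cgi" name="cpu-idle.rrd" dev=sda6 ino=787640 scontext=system_u:system_r:httpd_collectd_script_t:s0 tcontext=system_u:object_r:collectd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1320784522.670:503): arch=i386 syscall=open success=yes exit=ESRCH comm=graph.cgi exe=/usr/bin/perl
type=AVC msg=audit(1320784522.284:500): avc:  denied  { read } for  pid=16804 comm="index.cgi" name="collectd" dev=sda6 ino=786870 scontext=system_u:system_r:httpd_collectd_script_t:s0 tcontext=system_u:object_r:collectd_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1320784522.284:500): avc:  denied  { open } for  pid=16804 comm="index.cgi" name="collectd" dev=sda6 ino=786870 scontext=system_u:system_r:httpd_collectd_script_t:s0 tcontext=system_u:object_r:collectd_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1320784522.284:500): arch=i386 syscall=openat success=yes exit=ESRCH comm=index.cgi exe=/usr/bin/perl
"""

AVC_RE = re.compile(r'^type=AVC msg=audit\((?P<serial>[\d.]+:\d+)\): avc:\s+denied\s+\{ (?P<perms>[^}]+) \}'
                    r'.*?\bcomm="(?P<comm>[^"]*)".*?\bscontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\w+)')
SYSCALL_RE = re.compile(r'^type=SYSCALL msg=audit\((?P<serial>[\d.]+:\d+)\):.*?\bsuccess=(?P<success>yes|no)\b')


def parse_avc(line):
    """Return serial, comm, source/target *type* (third field of the context), tclass
    and the permission list for an AVC denial line; None for any other record."""
    m = AVC_RE.match(line)
    if not m:
        return None
    return {"serial": m.group("serial"), "comm": m.group("comm"), "tclass": m.group("tclass"),
            "stype": m.group("sctx").split(":")[2], "ttype": m.group("tctx").split(":")[2],
            "perms": m.group("perms").split()}


def build_allow_rules(log_text, comm=None):
    """Aggregate denials into 'allow SRC TGT:CLASS { perms };' lines, as the
    `grep <comm> audit.log | audit2allow` step does; `comm` mirrors the grep filter.
    Note the rule covers the whole target type, not just the denied file or directory."""
    rules = {}
    for avc in filter(None, map(parse_avc, log_text.splitlines())):
        if comm and avc["comm"] != comm:
            continue
        perms = rules.setdefault((avc["stype"], avc["ttype"], avc["tclass"]), [])
        perms.extend(p for p in avc["perms"] if p not in perms)  # keep first-seen order
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in rules.items()]


def denials_were_enforced(log_text):
    """For each denial serial, True if the paired SYSCALL record says success=no.
    success=yes next to an AVC denial (as on this host) means permissive mode: the
    access was logged but went through, so the fix matters before enforcing is on."""
    lines = log_text.splitlines()
    outcome = {m.group("serial"): m.group("success") == "no" for m in map(SYSCALL_RE.match, lines) if m}
    return {a["serial"]: outcome.get(a["serial"]) for a in filter(None, map(parse_avc, lines))}
```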

Comment 2 Daniel Walsh 2011-11-08 21:36:30 UTC
Fixed in selinux-policy-3.10.0-56.fc16

Comment 3 Fedora Update System 2011-11-16 15:22:24 UTC
selinux-policy-3.10.0-56.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-56.fc16

Comment 4 Fedora Update System 2011-11-17 23:30:02 UTC
Package selinux-policy-3.10.0-56.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-56.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16003/selinux-policy-3.10.0-56.fc16
then log in and leave karma (feedback).

Comment 5 Stefan Hellermann 2011-11-18 16:58:30 UTC
There are more selinux errors, reported in #755055

Comment 6 Fedora Update System 2011-11-21 00:00:05 UTC
selinux-policy-3.10.0-56.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
