Bug 821645 - SELinux is preventing /usr/sbin/lighttpd from 'create' accesses on the sock_file php-fastcgi-1.socket-0.
Summary: SELinux is preventing /usr/sbin/lighttpd from 'create' accesses on the sock_f...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: lighttpd
Version: 16
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Matthias Saou
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:11dec72108549388a7cf13fa9e8...
Depends On:
Blocks:
Reported: 2012-05-15 08:30 UTC by Stefan
Modified: 2014-01-30 13:23 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-14 01:56:36 UTC
Type: ---
Embargoed:



Description Stefan 2012-05-15 08:30:13 UTC
libreport version: 2.0.8
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.3.4-3.fc16.x86_64
reason:         SELinux is preventing /usr/sbin/lighttpd from 'create' accesses on the sock_file php-fastcgi-1.socket-0.
time:           Di 15 Mai 2012 10:17:05 CEST

description:
:SELinux is preventing /usr/sbin/lighttpd from 'create' accesses on the sock_file php-fastcgi-1.socket-0.
:
:*****  Plugin catchall_labels (83.8 confidence) suggests  ********************
:
:If sie wollen dem lighttpd den Zugriff create auf php-fastcgi-1.socket-0 sock_file erlauben
:Then you need to change the label on php-fastcgi-1.socket-0
:Do
:# semanage fcontext -a -t FILE_TYPE 'php-fastcgi-1.socket-0'
:where FILE_TYPE is one of the following: httpd_tmp_t, httpd_tmpfs_t, dirsrv_var_run_t, httpd_var_run_t, systemd_passwd_var_run_t, passenger_var_run_t. 
:Then execute: 
:restorecon -v 'php-fastcgi-1.socket-0'
:
:
:*****  Plugin catchall (17.1 confidence) suggests  ***************************
:
:If you believe that lighttpd should be allowed create access on the php-fastcgi-1.socket-0 sock_file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep lighttpd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:httpd_t:s0
:Target Context                system_u:object_r:var_lib_t:s0
:Target Objects                php-fastcgi-1.socket-0 [ sock_file ]
:Source                        lighttpd
:Source Path                   /usr/sbin/lighttpd
:Port                          <Unbekannt>
:Host                          (removed)
:Source RPM Packages           lighttpd-1.4.28-3.fc16.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-84.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed)
:                              3.3.4-3.fc16.x86_64 #1 SMP Thu May 3 14:46:44 UTC
:                              2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    Di 15 Mai 2012 10:14:15 CEST
:Last Seen                     Di 15 Mai 2012 10:14:15 CEST
:Local ID                      736c1397-f2df-4a33-9bb6-b15b3a7fbeca
:
:Raw Audit Messages
:type=AVC msg=audit(1337069655.264:213): avc:  denied  { create } for  pid=1890 comm="lighttpd" name="php-fastcgi-1.socket-0" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file
:
:
:type=SYSCALL msg=audit(1337069655.264:213): arch=x86_64 syscall=bind success=no exit=EACCES a0=5 a1=7fffbb47bd70 a2=32 a3=7fffbb47bd6c items=0 ppid=1 pid=1890 auid=4294967295 uid=992 gid=989 euid=992 suid=992 fsuid=992 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=lighttpd exe=/usr/sbin/lighttpd subj=system_u:system_r:httpd_t:s0 key=(null)
:
:Hash: lighttpd,httpd_t,var_lib_t,sock_file,create
:
:audit2allow
:
:#============= httpd_t ==============
:allow httpd_t var_lib_t:sock_file create;
:
:audit2allow -R
:
:#============= httpd_t ==============
:allow httpd_t var_lib_t:sock_file create;
:
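
The raw AVC record in the report above can be read field by field. The following is an added example, not part of the original report or of setroubleshoot: it parses that record, reproduces the rule shown under audit2allow, and checks the target type against the FILE_TYPE list printed by the catchall_labels plugin. The function names and the constructed sample string are assumptions of this example.

```python
import re

# Constructed sample: the AVC record quoted in the report, as one string.
SAMPLE_AVC = (
    'type=AVC msg=audit(1337069655.264:213): avc:  denied  { create } for  '
    'pid=1890 comm="lighttpd" name="php-fastcgi-1.socket-0" '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=sock_file'
)

# FILE_TYPE values listed by the catchall_labels plugin in the report.
SUGGESTED_TYPES = {
    "httpd_tmp_t", "httpd_tmpfs_t", "dirsrv_var_run_t",
    "httpd_var_run_t", "systemd_passwd_var_run_t", "passenger_var_run_t",
}

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the type is always the third field.
    for out, key in (("source_type", "scontext"), ("target_type", "tcontext")):
        parts = fields.get(key, "").split(":")
        if len(parts) < 3:
            return None
        fields[out] = parts[2]
    return fields if "tclass" in fields else None


def allow_rule(d):
    """Render the type-enforcement rule that corresponds to this denial."""
    perms = d["perms"]
    perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {d['source_type']} {d['target_type']}:{d['tclass']} {perm_txt};"


def is_labeling_problem(d):
    """True when the target carries a type outside the plugin's suggested set."""
    return d["target_type"] not in SUGGESTED_TYPES
```

For the record in this report the target type is the generic var_lib_t, which is outside the suggested set, so the check points at the label on the socket directory rather than at a new allow rule.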

Comment 1 Daniel Walsh 2012-05-16 03:33:49 UTC
What directory is it attempting to create this socket in?

Comment 2 Stefan 2012-05-16 07:57:34 UTC
It's /var/lib/lighttpd/sockets

# ls -lZ /var/lib/lighttpd/sockets/php-fastcgi-*
srwxr-xr-x. lighttpd lighttpd system_u:object_r:var_lib_t:s0   /var/lib/lighttpd/sockets/php-fastcgi-1.socket-0
srwxr-xr-x. lighttpd lighttpd system_u:object_r:var_lib_t:s0   /var/lib/lighttpd/sockets/php-fastcgi-2.socket-0

# ls -ldZ /var/lib/lighttpd/sockets
drwxrwxrwx. lighttpd lighttpd unconfined_u:object_r:var_lib_t:s0 /var/lib/lighttpd/sockets

Comment 3 Miroslav Grepl 2012-05-16 12:34:50 UTC
Execute

# chcon -R -t httpd_var_lib_t /var/lib/lighttpd

Also what does

# rpm -qf /var/lib/lighttpd

Comment 4 Stefan 2012-05-22 09:38:31 UTC
# LANG=C rpm -qf /var/lib/lighttpd
file /var/lib/lighttpd is not owned by any package

But /etc/lighttpd/lighttpd.conf says:
var.home_dir    = "/var/lib/lighttpd"

which is the default as shipped by Fedora.

Comment 5 Fedora End Of Life 2013-02-14 01:56:48 UTC
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 6 Stefan 2014-01-30 13:23:04 UTC
Just a note if someone stumbles upon this:

# chcon -R -t httpd_var_run_t /var/lib/lighttpd

worked for me.

