Description of problem: This happened after I installed munin-cgi and started httpd. SELinux is preventing /usr/bin/perl from 'search' accesses on the directory /etc/munin. ***** Plugin catchall (100. confidence) suggests *************************** If sie denken, dass perl standardmässig erlaubt sein sollte, search Zugriff auf munin directory zu erhalten. Then sie sollten dies als Fehler melden. Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen. Do zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen: # grep munin-cgi-html /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:httpd_sys_script_t:s0 Target Context system_u:object_r:munin_etc_t:s0 Target Objects /etc/munin [ dir ] Source munin-cgi-html Source Path /usr/bin/perl Port <Unbekannt> Host (removed) Source RPM Packages perl-5.14.3-218.fc17.x86_64 Target RPM Packages munin-node-2.0.9-2.fc17.noarch munin-2.0.9-2.fc17.noarch Policy RPM selinux-policy-3.10.0-161.fc17.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.6.10-2.fc17.x86_64 #1 SMP Tue Dec 11 18:07:34 UTC 2012 x86_64 x86_64 Alert Count 1 First Seen 2012-12-14 18:01:42 CET Last Seen 2012-12-14 18:01:42 CET Local ID b01fd5f8-aaa4-40a4-9561-94a8e647b0fa Raw Audit Messages type=AVC msg=audit(1355504502.993:126): avc: denied { search } for pid=4452 comm="munin-cgi-html" name="munin" dev="dm-1" ino=799418 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:munin_etc_t:s0 tclass=dir type=SYSCALL msg=audit(1355504502.993:126): arch=x86_64 syscall=stat success=no exit=EACCES a0=1aeab90 a1=172b138 a2=172b138 a3=20 items=0 ppid=4409 pid=4452 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=munin-cgi-html exe=/usr/bin/perl subj=system_u:system_r:httpd_sys_script_t:s0 key=(null) Hash: munin-cgi-html,httpd_sys_script_t,munin_etc_t,dir,search audit2allow #============= httpd_sys_script_t ============== allow httpd_sys_script_t munin_etc_t:dir search; audit2allow -R #============= httpd_sys_script_t ============== allow httpd_sys_script_t munin_etc_t:dir search; Additional info: hashmarkername: setroubleshoot kernel: 3.6.10-2.fc17.x86_64 type: libreport
Where is the CGI script located?
There are the following scripts: /var/www/cgi-bin/munin-cgi-graph /var/www/cgi-bin/munin-cgi-html
Could you try to execute # chcon -t httpd_munin_script_exec_t /var/www/cgi-bin/munin-cgi-graph /var/www/cgi-bin/munin-cgi-html
(In reply to comment #3) > Could you try to execute > > # chcon -t httpd_munin_script_exec_t /var/www/cgi-bin/munin-cgi-graph > /var/www/cgi-bin/munin-cgi-html after this I get these AVCs: type=AVC msg=audit(1355788896.191:17943): avc: denied { search } for pid=7499 comm="munin-cgi-html" name="munin" dev="dm-1" ino=799418 scontext=system_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:munin_etc_t:s0 tclass=dir type=SYSCALL msg=audit(1355788896.191:17943): arch=x86_64 syscall=stat success=no exit=EACCES a0=111cb90 a1=d5d138 a2=d5d138 a3=20 items=0 ppid=7345 pid=7499 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=munin-cgi-html exe=/usr/bin/perl subj=system_u:system_r:httpd_munin_script_t:s0 key=(null) type=AVC msg=audit(1355788896.191:17944): avc: denied { search } for pid=7499 comm="munin-cgi-html" name="lib" dev="dm-1" ino=15 scontext=system_u:system_r:httpd_munin_script_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=SYSCALL msg=audit(1355788896.191:17944): arch=x86_64 syscall=stat success=no exit=EACCES a0=111cb90 a1=d5d138 a2=d5d138 a3=0 items=0 ppid=7345 pid=7499 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=munin-cgi-html exe=/usr/bin/perl subj=system_u:system_r:httpd_munin_script_t:s0 key=(null)
I added fixes.
selinux-policy-3.10.0-166.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-166.fc17
Package selinux-policy-3.10.0-166.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-166.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-166.fc17 then log in and leave karma (feedback).
selinux-policy-3.10.0-166.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.