Description of problem:
SELinux prevents access to new location /var/lib/mod_security/<file> where file is ip.dir, etc.

Version-Release number of selected component (if applicable):
2.7.3-1

How reproducible:
Always.

Steps to Reproduce:
1. Install mod_security-2.7.3-1 on a machine with SELinux set to enforcing, and update the mod_security.conf in /etc/httpd/conf.d
2. Restart httpd service.
3. Access web server.

Actual results:
SELinux prevents access to the temporary files whose location was changed with this release.

Expected results:
SELinux policy for mod_security should be configured to allow this access.

Additional info:
Hi Mike, Can you attach the AVC message from the troubleshooting GUI or /var/log/audit/audit.log?
Also can you retry after running the following command: chcon -R system_u:object_r:httpd_var_lib_t /var/lib/mod_security
Here is the AVC (from the GUI):
------------------------------------
Raw Audit Messages
type=AVC msg=audit(1367166517.82:2007): avc: denied { write } for pid=13097 comm="httpd" name="ip.dir" dev="sdb3" ino=528654 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1367166517.82:2007): arch=x86_64 syscall=open success=no exit=EACCES a0=7f4d5f12e798 a1=80042 a2=1a0 a3=1468 items=0 ppid=24489 pid=13097 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
-------------------------------------

And here is the output from the chcon:
---------------------------------------
chcon -R system_u:object_r:httpd_var_lib_t /var/lib/mod_security
chcon: failed to change context of `ip.pag' to `system_u:object_r:httpd_var_lib_t': Invalid argument
chcon: failed to change context of `global.pag' to `system_u:object_r:httpd_var_lib_t': Invalid argument
chcon: failed to change context of `ip.dir' to `system_u:object_r:httpd_var_lib_t': Invalid argument
chcon: failed to change context of `global.dir' to `system_u:object_r:httpd_var_lib_t': Invalid argument
chcon: failed to change context of `/var/lib/mod_security' to `system_u:object_r:httpd_var_lib_t': Invalid argument
---------------------------------------

So I switched it to "chcon -R -t httpd_var_lib_t /var/lib/mod_security" which seemed to clear up the problem. Sorry about the response delay, I was called out of town abruptly. Please let me know if you need anything else.
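The following is an added example, not code from the bug thread or from mod_security: it parses the AVC record quoted above, pulls out the source and target SELinux types, and, when the target file carries a type other than the one httpd is allowed to write under /var/lib, emits the persistent relabel (semanage fcontext plus restorecon) instead of the one-off chcon. The expected type httpd_var_lib_t is an assumption taken from the working chcon command in the thread, not a query of the installed policy.

```python
import re
import shlex

# Sample input: the AVC record quoted in the bug report. The file at the new
# /var/lib/mod_security location still carried the generic var_lib_t label.
SAMPLE_AVC = (
    'type=AVC msg=audit(1367166517.82:2007): avc: denied { write } for pid=13097 '
    'comm="httpd" name="ip.dir" dev="sdb3" ino=528654 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file'
)

# Type httpd_t may write under /var/lib (assumption taken from the thread's
# working chcon command, not looked up in the installed policy).
EXPECTED_TYPE = "httpd_var_lib_t"

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")


def parse_avc(line):
    """Split one audit.log AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for tok in shlex.split(m.group(3)):  # shlex strips the quotes on comm= and name=
        key, _, val = tok.partition("=")
        rec[key] = val
    # Contexts are user:role:type:level; the type is what a relabel acts on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def suggest_relabel(rec, directory, expected_type=EXPECTED_TYPE):
    """Return the persistent fix for a denial caused by a mislabelled target.

    semanage fcontext records the rule so restorecon keeps it; the reporter's
    chcon works too but is undone by the next restorecon. None if nothing to fix.
    """
    if rec is None or rec["result"] != "denied" or rec["ttype"] == expected_type:
        return None
    return [
        f'semanage fcontext -a -t {expected_type} "{directory}(/.*)?"',
        f"restorecon -Rv {directory}",
    ]


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(f'{rec["comm"]} ({rec["stype"]}) denied {rec["perms"]} on {rec["name"]} labelled {rec["ttype"]}')
    for cmd in suggest_relabel(rec, "/var/lib/mod_security"):
        print(cmd)
```

Run it against `grep avc: /var/log/audit/audit.log` line by line to turn each denial into the matching fcontext rule; records that already carry the expected type produce nothing.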
Hi Mike, I've filed a separate bug report[1] against selinux-policy. [1] https://bugzilla.redhat.com/show_bug.cgi?id=957522
Thanks! As soon as I see an update, I'll make sure and test it.
Whoops - went to test the posted update, but it's only targeting Fedora 18 - I'm still on 17, so can't test it :-(