Description of problem:
SELinux is preventing /usr/sbin/httpd from 'search' accesses on the directory saslauthd.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that httpd should be allowed search access on the saslauthd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep /usr/sbin/httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:saslauthd_var_run_t:s0
Target Objects                saslauthd [ dir ]
Source                        /usr/sbin/httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.4.4-2.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-92.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.2-200.fc18.x86_64 #1 SMP Mon May 13 13:59:47 UTC 2013 x86_64 x86_64
Alert Count                   24
First Seen                    2013-05-15 06:14:59 EDT
Last Seen                     2013-05-21 09:45:11 EDT
Local ID                      43731d87-3e52-4c25-8455-4720f47b9d7a

Raw Audit Messages
type=AVC msg=audit(1369143911.990:326): avc: denied { search } for pid=2237 comm="/usr/sbin/httpd" name="saslauthd" dev="tmpfs" ino=14095 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:saslauthd_var_run_t:s0 tclass=dir

type=SYSCALL msg=audit(1369143911.990:326): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f48e9d1b3b0 a1=7fff5a390e00 a2=7fff5a390e00 a3=fffff000 items=0 ppid=1898 pid=2237 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=/usr/sbin/httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: /usr/sbin/httpd,httpd_t,saslauthd_var_run_t,dir,search

audit2allow

#============= httpd_t ==============
allow httpd_t saslauthd_var_run_t:dir search;

audit2allow -R

require {
	type httpd_t;
}

#============= httpd_t ==============
sasl_connect(httpd_t)

Additional info:
hashmarkername: setroubleshoot
kernel:         3.9.2-200.fc18.x86_64
type:           libreport
Do you use mod_authn_sasl? Or is /var/run/saslauthd mountpoint?
SELinux is preventing /usr/sbin/httpd from search access on the directory saslauthd.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that httpd should be allowed search access on the saslauthd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:saslauthd_var_run_t:s0
Target Objects                saslauthd [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.4.4-3.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-97.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.4-200.fc18.x86_64 #1 SMP Fri May 24 20:10:49 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-06-09 22:52:44 EDT
Last Seen                     2013-06-09 22:52:44 EDT
Local ID                      feb2ebac-f721-4c32-9895-83e295cc09de

Raw Audit Messages
type=AVC msg=audit(1370832764.302:333): avc: denied { search } for pid=1830 comm="httpd" name="saslauthd" dev="tmpfs" ino=13245 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:saslauthd_var_run_t:s0 tclass=dir

type=SYSCALL msg=audit(1370832764.302:333): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f1eaebd2df0 a1=7fff1bf55950 a2=7fff1bf55950 a3=fffff000 items=0 ppid=1410 pid=1830 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,saslauthd_var_run_t,dir,search

audit2allow

#============= httpd_t ==============
allow httpd_t saslauthd_var_run_t:dir search;

audit2allow -R

require {
	type httpd_t;
}

#============= httpd_t ==============
sasl_connect(httpd_t)
$ httpd -M
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 access_compat_module (shared)
 actions_module (shared)
 alias_module (shared)
 allowmethods_module (shared)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_anon_module (shared)
 authn_core_module (shared)
 authn_dbd_module (shared)
 authn_dbm_module (shared)
 authn_file_module (shared)
 authn_socache_module (shared)
 authz_core_module (shared)
 authz_dbd_module (shared)
 authz_dbm_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_owner_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cache_module (shared)
 cache_disk_module (shared)
 data_module (shared)
 dbd_module (shared)
 deflate_module (shared)
 dir_module (shared)
 dumpio_module (shared)
 echo_module (shared)
 env_module (shared)
 expires_module (shared)
 ext_filter_module (shared)
 filter_module (shared)
 headers_module (shared)
 include_module (shared)
 info_module (shared)
 log_config_module (shared)
 logio_module (shared)
 mime_magic_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 remoteip_module (shared)
 reqtimeout_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)
 slotmem_plain_module (shared)
 slotmem_shm_module (shared)
 socache_dbm_module (shared)
 socache_memcache_module (shared)
 socache_shmcb_module (shared)
 status_module (shared)
 substitute_module (shared)
 suexec_module (shared)
 unique_id_module (shared)
 unixd_module (shared)
 userdir_module (shared)
 version_module (shared)
 vhost_alias_module (shared)
 dav_module (shared)
 dav_fs_module (shared)
 dav_lock_module (shared)
 lua_module (shared)
 mpm_prefork_module (shared)
 proxy_module (shared)
 lbmethod_bybusyness_module (shared)
 lbmethod_byrequests_module (shared)
 lbmethod_bytraffic_module (shared)
 lbmethod_heartbeat_module (shared)
 proxy_ajp_module (shared)
 proxy_balancer_module (shared)
 proxy_connect_module (shared)
 proxy_express_module (shared)
 proxy_fcgi_module (shared)
 proxy_fdpass_module (shared)
 proxy_ftp_module (shared)
 proxy_http_module (shared)
 proxy_scgi_module (shared)
 systemd_module (shared)
 cgi_module (shared)
 dnssd_module (shared)
 php5_module (shared)
$ stat /var/run/saslauthd/
  File: ‘/var/run/saslauthd/’
  Size: 40              Blocks: 0          IO Block: 4096   directory
Device: 11h/17d         Inode: 13245       Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:saslauthd_var_run_t:s0
Access: 2013-06-09 23:06:39.726149745 -0400
Modify: 2013-06-09 22:52:29.246268958 -0400
Change: 2013-06-09 22:52:29.246268958 -0400
 Birth: -
We have got more of these bugs on httpd+sasl.

commit 2a997ec81c05e7204d1c749523cf2f31938ac167
Author: Miroslav Grepl <mgrepl>
Date:   Thu Jun 13 12:58:02 2013 +0200

    Add httpd_use_sasl boolean
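As an added example (not part of this bug report), a small shell script that pulls the source type, target type, object class and permission out of AVC records like the ones pasted above and flags the httpd_t -> saslauthd_var_run_t case as one the httpd_use_sasl boolean from the commit above covers, so an administrator can turn on the boolean instead of loading a broad local audit2allow module. The sample log lines are constructed, and the boolean table is an assumption that only knows this report's case.

```shell
#!/bin/sh
# Added example, not from the bug report: triage AVC denials before
# reaching for audit2allow. A denial that a shipped boolean already
# covers should be fixed with setsebool, not with a custom module.

# Constructed sample: the AVC record from this report plus an unrelated
# httpd_t denial so the "no boolean" path is exercised too.
SAMPLE_AVC='type=AVC msg=audit(1370832764.302:333): avc:  denied  { search } for  pid=1830 comm="httpd" name="saslauthd" dev="tmpfs" ino=13245 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:saslauthd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1370832800.100:340): avc:  denied  { write } for  pid=1830 comm="httpd" name="index.html" dev="sda1" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# Print "source_type target_type class permission" for each AVC line on stdin.
# The type is the third colon-separated field of scontext/tcontext.
avc_fields() {
    sed -n 's/.*denied *[{] \([a-z_]*\) [}].*scontext=[^:]*:[^:]*:\([a-z0-9_]*\):.*tcontext=[^:]*:[^:]*:\([a-z0-9_]*\):.*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p'
}

# Map a (source type, target type) pair to the boolean that allows it.
# Assumption: only the pair from this report is known; extend as needed.
boolean_for() {
    # $1=source type  $2=target type  $3=class  $4=permission
    case "$1:$2" in
        httpd_t:saslauthd_var_run_t) echo httpd_use_sasl ;;
        *) echo none ;;
    esac
}

# Walk the sample and say, per denial, whether a boolean covers it.
triage() {
    printf '%s\n' "$SAMPLE_AVC" | avc_fields | while read -r s t c p; do
        b=$(boolean_for "$s" "$t" "$c" "$p")
        if [ "$b" = none ]; then
            echo "$s -> $t ($c $p): no known boolean; investigate before audit2allow"
        else
            echo "$s -> $t ($c $p): covered by $b; run: setsebool -P $b on"
        fi
    done
}

triage
```

On a live system replace the embedded sample with `ausearch -m avc -ts recent` output and confirm the boolean exists with `getsebool httpd_use_sasl` (it arrives with selinux-policy-3.11.1-98.fc18).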
selinux-policy-3.11.1-98.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-98.fc18
Package selinux-policy-3.11.1-98.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-98.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-11859/selinux-policy-3.11.1-98.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-98.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.