SELinux blocks apachectl from stopping apache

Kurian @ GnuHack kurian at gnuhack.com
Wed Jul 9 11:46:48 UTC 2014


Been away from SELinux for a very long time. But will changing the
context of apachectl to httpd_exec_t help?

Regards,
Kurian.

On 07/09/2014 05:13 PM, Konopka.Andre wrote:
> Hi list,
>
> I use a self-compiled apache-2.2.27 on a CentOS6.5 box.
>
> I run into trouble with the apachectl command.
>
> If I try to stop apache with 'apachectl stop' it complains:
>
> (13)Permission denied: Error retrieving pid file run/httpd.pid
> Remove it before continuing if it is corrupted.
>
> Audit logs show the problem:
>
> type=AVC msg=audit(1404897126.819:7069): avc:  denied  { read } for 
> pid=23031 comm="httpd" name="httpd.pid" dev=dm-0 ino=529958
> scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
>
> type=SYSCALL msg=audit(1404897126.819:7069): arch=c000003e syscall=2
> success=no exit=-13 a0=7ff99e37eff0 a1=80000 a2=1b6 a3=1 items=0
> ppid=23029 pid=23031 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts0 ses=1 comm="httpd" exe="/usr/sbin/httpd"
> subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>
> BTW Stopping apache with 'httpd -k stop' works fine.
>
> [root@centos1 conf]# ls -lZ /usr/sbin/apachectl
> -rwxr-xr-x. root root system_u:object_r:initrc_exec_t:s0
> /usr/sbin/apachectl
> [root@centos1 conf]#
>
> [root@centos1 conf]# ls -lZ /usr/sbin/httpd
> -rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
> [root@centos1 conf]#
>
> [root@centos1 audit]# ps -efZ | grep -i apachectl
> unconfined_u:system_r:initrc_t:s0 root   23066  2412  0 11:20 pts/0   
> 00:00:00 /bin/sh /usr/sbin/apachectl
>
> [root@centos1 audit]# ls -lZ httpd.pid
> -rw-r--r--. root root unconfined_u:object_r:var_run_t:s0 httpd.pid
>
> How can I fix it?
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
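
An added example, not part of either post: a small Python parser that decodes the AVC record quoted above into its source domain, target label, object class and permission, so the denial can be read next to the `ls -lZ` and `ps -efZ` output in the thread. The function names are hypothetical; the sample record is the one from the post with the mail line wrapping undone by the parser.

```python
import re
from datetime import datetime, timezone

# AVC record copied from the post above; the mail client wrapped it across lines.
SAMPLE = """type=AVC msg=audit(1404897126.819:7069): avc:  denied  { read } for
pid=23031 comm="httpd" name="httpd.pid" dev=dm-0 ino=529958
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file"""

HEADER = re.compile(
    r"audit\((\d+)\.\d+:(\d+)\): avc:\s+(denied|granted)\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_context(ctx):
    """Split user:role:type[:level]. An MLS/MCS level such as s0:c0.c1023
    contains colons itself, so split at most three times."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    level = parts[3] if len(parts) == 4 else None
    return {"user": parts[0], "role": parts[1], "type": parts[2], "level": level}


def parse_avc(record):
    """Decode one AVC audit record, tolerating line wrapping."""
    text = " ".join(record.split())          # undo wrapping and double spaces
    m = HEADER.search(text)
    if m is None:
        raise ValueError("no AVC header found")
    secs, serial, verdict, perms = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(text[m.end():])}
    return {
        "time": datetime.fromtimestamp(int(secs), tz=timezone.utc),
        "serial": int(serial), "verdict": verdict, "perms": perms.split(),
        "comm": fields.get("comm"), "name": fields.get("name"),
        "source": parse_context(fields["scontext"]),
        "target": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def describe(avc):
    """One-line summary: which domain was refused what, on which label."""
    return "%s (comm=%s) %s {%s} on %s %r labeled %s" % (
        avc["source"]["type"], avc["comm"], avc["verdict"],
        " ".join(avc["perms"]), avc["tclass"], avc["name"], avc["target"]["type"])


if __name__ == "__main__":
    print(describe(parse_avc(SAMPLE)))
```

The decoded record shows the refused process running in `httpd_t`, while the `ps -efZ` output in the post shows the `apachectl` script itself in `initrc_t`; the target type `var_run_t` matches the `ls -lZ httpd.pid` line.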
