SELinux and HTTP Error
Daniel J Walsh
dwalsh at redhat.com
Mon Sep 13 15:49:24 UTC 2010
On 09/12/2010 08:05 AM, Richard Heck wrote:
>
> Anyone help me with this? I get this error every time httpd starts. This
> is still F12, but up to date.
>
> The info isn't that helpful, as I don't have user directories enabled in
> httpd.conf anyway.
>
> Thanks,
> Richard
>
>
> Summary:
>
> SELinux is preventing /usr/sbin/httpd "search" access on /root/.local.
>
> Detailed Description:
>
> [SELinux is in permissive mode. This access was not denied.]
>
> SELinux denied access requested by httpd. The current boolean settings do not
> allow this access. If you have not setup httpd to require this access this may
> signal an intrusion attempt. If you do intend this access you need to change the
> booleans on this system to allow the access.
>
> Allowing Access:
>
> Confined processes can be configured to run requiring different access, SELinux
> provides booleans to allow you to turn on/off access as needed. The boolean
> httpd_enable_homedirs is set incorrectly.
> Boolean Description:
> Allow httpd to read home directories
>
>
> Fix Command:
>
> # setsebool -P httpd_enable_homedirs 1
>
> Additional Information:
>
> Source Context        system_u:system_r:httpd_t:s0
> Target Context        system_u:object_r:gconf_home_t:s0
> Target Objects        /root/.local [ dir ]
> Source                httpd
> Source Path           /usr/sbin/httpd
> Port                  <Unknown>
> Host                  rghquad.bobjweil.com
> Source RPM Packages   httpd-2.2.15-1.fc12.2
> Target RPM Packages
> Policy RPM            selinux-policy-3.6.32-121.fc12
> Selinux Enabled       True
> Policy Type           targeted
> Enforcing Mode        Permissive
> Plugin Name           catchall_boolean
> Host Name             rghquad.bobjweil.com
> Platform              Linux rghquad.bobjweil.com 2.6.32.21-166.fc12.x86_64 #1 SMP
>                       Fri Aug 27 06:07:37 UTC 2010 x86_64 x86_64
> Alert Count           1
> First Seen            Sun 12 Sep 2010 07:45:13 AM EDT
> Last Seen             Sun 12 Sep 2010 07:45:13 AM EDT
> Local ID              a422f71e-92a5-4bff-b510-1280613e0b11
> Line Numbers
>
> Raw Audit Messages
>
> node=rghquad.bobjweil.com type=AVC msg=audit(1284291913.888:7): avc:
> denied { search } for pid=1956 comm="httpd" name=".local" dev=sda5
> ino=794581 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
>
> node=rghquad.bobjweil.com type=SYSCALL msg=audit(1284291913.888:7):
> arch=c000003e syscall=4 success=no exit=-2 a0=7f2cd52b9e20
> a1=7fffb5a5f7b0 a2=7fffb5a5f7b0 a3=6b6361702d657469 items=0 ppid=1
> pid=1956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd"
> subj=system_u:system_r:httpd_t:s0 key=(null)
>
>
>
Looks like your apache program is trying to search content in
/root/.local? You could remove this directory. Could you be using a
python or gnome based application?
You probably can ignore this avc or add local policy to dontaudit it.
# grep local /var/log/audit/audit.log | audit2allow -D -M myapache
# semodule -i myapache.pp
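The two commands in Dan's reply pipe audit.log through audit2allow -D, which turns every matching AVC into a dontaudit rule. The script below is an added example (not from the thread, not part of audit2allow) that does the same grouping by hand, so you can see exactly what such a module will silence before loading it. It filters on the source type instead of grepping for the word "local", since a plain grep would also pull in unrelated records that happen to contain that string. The audit lines are constructed from the AVC in the post plus a second, hypothetical "read" denial on the same directory; the module name "myapache" is taken from the reply.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC record quoted in the post, its SYSCALL
# record, and a hypothetical second denial so that permissions get merged.
SAMPLE_AUDIT_LOG = """\
node=rghquad.bobjweil.com type=AVC msg=audit(1284291913.888:7): avc: denied { search } for pid=1956 comm="httpd" name=".local" dev=sda5 ino=794581 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
node=rghquad.bobjweil.com type=SYSCALL msg=audit(1284291913.888:7): arch=c000003e syscall=4 success=no exit=-2 pid=1956 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
node=rghquad.bobjweil.com type=AVC msg=audit(1284291920.001:9): avc: denied { read } for pid=1956 comm="httpd" name=".local" dev=sda5 ino=794581 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
"""

# One AVC record: verdict, permission set, source/target contexts, object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Extract the type field from a user:role:type:level context string."""
    return context.split(':')[2]


def parse_avcs(text):
    """Return a list of denied AVC records parsed from raw audit log text."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group('verdict') != 'denied':
            continue
        records.append({
            'perms': set(m.group('perms').split()),
            'stype': type_of(m.group('scontext')),
            'ttype': type_of(m.group('tcontext')),
            'tclass': m.group('tclass'),
        })
    return records


def build_dontaudit_module(records, name, source_type=None):
    """Emit .te source with one dontaudit rule per (source, target, class).

    Mirrors what `audit2allow -D` produces. If source_type is given, only
    denials from that domain are included; returns None when nothing matches.
    """
    rules = defaultdict(set)
    for r in records:
        if source_type and r['stype'] != source_type:
            continue
        rules[(r['stype'], r['ttype'], r['tclass'])] |= r['perms']
    if not rules:
        return None

    types = sorted({k[0] for k in rules} | {k[1] for k in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms

    lines = [f"module {name} 1.0;", "", "require {"]
    for t in types:
        lines.append(f"\ttype {t};")
    for cls in sorted(classes):
        lines.append(f"\tclass {cls} {{ {' '.join(sorted(classes[cls]))} }};")
    lines += ["}", ""]
    for (stype, ttype, cls) in sorted(rules):
        perms = ' '.join(sorted(rules[(stype, ttype, cls)]))
        lines.append(f"dontaudit {stype} {ttype}:{cls} {{ {perms} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Read the real log with open('/var/log/audit/audit.log') in practice.
    module = build_dontaudit_module(parse_avcs(SAMPLE_AUDIT_LOG), "myapache",
                                    source_type="httpd_t")
    print(module)
```

The printed .te text is what audit2allow would feed to checkmodule and semodule_package before `semodule -i myapache.pp`; reviewing it first matters because a dontaudit rule only hides the record, it does not grant the access, so in enforcing mode httpd would still be refused /root/.local and the application that wanted it would fail silently.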