SELinux... a never ending story!

Joe Orton jorton at redhat.com
Fri Dec 17 09:55:36 UTC 2004


On Thu, Dec 16, 2004 at 10:50:56PM -0500, Daniel J Walsh wrote:
> Giuseppe Greco wrote:
> >done... and now I get
> >
> >audit(1103229440.677.0): avc: denied { unlink } for pid=2671
> > exe=/usr/sbin/httpd name=ssl_mutex.2670 dev=dm-6 ino=192037
> > scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t
> > tclass=file

Giuseppe, can you post your /etc/httpd/conf.d/ssl.conf?  This shouldn't
happen in the default mod_ssl configuration.

> ugh,
> 
> Where is this mutex file being created?  In the log dir?  The problem
> with this is it allows a hacker to unlink all the log files, if I
> allow this rule.

mod_ssl (and various other bits of httpd) can be configured to use
various types of semaphore: these will all be SysV semaphores in the
default configuration, but in non-default configurations, can be files
with fcntl locking.  So the rule shouldn't be needed by default, I'm
confused why people are seeing this.

joe
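As an added illustration (not part of the thread, and not code from httpd or the SELinux policy), the following Python parses AVC records like the one Giuseppe posted, reconstructs the audit2allow-style rule that would silence the denial, and flags why Dan's objection applies: that rule would grant unlink on every httpd_log_t file, not only the mutex. The sample record is the one quoted above, re-joined onto one line; the DESTRUCTIVE permission set is an assumption chosen for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: the AVC record quoted in the thread, re-joined on one line.
SAMPLE_AVC = ("audit(1103229440.677.0): avc: denied { unlink } for pid=2671 "
              "exe=/usr/sbin/httpd name=ssl_mutex.2670 dev=dm-6 ino=192037 "
              "scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file")

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
# Assumed set of permissions that let a domain alter or destroy objects it can already see.
DESTRUCTIVE = {"unlink", "write", "append", "rename", "setattr", "rmdir"}

@dataclass
class AvcRecord:
    result: str
    perms: list
    fields: dict

    def source_type(self):  # contexts are user:role:type[:level]
        return self.fields["scontext"].split(":")[2]

    def target_type(self):
        return self.fields["tcontext"].split(":")[2]

def parse_avc(line):
    """Parse one 'avc: denied { perms } for k=v ...' record; None if not an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return AvcRecord(m.group("result"), m.group("perms").split(), fields)

def allow_rule(rec):
    """The allow rule that would silence this denial (audit2allow-style output)."""
    return "allow %s %s:%s { %s };" % (rec.source_type(), rec.target_type(),
                                       rec.fields["tclass"], " ".join(rec.perms))

def assess(rec):
    """Warnings on why adding allow_rule(rec) wholesale widens policy rather than fixing the cause."""
    warnings = []
    risky = sorted(DESTRUCTIVE & set(rec.perms))
    if risky and rec.target_type().endswith("_log_t"):
        warnings.append("%s would gain %s on every %s %s, not only %s; fix the "
                        "application's configuration instead of the policy"
                        % (rec.source_type(), "/".join(risky), rec.target_type(),
                           rec.fields["tclass"], rec.fields.get("name", "this object")))
    return warnings
```

Running `assess(parse_avc(SAMPLE_AVC))` on the thread's record yields one warning naming httpd_t, unlink and httpd_log_t, which is exactly the trade-off Dan describes.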
