AVCs from restarting httpd but only when in permissive mode

Daniel J Walsh dwalsh at redhat.com
Mon Apr 21 19:35:28 UTC 2008



Edward Kuns wrote:
> I had to reboot earlier this week because X crashed in a way that took
> out my keyboard, requiring a reboot to get the keyboard to work again.
> And when I temporarily set to permissive some time ago to do some
> testing, then set back to enforcing, somehow my "default" mode got left
> in permissive.  That's now fixed and I'm back in enforcing mode.
> Anyway, after the reboot I came up in permissive mode, which is how I
> discovered this.
> 
> If I restart httpd while in permissive mode, I get two AVCs.  If I
> restart httpd while in enforcing mode, I get none.  Is this normal or
> expected?  Since I only get these AVCs while in permissive mode, there's
> no error in httpd logs to look for.  (And when I look anyway, all I see
> is normal "starting up" sorts of messages.)
> 
> type=AVC msg=audit(1208684921.858:22475): avc:  denied  { read write }
> for  pid=2956 comm="httpd" name="context" dev=selinuxfs ino=5
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file
> type=SYSCALL msg=audit(1208684921.858:22475): arch=40000003 syscall=5
> success=yes exit=14 a0=bfc89488 a1=8002 a2=0 a3=8002 items=0 ppid=1
> pid=2956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
> subj=system_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1208684921.858:22476): avc:  denied
> { check_context } for  pid=2956 comm="httpd"
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=security
> type=SYSCALL msg=audit(1208684921.858:22476): arch=40000003 syscall=4
> success=yes exit=33 a0=e a1=b931e310 a2=21 a3=b931e310 items=0 ppid=1
> pid=2956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
> subj=system_u:system_r:httpd_t:s0 key=(null)
> 
> 	Eddie
> 
Yes, a previous dontaudit would have stopped the library that httpd is
loading from executing the "check_context" code, so enforcing would get
no AVCs while permissive reports them.
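As an added illustration (not code from the thread or from the SELinux project), the script below pairs each AVC record with its SYSCALL record by audit serial, the way the two events Eddie posted are paired, and labels a denial "permissive" when the syscall still reports success=yes: the kernel logged the denial but did not block it, which is exactly why these records only appear in permissive mode. The first two events are the ones quoted above; the third is a constructed enforcing-mode denial (success=no, exit=-13) added for contrast, and the regexes assume raw audit.log lines rather than ausearch -i output.

```python
import re

# Sample audit records: the first two events are the ones quoted in the
# thread; the third is a constructed enforcing-mode denial for contrast.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1208684921.858:22475): avc:  denied  { read write } for  pid=2956 comm="httpd" name="context" dev=selinuxfs ino=5 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=SYSCALL msg=audit(1208684921.858:22475): arch=40000003 syscall=5 success=yes exit=14 a0=bfc89488 a1=8002 a2=0 a3=8002 items=0 ppid=1 pid=2956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1208684921.858:22476): avc:  denied  { check_context } for  pid=2956 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=SYSCALL msg=audit(1208684921.858:22476): arch=40000003 syscall=4 success=yes exit=33 a0=e a1=b931e310 a2=21 a3=b931e310 items=0 ppid=1 pid=2956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1208684999.100:22500): avc:  denied  { write } for  pid=3001 comm="httpd" name="index.html" dev=sda1 ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1208684999.100:22500): arch=40000003 syscall=5 success=no exit=-13 a0=bfc89488 a1=8002 a2=0 a3=8002 items=0 ppid=1 pid=3001 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<serial>[\d.]+:\d+)\): (?P<body>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
PERMS_RE = re.compile(r"\{ ([^}]*) \}")       # the { read write } permission set

def parse_records(text):
    """Group raw auditd lines into events keyed by their audit serial."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in KV_RE.findall(m["body"])}
        if m["type"] == "AVC":
            rec["perms"] = PERMS_RE.search(m["body"]).group(1).split()
        events.setdefault(m["serial"], {})[m["type"]] = rec
    return events

def classify(events):
    """Label each AVC denial: success=yes on the paired SYSCALL means the denial
    was logged but not enforced (global permissive or a permissive domain)."""
    report = []
    for serial, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if avc is None:
            continue
        if sc is None:
            mode = "unknown"          # no SYSCALL record to correlate with
        elif sc.get("success") == "yes":
            mode = "permissive"       # denied on paper, allowed in practice
        else:
            mode = "enforcing"        # access really failed (e.g. exit=-13)
        report.append({"serial": serial, "mode": mode, "perms": avc["perms"],
                       "tclass": avc["tclass"], "tcontext": avc["tcontext"]})
    return report
```

Run against a real /var/log/audit/log, every "permissive" entry is a rule that would need an allow (or is already covered by a dontaudit, as in this thread) before switching back to enforcing.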