Re: SELinux and HTTP Error

On 09/12/2010 08:05 AM, Richard Heck wrote:
> 
> Anyone help me with this? I get this error every time httpd starts. This 
> is still F12, but up to date.
> 
> The info isn't that helpful, as I don't have user directories enabled in 
> httpd.conf anyway.
> 
> Thanks,
> Richard
> 
> 
> Summary:
> 
> SELinux is preventing /usr/sbin/httpd "search" access on /root/.local.
> 
> Detailed Description:
> 
> [SELinux is in permissive mode. This access was not denied.]
> 
> SELinux denied access requested by httpd. The current boolean settings do not
> allow this access. If you have not setup httpd to require this access this may
> signal an intrusion attempt. If you do intend this access you need to change the
> booleans on this system to allow the access.
> 
> Allowing Access:
> 
> Confined processes can be configured to run requiring different access, SELinux
> provides booleans to allow you to turn on/off access as needed. The boolean
> httpd_enable_homedirs is set incorrectly.
> Boolean Description:
> Allow httpd to read home directories
> 
> 
> Fix Command:
> 
> # setsebool -P httpd_enable_homedirs 1
> 
> Additional Information:
> 
> Source Context                system_u:system_r:httpd_t:s0
> Target Context                system_u:object_r:gconf_home_t:s0
> Target Objects                /root/.local [ dir ]
> Source                        httpd
> Source Path                   /usr/sbin/httpd
> Port                          <Unknown>
> Host                          rghquad.bobjweil.com
> Source RPM Packages           httpd-2.2.15-1.fc12.2
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.32-121.fc12
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Permissive
> Plugin Name                   catchall_boolean
> Host Name                     rghquad.bobjweil.com
> Platform                      Linux rghquad.bobjweil.com
>                                2.6.32.21-166.fc12.x86_64 #1 SMP Fri Aug 27
>                                06:07:37 UTC 2010 x86_64 x86_64
> Alert Count                   1
> First Seen                    Sun 12 Sep 2010 07:45:13 AM EDT
> Last Seen                     Sun 12 Sep 2010 07:45:13 AM EDT
> Local ID                      a422f71e-92a5-4bff-b510-1280613e0b11
> Line Numbers
> 
> Raw Audit Messages
> 
> node=rghquad.bobjweil.com type=AVC msg=audit(1284291913.888:7): avc:  denied  { search } for  pid=1956 comm="httpd" name=".local" dev=sda5 ino=794581 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
> 
> node=rghquad.bobjweil.com type=SYSCALL msg=audit(1284291913.888:7): arch=c000003e syscall=4 success=no exit=-2 a0=7f2cd52b9e20 a1=7fffb5a5f7b0 a2=7fffb5a5f7b0 a3=6b6361702d657469 items=0 ppid=1 pid=1956 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
> 
> 
> 
Looks like your apache program is trying to search content in
/root/.local? You could remove this directory.  Could you be using a
python or gnome based application?

You probably can ignore this avc or add local policy to dontaudit it.

# grep local /var/log/audit/audit.log | audit2allow -D -M myapache
# semodule -i myapache.pp
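
An added example, not part of the original message and not audit2allow's own code: it sketches the kind of `dontaudit` rule the `audit2allow -D` step above derives from the AVC record, and filters on `comm` because a bare `grep local` also matches unrelated audit lines that merely contain "local". The second log record and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record from the post (unwrapped, node= prefix
# dropped) plus a made-up, unrelated record that "grep local" would also match.
SAMPLE_LOG = """\
type=AVC msg=audit(1284291913.888:7): avc:  denied  { search } for  pid=1956 comm="httpd" name=".local" dev=sda5 ino=794581 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:gconf_home_t:s0 tclass=dir
type=AVC msg=audit(1284291999.001:9): avc:  denied  { read } for  pid=2001 comm="ntpd" name="localtime" dev=sda5 ino=1234 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def dontaudit_rules(log_text, comm=None):
    """Build dontaudit rules from AVC denials, optionally for one command only."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm and m.group("comm") != comm):
            continue
        key = (selinux_type(m.group("scon")),
               selinux_type(m.group("tcon")),
               m.group("tclass"))
        grouped[key].update(m.group("perms").split())
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        names = sorted(perms)
        # Policy syntax: a single permission is bare, several go in braces.
        perm_str = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"dontaudit {src} {tgt}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    # Only the httpd denial is silenced; the ntpd record is left to be audited.
    print("\n".join(dontaudit_rules(SAMPLE_LOG, comm="httpd")))
```

Reviewing the generated `myapache.te` before running `semodule -i` serves the same purpose: it shows exactly which denials the module will stop logging.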
