Hi there, I'm having some problems with Apache and SELinux. Yesterday in /var/log/httpd/error_log I had:

[Thu Jul 17 16:34:26 2008] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Thu Jul 17 16:34:26 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Jul 17 16:34:26 2008] [notice] Digest: generating secret for digest authentication ...
[Thu Jul 17 16:34:26 2008] [notice] Digest: done
[Thu Jul 17 16:34:26 2008] [warn] pid file /var/www/ditsite/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Thu Jul 17 16:34:26 2008] [notice] Apache configured -- resuming normal operations

It happened a couple of times on a production site, so I decided to try disabling protection for the httpd daemon:

# setsebool -P httpd_disable_trans 1
# service httpd restart

Message in /var/log/messages:

Jul 18 13:37:46 localhost dbus: avc: received policyload notice (seqno=3)
Jul 18 13:37:47 localhost setsebool: The httpd_disable_trans policy boolean was changed to 1 by root
Jul 18 13:37:48 localhost setroubleshoot: SELinux is preventing setsebool (semanage_t) "sys_admin" to <Unknown> (semanage_t). For complete SELinux messages. run sealert -l dbc64b3f-71be-48c7-aa07-03264440576c

Sealert says the following:

Summary:
SELinux is preventing httpd (httpd_t) "sys_admin" to <Unknown> (httpd_t).

Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux denied access requested by httpd. It is not expected that this access is required by httpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:
Source Context         root:system_r:httpd_t
Target Context         root:system_r:httpd_t
Target Objects         None [ capability ]
Source                 httpd
Source Path            /usr/sbin/httpd
Port                   <Unknown>
Host                   OSTRAIS
Source RPM Packages    httpd-2.2.3-11.el5_1.3
Target RPM Packages
Policy RPM             selinux-policy-2.4.6-137.1.el5_2
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Permissive
Plugin Name            catchall
Host Name              OSTRAIS
Platform               Linux OSTRAIS 2.6.18-92.1.1.el5 #1 SMP Thu May 22 09:01:47 EDT 2008 x86_64 x86_64
Alert Count            10
First Seen             Thu Jul 17 17:20:02 2008
Last Seen              Fri Jul 18 13:33:30 2008
Local ID               b22d5d55-1982-4c69-820e-7df4dbd33842
Line Numbers

Raw Audit Messages:
host=OSTRAIS type=AVC msg=audit(1216384410.773:2490): avc: denied { sys_admin } for pid=24960 comm="httpd" capability=21 scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=capability

1.) Why is SELinux preventing me from changing this value?
2.) Am I taking the correct approach?

httpd-2.2.3-11.el5_1.3
Linux 2.6.18-92.1.1.el5 x86_64 GNU/Linux
Red Hat Enterprise Linux Server release 5.2 (Tikanga)

Thanks
Colly
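As an added example (not part of Colly's post or of any Fedora/Red Hat tooling), the raw AVC record quoted above can be parsed into structured fields so that a capability denial like this one is routed to review instead of being silenced with a boolean. The second sample record, the `triage` wording and the partial capability table are constructed here; the capability numbers are the ones from <linux/capability.h>.

```python
import re

# Constructed sample records. The first is the raw AVC line quoted in the
# post above; the second is a made-up file-access denial for comparison.
SAMPLE_AUDIT_LINES = [
    'host=OSTRAIS type=AVC msg=audit(1216384410.773:2490): avc: denied { sys_admin } for '
    'pid=24960 comm="httpd" capability=21 scontext=root:system_r:httpd_t:s0 '
    'tcontext=root:system_r:httpd_t:s0 tclass=capability',
    'type=AVC msg=audit(1216384500.100:2501): avc: denied { read } for pid=24961 '
    'comm="httpd" name="index.html" dev=sda2 ino=12345 scontext=root:system_r:httpd_t:s0 '
    'tcontext=root:object_r:user_home_t:s0 tclass=file',
]

# Capability numbers from <linux/capability.h>; only a few are listed here.
CAPABILITY_NAMES = {1: "CAP_DAC_OVERRIDE", 7: "CAP_SETUID", 10: "CAP_NET_BIND_SERVICE",
                    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 21: "CAP_SYS_ADMIN"}

AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
                    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC audit record into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec = {
        'timestamp': float(m.group('ts')), 'serial': int(m.group('serial')),
        'result': m.group('result'), 'permissions': m.group('perms').split(),
        'pid': int(kv['pid']), 'comm': kv.get('comm'),
        'scontext': kv['scontext'], 'tcontext': kv['tcontext'], 'tclass': kv['tclass'],
        'source_type': kv['scontext'].split(':')[2],  # user:role:type[:level]
    }
    if rec['tclass'] == 'capability' and 'capability' in kv:
        n = int(kv['capability'])
        rec['capability'] = CAPABILITY_NAMES.get(n, 'CAP_%d' % n)
    return rec


def triage(rec):
    """One-line verdict: a capability request by a confined daemon is flagged
    for review of the process, not handled by loosening policy."""
    if rec['tclass'] == 'capability':
        return 'review: %s requested %s (%s), audit the process before allowing' % (
            rec['source_type'], rec['capability'], rec['comm'])
    return 'label check: %s -> %s {%s}' % (
        rec['source_type'], rec['tcontext'].split(':')[2], ' '.join(rec['permissions']))
```

Note that the record is logged as "denied" even though the host is in permissive mode, so this parser sees the same line whether or not enforcement is on.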
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list