On 08/14/2009 09:16 AM, Rob Crittenden wrote:
> I'm having a problem where Apache is segfaulting when SELinux is enabled
> because of an AVC. I'm using freeIPA which defines a mod_python handler.
>
> The AVCs are:
>
> type=AVC msg=audit(1250255388.275:27650): avc: denied { execute } for
> pid=7849 comm="httpd"
> path=2F746D702F6666696A7435517772202864656C6574656429 dev=sda1
> ino=442585 scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_tmp_t:s0 tclass=file
>
> type=AVC msg=audit(1250255388.288:27652): avc: denied { execute } for
> pid=7850 comm="httpd"
> path=2F6465762F73686D2F6666696D436E667967202864656C6574656429 dev=tmpfs
> ino=33960 scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_tmpfs_t:s0 tclass=file
>
> audit2allow generated this:
>
> module test 1.0;
>
> require {
>         type httpd_tmp_t;
>         type httpd_t;
>         type httpd_tmpfs_t;
>         class file execute;
> }
>
> #============= httpd_t ==============
> allow httpd_t httpd_tmp_t:file execute;
> allow httpd_t httpd_tmpfs_t:file execute;
>
> I'm a bit stumped. What should I look for, something doing an exec,
> something messing in /tmp, both?
>
> thanks
>
> rob
>

Apache executing something in /tmp, just feels like a very bad idea. I am not sure mod_python is doing this, but I would look for some configuration that is putting files in /tmp.

> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
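
The `path=` values in the AVC records quoted above are hex-encoded by the audit subsystem because the file names contain a space, so the first triage step is decoding them to see which files httpd tried to execute. The Python sketch below is an added example, not part of the original thread: the function names are hypothetical, and the sample input is the two records from the message with the mail line wraps rejoined.

```python
import re

# Constructed sample: the two AVC records from the thread, line wraps rejoined.
SAMPLE = """\
type=AVC msg=audit(1250255388.275:27650): avc: denied { execute } for pid=7849 comm="httpd" path=2F746D702F6666696A7435517772202864656C6574656429 dev=sda1 ino=442585 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1250255388.288:27652): avc: denied { execute } for pid=7850 comm="httpd" path=2F6465762F73686D2F6666696D436E667967202864656C6574656429 dev=tmpfs ino=33960 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_tmpfs_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")
# Only these fields carry audit-encoded strings; decoding others would
# misread numeric values such as ino=442585 as hex.
STRING_FIELDS = {"path", "name", "comm", "exe"}


def decode_audit_string(value):
    """Quoted values are literal; bare hex means the string held a space,
    quote or control character and was hex-encoded by the audit subsystem."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if HEX_RE.fullmatch(value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for key, raw in FIELD_RE.findall(m.group(2)):
        rec[key] = decode_audit_string(raw) if key in STRING_FIELDS else raw
    # Contexts are user:role:type:level; the type field drives the decision.
    rec["source_type"] = rec.get("scontext", "::").split(":")[2]
    rec["target_type"] = rec.get("tcontext", "::").split(":")[2]
    return rec


def summarize(text):
    return [r for r in map(parse_avc, text.splitlines()) if r]


if __name__ == "__main__":
    for r in summarize(SAMPLE):
        print(r["comm"], r["perms"], r["path"],
              r["source_type"], "->", r["target_type"])
```

Both paths decode to already-unlinked temporary files, one under /tmp and one under /dev/shm, which is why the records show a trailing "(deleted)".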