Hi,
Whenever I upload a file via my web browser to my web sever, I see the following lines in
/var/log/messages
Nov 8 12:18:24 sn setroubleshoot: SELinux is preventing httpd from create access on the file temp_5be3f85348052_5be3f85347985.docx. For complete SELinux messages run: sealert -l 335e7781-6a68-4ca6-827f-073f93829f2d
Nov 8 12:18:24 sn python: SELinux is preventing httpd from create access on the file temp_5be3f85348052_5be3f85347985.docx.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that httpd should be allowed create access on the temp_5be3f85348052_5be3f85347985.docx file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'httpd' --raw | audit2allow -M my-httpd#012# semodule -i my-httpd.pp#012
While the format is ugly, I run
sealert -l 335e7781-6a68-4ca6-827f-073f93829f2d and seeSELinux is preventing httpd from create access on the file temp_5be3f85348052_5be3f85347985.docx.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that httpd should be allowed create access on the temp_5be3f85348052_5be3f85347985.docx file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:user_home_t:s0
Target Objects temp_5be3f85348052_5be3f85347985.docx [ file ]
Source httpd
Source Path httpd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages httpd-2.4.6-80.el7.centos.1.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-192.el7_5.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name sn.somewhere.com
Platform Linux sn.somewhere.com 3.10.0-862.11.6.el7.x86_64 #1
SMP Tue Aug 14 21:49:04 UTC 2018 x86_64 x86_64
Alert Count 2
First Seen 2018-11-08 12:16:06 +0330
Last Seen 2018-11-08 12:18:19 +0330
Local ID 335e7781-6a68-4ca6-827f-073f93829f2d
Raw Audit Messages
type=AVC msg=audit(1541666899.294:27636): avc: denied { create } for pid=25734 comm="httpd" name="temp_5be3f85348052_5be3f85347985.docx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1541666899.294:27636): arch=x86_64 syscall=open success=no exit=EACCES a0=7ffc8a052400 a1=241 a2=1b6 a3=2823ea08d07abe97 items=0 ppid=13555 pid=25734 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: httpd,httpd_t,user_home_t,file,create
I do run two commands and everything sounds normal:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-httpd.pp
# semodule -i my-httpd.pp
#
However, once again and after uploading the file, I see those messages in the log again and again.
How to fix that?
Regards,
Mahmood
Mahmood
_______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
