Tugriceri Web Notes

Archive for March, 2012

NFSEN SELinux Permission

Posted on Mar. 06, 2012, under SELinux

Summary:

SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files
/var/local/nfsen/var/run/nfsen.comm.

Detailed Description:

SELinux has denied the httpd access to potentially mislabeled files
/var/local/nfsen/var/run/nfsen.comm. This means that SELinux will not allow
httpd to use these files. If httpd should be allowed this access to these files
you should change the file context to one of the following types,
lsassd_var_socket_t, abrt_var_run_t, httpd_tmpfs_t, setrans_var_run_t,
avahi_var_run_t, mysqld_var_run_t, httpd_var_run_t, nscd_var_run_t,
nslcd_var_run_t, slapd_var_run_t, sssd_var_lib_t, mysqld_db_t,
system_dbusd_var_run_t, postgresql_var_run_t, winbind_var_run_t,
postgresql_tmp_t, devlog_t, httpd_cobbler_rw_content_t,
httpd_munin_rw_content_t, httpd_bugzilla_rw_content_t, httpd_cvs_rw_content_t,
httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_rw_content_t, httpd_squid_rw_content_t, nscd_var_run_t,
pcscd_var_run_t, httpd_smokeping_cgi_rw_content_t,
httpd_apcupsd_cgi_rw_content_t, httpd_prewikka_rw_content_t,
httpd_awstats_rw_content_t, httpd_w3c_validator_rw_content_t,
httpd_user_rw_content_t. Many third party apps install html files in directories
that SELinux policy cannot predict. These directories have to be labeled with a
file context which httpd can access.

Allowing Access:

If you want to change the file context of /var/local/nfsen/var/run/nfsen.comm so
that the httpd daemon can access it, you need to execute it using semanage
fcontext -a -t FILE_TYPE '/var/local/nfsen/var/run/nfsen.comm'.
where FILE_TYPE is one of the following: lsassd_var_socket_t, abrt_var_run_t,
httpd_tmpfs_t, setrans_var_run_t, avahi_var_run_t, mysqld_var_run_t,
httpd_var_run_t, nscd_var_run_t, nslcd_var_run_t, slapd_var_run_t,
sssd_var_lib_t, mysqld_db_t, system_dbusd_var_run_t, postgresql_var_run_t,
winbind_var_run_t, postgresql_tmp_t, devlog_t, httpd_cobbler_rw_content_t,
httpd_munin_rw_content_t, httpd_bugzilla_rw_content_t, httpd_cvs_rw_content_t,
httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_rw_content_t, httpd_squid_rw_content_t, nscd_var_run_t,
pcscd_var_run_t, httpd_smokeping_cgi_rw_content_t,
httpd_apcupsd_cgi_rw_content_t, httpd_prewikka_rw_content_t,
httpd_awstats_rw_content_t, httpd_w3c_validator_rw_content_t,
httpd_user_rw_content_t. You can look at the httpd_selinux man page for
additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/local/nfsen/var/run/nfsen.comm [ sock_file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           httpd-2.2.15-5.el6.centos
Target RPM Packages          
Policy RPM                    selinux-policy-3.7.19-54.el6_0.5
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     csn.tugriceri.com
Platform                      Linux csn.tugriceri.com
                              2.6.32-71.29.1.el6.x86_64 #1 SMP Mon Jun 27
                              19:49:27 BST 2011 x86_64 x86_64
Alert Count                   8
First Seen                    Tue Mar  6 14:02:04 2012
Last Seen                     Tue Mar  6 14:38:35 2012
Local ID                      8433f07d-91df-46a0-ba75-5228a1a1180a
Line Numbers                  7, 8, 43, 44, 75, 76, 87, 88, 119, 120, 155, 156,
                              251, 252, 257, 258

Raw Audit Messages           

type=AVC msg=audit(1331037515.880:4652026): avc:  denied  { write } for  pid=4402 comm="httpd" name="nfsen.comm" dev=dm-2 ino=23992283 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=sock_file

type=SYSCALL msg=audit(1331037515.880:4652026): arch=c000003e syscall=42 success=no exit=-13 a0=1a a1=7fffd0623350 a2=25 a3=632e6e6573666e2f items=0 ppid=4398 pid=4402 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=236800 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

[root@legion ~]# grep httpd /var/log/audit/audit.log | audit2allow -M tugriceri_http
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i tugriceri_http.pp
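
The `grep httpd` filter above passes every httpd-related denial in the audit log to audit2allow, so the generated module can grant more than the write to the nfsen.comm socket. The following Python script is an added example, not part of the original post: it parses AVC records and lists, in policy syntax, the allow rules a log slice implies, optionally narrowed to one target name, so the scope can be reviewed before `semodule -i`. The second and third sample records are constructed for illustration, and the rule formatting approximates what a generated module would contain.

```python
import re
from collections import defaultdict

# Sample input. Record 1 is the denial from the post. Records 2 and 3 are
# constructed: an unrelated httpd denial and an abridged SYSCALL record.
SAMPLE_LOG = '''\
type=AVC msg=audit(1331037515.880:4652026): avc:  denied  { write } for  pid=4402 comm="httpd" name="nfsen.comm" dev=dm-2 ino=23992283 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=sock_file
type=AVC msg=audit(1331037600.120:4652100): avc:  denied  { read } for  pid=4410 comm="httpd" name="example.conf" dev=dm-0 ino=1001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1331037515.880:4652026): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')


def parse_avc(line):
    """Return the policy-relevant fields of an AVC denial, or None for other lines."""
    if not line.startswith('type=AVC'):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split('=', 1) for kv in m.group('rest').split() if '=' in kv)
    return {
        'perms': m.group('perms').split(),
        'name': fields.get('name', '').strip('"'),
        # SELinux contexts are user:role:type:level; the type is what policy rules use.
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def rules_granted(log_text, name=None):
    """List the allow rules implied by the denials; keep only `name` if given."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or (name is not None and rec['name'] != name):
            continue
        key = (rec['source_type'], rec['target_type'], rec['tclass'])
        rules[key].update(rec['perms'])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in rules.items())


if __name__ == '__main__':
    print('Everything matching httpd:', *rules_granted(SAMPLE_LOG), sep='\n  ')
    print('Only nfsen.comm:', *rules_granted(SAMPLE_LOG, name='nfsen.comm'), sep='\n  ')
```
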


Failed to open “/var/lib/dbus/machine-id”

Posted on Mar. 06, 2012, under Uncategorized

process 16780: D-Bus library appears to be incorrectly set up; failed to read machine uuid: Failed to open "/var/lib/dbus/machine-id": No such file or directory
See the manual page for dbus-uuidgen to correct this issue.
  D-Bus not built with -rdynamic so unable to print a backtrace
Aborted

dbus-uuidgen > /var/lib/dbus/machine-id
