NFSEN SELinux Permission
by Emre Tugriceri on Mar.06, 2012, under SELinux
Summary:
SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files
/var/local/nfsen/var/run/nfsen.comm.
Detailed Description:
SELinux has denied the httpd access to potentially mislabeled files
/var/local/nfsen/var/run/nfsen.comm. This means that SELinux will not allow
httpd to use these files. If httpd should be allowed this access to these files
you should change the file context to one of the following types,
lsassd_var_socket_t, abrt_var_run_t, httpd_tmpfs_t, setrans_var_run_t,
avahi_var_run_t, mysqld_var_run_t, httpd_var_run_t, nscd_var_run_t,
nslcd_var_run_t, slapd_var_run_t, sssd_var_lib_t, mysqld_db_t,
system_dbusd_var_run_t, postgresql_var_run_t, winbind_var_run_t,
postgresql_tmp_t, devlog_t, httpd_cobbler_rw_content_t,
httpd_munin_rw_content_t, httpd_bugzilla_rw_content_t, httpd_cvs_rw_content_t,
httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_rw_content_t, httpd_squid_rw_content_t, nscd_var_run_t,
pcscd_var_run_t, httpd_smokeping_cgi_rw_content_t,
httpd_apcupsd_cgi_rw_content_t, httpd_prewikka_rw_content_t,
httpd_awstats_rw_content_t, httpd_w3c_validator_rw_content_t,
httpd_user_rw_content_t. Many third party apps install html files in directories
that SELinux policy cannot predict. These directories have to be labeled with a
file context which httpd can access.
Allowing Access:
If you want to change the file context of /var/local/nfsen/var/run/nfsen.comm so
that the httpd daemon can access it, you need to execute it using semanage
fcontext -a -t FILE_TYPE '/var/local/nfsen/var/run/nfsen.comm'.
where FILE_TYPE is one of the following: lsassd_var_socket_t, abrt_var_run_t,
httpd_tmpfs_t, setrans_var_run_t, avahi_var_run_t, mysqld_var_run_t,
httpd_var_run_t, nscd_var_run_t, nslcd_var_run_t, slapd_var_run_t,
sssd_var_lib_t, mysqld_db_t, system_dbusd_var_run_t, postgresql_var_run_t,
winbind_var_run_t, postgresql_tmp_t, devlog_t, httpd_cobbler_rw_content_t,
httpd_munin_rw_content_t, httpd_bugzilla_rw_content_t, httpd_cvs_rw_content_t,
httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_rw_content_t, httpd_squid_rw_content_t, nscd_var_run_t,
pcscd_var_run_t, httpd_smokeping_cgi_rw_content_t,
httpd_apcupsd_cgi_rw_content_t, httpd_prewikka_rw_content_t,
httpd_awstats_rw_content_t, httpd_w3c_validator_rw_content_t,
httpd_user_rw_content_t. You can look at the httpd_selinux man page for
additional information.
Additional Information:
Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/local/nfsen/var/run/nfsen.comm [ sock_file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           httpd-2.2.15-5.el6.centos
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-54.el6_0.5
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     csn.tugriceri.com
Platform                      Linux csn.tugriceri.com
                              2.6.32-71.29.1.el6.x86_64 #1 SMP Mon Jun 27
                              19:49:27 BST 2011 x86_64 x86_64
Alert Count                   8
First Seen                    Tue Mar  6 14:02:04 2012
Last Seen                     Tue Mar  6 14:38:35 2012
Local ID                      8433f07d-91df-46a0-ba75-5228a1a1180a
Line Numbers                  7, 8, 43, 44, 75, 76, 87, 88, 119, 120, 155, 156,
                              251, 252, 257, 258
Raw Audit Messages
type=AVC msg=audit(1331037515.880:4652026): avc: denied { write } for pid=4402 comm="httpd" name="nfsen.comm" dev=dm-2 ino=23992283 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1331037515.880:4652026): arch=c000003e syscall=42 success=no exit=-13 a0=1a a1=7fffd0623350 a2=25 a3=632e6e6573666e2f items=0 ppid=4398 pid=4402 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=236800 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
[root@legion ~]# grep httpd /var/log/audit/audit.log | audit2allow -M tugriceri_http
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i tugriceri_http.pp
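As an added illustration (not part of the original post or of nfsen), a small shell helper that pulls the source domain, target type and object class out of an AVC line like the one above and, for this exact case (httpd_t writing a var_t socket), prints the relabel commands from the setroubleshoot advice instead of turning the denial into an allow rule with audit2allow. The second sample line and the file path passed to it are constructed.

```shell
#!/bin/sh
# Added example: extract the pieces of an AVC denial that decide the fix.
# SAMPLE_AVC is the denial from the alert above; OTHER_AVC is a constructed
# second denial used only to exercise the "do not relabel blindly" branch.
SAMPLE_AVC='type=AVC msg=audit(1331037515.880:4652026): avc: denied { write } for pid=4402 comm="httpd" name="nfsen.comm" dev=dm-2 ino=23992283 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=sock_file'
OTHER_AVC='type=AVC msg=audit(1331037600.000:4652030): avc: denied { read } for pid=4402 comm="httpd" name="index.html" dev=dm-2 ino=1 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

# avc_field LINE KEY: value of the KEY=value token, surrounding quotes stripped
avc_field() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_perm LINE: the permission named inside "denied { ... }"
avc_perm() {
  printf '%s\n' "$1" | sed -n 's/.*denied { \(.*\) } for.*/\1/p'
}

# target_type LINE: the type field (third colon-separated part) of tcontext
target_type() {
  avc_field "$1" tcontext | cut -d: -f3
}

# suggest_fix LINE PATH: for httpd_t writing a generic var_t socket, print the
# relabel (httpd_var_run_t is one of the types setroubleshoot listed above);
# anything else is flagged for review rather than turned into an allow rule.
suggest_fix() {
  sdomain=$(avc_field "$1" scontext | cut -d: -f3)
  ttype=$(target_type "$1")
  tclass=$(avc_field "$1" tclass)
  if [ "$sdomain" = httpd_t ] && [ "$ttype" = var_t ] && [ "$tclass" = sock_file ]; then
    printf 'semanage fcontext -a -t httpd_var_run_t "%s"\n' "$2"
    printf 'restorecon -v "%s"\n' "$2"
  else
    printf 'manual review: %s on %s (%s)\n' "$sdomain" "$ttype" "$tclass"
  fi
}

# count_denials COMM TCLASS < audit.log: number of matching AVC lines
count_denials() {
  grep -c "type=AVC .*comm=\"$1\" .*tclass=$2\$"
}

suggest_fix "$SAMPLE_AVC" /var/local/nfsen/var/run/nfsen.comm
printf '%s\n%s\n' "$SAMPLE_AVC" "$OTHER_AVC" | count_denials httpd sock_file
```

Run it with `grep 'type=AVC' /var/log/audit/audit.log | count_denials httpd sock_file` to see how many of the eight alerts above are this socket before deciding whether relabeling alone clears them.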