NFSEN SELinux Permission
by Emre Tugriceri on Mar.06, 2012, under SELinux
Summary:
SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files
/var/local/nfsen/var/run/nfsen.comm.
Detailed Description:
SELinux has denied the httpd access to potentially mislabeled files
/var/local/nfsen/var/run/nfsen.comm. This means that SELinux will not allow
httpd to use these files. If httpd should be allowed this access to these files
you should change the file context to one of the following types,
lsassd_var_socket_t, abrt_var_run_t, httpd_tmpfs_t, setrans_var_run_t,
avahi_var_run_t, mysqld_var_run_t, httpd_var_run_t, nscd_var_run_t,
nslcd_var_run_t, slapd_var_run_t, sssd_var_lib_t, mysqld_db_t,
system_dbusd_var_run_t, postgresql_var_run_t, winbind_var_run_t,
postgresql_tmp_t, devlog_t, httpd_cobbler_rw_content_t,
httpd_munin_rw_content_t, httpd_bugzilla_rw_content_t, httpd_cvs_rw_content_t,
httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_rw_content_t, httpd_squid_rw_content_t, nscd_var_run_t,
pcscd_var_run_t, httpd_smokeping_cgi_rw_content_t,
httpd_apcupsd_cgi_rw_content_t, httpd_prewikka_rw_content_t,
httpd_awstats_rw_content_t, httpd_w3c_validator_rw_content_t,
httpd_user_rw_content_t. Many third party apps install html files in directories
that SELinux policy cannot predict. These directories have to be labeled with a
file context which httpd can access.
Allowing Access:
If you want to change the file context of /var/local/nfsen/var/run/nfsen.comm so
that the httpd daemon can access it, you need to execute it using semanage
fcontext -a -t FILE_TYPE '/var/local/nfsen/var/run/nfsen.comm'.
where FILE_TYPE is one of the following: lsassd_var_socket_t, abrt_var_run_t,
httpd_tmpfs_t, setrans_var_run_t, avahi_var_run_t, mysqld_var_run_t,
httpd_var_run_t, nscd_var_run_t, nslcd_var_run_t, slapd_var_run_t,
sssd_var_lib_t, mysqld_db_t, system_dbusd_var_run_t, postgresql_var_run_t,
winbind_var_run_t, postgresql_tmp_t, devlog_t, httpd_cobbler_rw_content_t,
httpd_munin_rw_content_t, httpd_bugzilla_rw_content_t, httpd_cvs_rw_content_t,
httpd_git_rw_content_t, httpd_sys_rw_content_t, httpd_nagios_rw_content_t,
httpd_nutups_cgi_rw_content_t, httpd_squid_rw_content_t, nscd_var_run_t,
pcscd_var_run_t, httpd_smokeping_cgi_rw_content_t,
httpd_apcupsd_cgi_rw_content_t, httpd_prewikka_rw_content_t,
httpd_awstats_rw_content_t, httpd_w3c_validator_rw_content_t,
httpd_user_rw_content_t. You can look at the httpd_selinux man page for
additional information.
Additional Information:
Source Context unconfined_u:system_r:httpd_t:s0
Target Context system_u:object_r:var_t:s0
Target Objects /var/local/nfsen/var/run/nfsen.comm [ sock_file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host <Unknown>
Source RPM Packages httpd-2.2.15-5.el6.centos
Target RPM Packages
Policy RPM selinux-policy-3.7.19-54.el6_0.5
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name httpd_bad_labels
Host Name csn.tugriceri.com
Platform Linux csn.tugriceri.com 2.6.32-71.29.1.el6.x86_64 #1 SMP Mon Jun 27 19:49:27 BST 2011 x86_64 x86_64
Alert Count 8
First Seen Tue Mar 6 14:02:04 2012
Last Seen Tue Mar 6 14:38:35 2012
Local ID 8433f07d-91df-46a0-ba75-5228a1a1180a
Line Numbers 7, 8, 43, 44, 75, 76, 87, 88, 119, 120, 155, 156, 251, 252, 257, 258
Raw Audit Messages
type=AVC msg=audit(1331037515.880:4652026): avc: denied { write } for pid=4402 comm="httpd" name="nfsen.comm" dev=dm-2 ino=23992283 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1331037515.880:4652026): arch=c000003e syscall=42 success=no exit=-13 a0=1a a1=7fffd0623350 a2=25 a3=632e6e6573666e2f items=0 ppid=4398 pid=4402 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=236800 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
[root@legion ~]# grep httpd /var/log/audit/audit.log | audit2allow -M tugriceri_http
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i tugriceri_http.pp
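An added example, not code from the original post: a small POSIX shell script that reads the AVC record quoted above and turns it into the relabel the alert recommends (semanage fcontext plus restorecon) rather than into an audit2allow module. The audit2allow route produces a rule of the form allow httpd_t var_t:sock_file write, which lets httpd write any socket labeled var_t, not just nfsen.comm, and the grep on "httpd" sweeps up every other httpd denial in the log as well. Giving the nfsen run directory the httpd_var_run_t label (one of the types the alert lists) fixes the cause, covers only that directory, and survives a filesystem relabel, which a plain chcon would not. Assumptions in the example: /var/local/nfsen/var/run holds only nfsen's runtime files, httpd_var_run_t is the type chosen from the alert's list, the set of "generic" types taken to signal a mislabel (var_t, default_t, usr_t) is the script's own heuristic, and nothing is executed unless the script is run as root with --apply on a host that has semanage.

```shell
#!/bin/sh
# Added example, not code from the original post. It parses the AVC denial
# quoted in the post and produces the relabel that the setroubleshoot alert
# recommends (semanage fcontext + restorecon) instead of an audit2allow module.
# Assumptions are marked below; nothing is executed unless --apply is given.

# The AVC record from the post's raw audit messages (quotes straightened).
SAMPLE_AVC='type=AVC msg=audit(1331037515.880:4652026): avc: denied { write } for pid=4402 comm="httpd" name="nfsen.comm" dev=dm-2 ino=23992283 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=sock_file'

# Assumed: the directory holding nfsen's runtime socket (from the alert's path)
# and the label picked from the alert's list of types httpd may use.
NFSEN_RUN_DIR='/var/local/nfsen/var/run'
TARGET_TYPE='httpd_var_run_t'

# avc_field LINE KEY: value of KEY=VALUE in an AVC record, surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" |
        sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" |
        sed -e 's/^"//' -e 's/"$//'
}

# avc_perm LINE: the denied permission inside "denied { ... }" (single permission).
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^ }]*\) }.*/\1/p'
}

# selinux_type CONTEXT: the type field of a user:role:type:level context.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# explain_denial LINE: one-line reading of the record, e.g.
# "httpd_t denied write on sock_file labeled var_t".
explain_denial() {
    printf '%s denied %s on %s labeled %s\n' \
        "$(selinux_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(selinux_type "$(avc_field "$1" tcontext)")"
}

# needs_relabel LINE: true when the target carries a generic type. Assumed
# heuristic: var_t, default_t and usr_t on a daemon's own files mean the path
# was never covered by a file-context rule, so the fix is a label, not policy.
needs_relabel() {
    case "$(selinux_type "$(avc_field "$1" tcontext)")" in
        var_t|default_t|usr_t) return 0 ;;
        *) return 1 ;;
    esac
}

# plan_relabel DIR TYPE: the two commands that label DIR and everything under
# it as TYPE. The fcontext rule is persistent (a chcon would be undone by the
# next restorecon or relabel); restorecon applies it to the existing files.
plan_relabel() {
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
    printf "restorecon -Rv '%s'\n" "$1"
}

explain_denial "$SAMPLE_AVC"
if needs_relabel "$SAMPLE_AVC"; then
    if [ "${1:-}" = "--apply" ] && command -v semanage >/dev/null 2>&1; then
        # Run as root on the nfsen host; -x echoes each command as it runs.
        plan_relabel "$NFSEN_RUN_DIR" "$TARGET_TYPE" | sh -x
        ls -Z "$NFSEN_RUN_DIR"
    else
        echo 'Dry run; commands that would be executed:'
        plan_relabel "$NFSEN_RUN_DIR" "$TARGET_TYPE"
    fi
else
    echo 'Target type is not generic; check the httpd_selinux man page for a matching boolean or type.'
fi
```

Run with no arguments on any machine to see the parsed denial and the planned commands; on the nfsen host, as root, save it as (for example) nfsen_relabel.sh and run sh nfsen_relabel.sh --apply to apply them and list the resulting labels. If a later denial shows a target type that is not one of the generic ones, the problem is not a missing label and the script says so instead of relabeling.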
