pl find below logs. can you please help me to analyse logs.

kernel: type=1400 audit(1319525689.800:13979617): avc: denied { getopt } for pid=16179 comm="httpd" laddr=209.x.x.x lport=52106 faddr=209.x.x.x fport=443 scontext=user_u:system_r:bootloader_t:s0 tcontext=user_u:system_r:bootloader_t:s0 tclass=tcp_socket

PS:IP addresses are changed for security reason.

Vitthal

First of all make sure you have granted httpd all security permission and grants: http://wiki.eri.ucsb.edu/sysadm/SELinux#HTTPD
Second: it's possible that a script (php, cgi etc) invokes a httpd legit function that it's blocked by SELinux.
Third: a Whois of the IP Address is often useul to check if the IP Address is in some blacklist.
The strange thing is the context of httpd: "user_u:system_r:bootloader_t:s0" why httpd has bootloader context access? Maybe it's really a kind of attack trying to access boot sector or bootloader or maybe, there's a misconfiguration in httpd or the problem happens at boot time during init (?!?).

1 members found this post helpful.

Hi Slackyman,

Thanks for reply. Can u pl tel me is it better idea to stop SElinux if the servers are protected by network firewall.

vitthal

Hi Slackyman,

Thanks for reply. Can u pl tel me is it better idea to stop SElinux if the servers are protected by network firewall.

vitthal

I don't think that stopping SELinux is a great idea if the firewall is not well-configured.
I mean: I use Slackware without SELinux but I use iptables and my system keep a trace of any incoming and outcoming connection so that I can inspect what's happening and re-arrange my configuration but if you use Fedora or CentOS or any other distro using it I suggest you to keep it working.

...looks like the wrong context to me for the web server. Should be httpd_.* AFAIK.