madsovenielsen |
06-15-2010 03:03 AM |
SELinux hell: Preventig access to httpd
Hey i am developing some php on a local Apache server i am running Fedora 12 and i keep getting this error messages from SELinux
Code:
Summary:
SELinux is preventing /usr/sbin/httpd "read" access to
/var/www/projects/php/index.php.
Detailed Description:
SELinux denied access requested by httpd. /var/www/projects/php/index.php may be
a mislabeled. /var/www/projects/php/index.php default SELinux type is
httpd_sys_content_t, but its current type is user_home_t. Changing this file
back to the default type, may fix your problem.
File contexts can be assigned to a file in the following ways.
* Files created in a directory receive the file context of the parent
directory by default.
* The SELinux policy might override the default label inherited from the
parent directory by specifying a process running in context A which creates
a file in a directory labeled B will instead create the file with label C.
An example of this would be the dhcp client running with the dhclient_t type
and creating a file in the directory /etc. This file would normally receive
the etc_t type due to parental inheritance but instead the file is labeled
with the net_conf_t type because the SELinux policy specifies this.
* Users can change the file context on a file using tools such as chcon, or
restorecon.
This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.
However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.
If you believe this is a bug, please file a bug report against this package.
Allowing Access:
You can restore the default system context to this file by executing the
restorecon command. restorecon '/var/www/projects/php/index.php', if this file
is a directory, you can recursively restore using restorecon -R
'/var/www/projects/php/index.php'.
Fix Command:
/sbin/restorecon '/var/www/projects/php/index.php'
Additional Information:
Source Context unconfined_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:user_home_t:s0
Target Objects /var/www/projects/php/index.php [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host thinkpad
Source RPM Packages httpd-2.2.15-1.fc12.2
Target RPM Packages
Policy RPM selinux-policy-3.6.32-116.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name restorecon
Host Name thinkpad
Platform Linux thinkpad 2.6.32.12-115.fc12.x86_64 #1 SMP
Fri Apr 30 19:46:25 UTC 2010 x86_64 x86_64
Alert Count 56
First Seen Mon 14 Jun 2010 11:21:38 AM CEST
Last Seen Mon 14 Jun 2010 02:02:56 PM CEST
Local ID ********************************
Line Numbers
Raw Audit Messages
node=thinkpad type=AVC msg=audit(1276516976.54:22125): avc: denied { read } for pid=2805 comm="httpd" name="index.php" dev=dm-0 ino=789248 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
node=thinkpad type=SYSCALL msg=audit(1276516976.54:22125): arch=c000003e syscall=2 success=no exit=-13 a0=7f8eef2c2328 a1=0 a2=1b6 a3=7068702e786564 items=0 ppid=2799 pid=2805 auid=500 uid=48 gid=487 euid=48 suid=48 fsuid=48 egid=487 sgid=487 fsgid=487 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
I have temporarily disabled it with this command
Code:
echo 0 >/selinux/enforce
I have tried to use the suggested fix in the SELinux alert but it keeps coming back.
How do i fix this problem ?
/mads
|