Old 06-15-2010, 03:03 AM   #1
Registered: Aug 2009
Posts: 182

Rep: Reputation: 15
SELinux hell: Preventing access to httpd

Hey, I am developing some PHP on a local Apache server. I am running Fedora 12 and I keep getting these error messages from SELinux:

SELinux is preventing /usr/sbin/httpd "read" access to

Detailed Description:

SELinux denied access requested by httpd. /var/www/projects/php/index.php may be
a mislabeled. /var/www/projects/php/index.php default SELinux type is
httpd_sys_content_t, but its current type is user_home_t. Changing this file
back to the default type, may fix your problem.

File contexts can be assigned to a file in the following ways.

  * Files created in a directory receive the file context of the parent
    directory by default.
  * The SELinux policy might override the default label inherited from the
    parent directory by specifying a process running in context A which creates
    a file in a directory labeled B will instead create the file with label C.
    An example of this would be the dhcp client running with the dhclient_t type
    and creating a file in the directory /etc. This file would normally receive
    the etc_t type due to parental inheritance but instead the file is labeled
    with the net_conf_t type because the SELinux policy specifies this.
  * Users can change the file context on a file using tools such as chcon, or

This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.

If you believe this is a bug, please file a bug report against this package.

Allowing Access:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/var/www/projects/php/index.php', if this file
is a directory, you can recursively restore using restorecon -R

Fix Command:

/sbin/restorecon '/var/www/projects/php/index.php'

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /var/www/projects/php/index.php [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          thinkpad
Source RPM Packages           httpd-2.2.15-1.fc12.2
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-116.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   restorecon
Host Name                     thinkpad
Platform                      Linux thinkpad #1 SMP
                              Fri Apr 30 19:46:25 UTC 2010 x86_64 x86_64
Alert Count                   56
First Seen                    Mon 14 Jun 2010 11:21:38 AM CEST
Last Seen                     Mon 14 Jun 2010 02:02:56 PM CEST
Local ID                      ********************************
Line Numbers

Raw Audit Messages

node=thinkpad type=AVC msg=audit(1276516976.54:22125): avc:  denied  { read } for  pid=2805 comm="httpd" name="index.php" dev=dm-0 ino=789248 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

node=thinkpad type=SYSCALL msg=audit(1276516976.54:22125): arch=c000003e syscall=2 success=no exit=-13 a0=7f8eef2c2328 a1=0 a2=1b6 a3=7068702e786564 items=0 ppid=2799 pid=2805 auid=500 uid=48 gid=487 euid=48 suid=48 fsuid=48 egid=487 sgid=487 fsgid=487 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

I have temporarily disabled it with this command:

echo 0 >/selinux/enforce

I have tried to use the suggested fix in the SELinux alert but it keeps coming back.

How do I fix this problem?

Old 06-15-2010, 03:26 AM   #2
Senior Member
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

Rep: Reputation: 61
audit2allow could help convert the raw messages into SELinux rules.

The fact that it mentions the user_home context suggests that the index.php file is in your user home. Maybe moving the website root to, say, /var/www could help?

Is there anything on this mentioned on the web pages?
Old 06-15-2010, 05:46 AM   #3
Registered: Aug 2009
Posts: 182

Original Poster
Rep: Reputation: 15
The files....

The files reside in /var/www/projects/php.

It's working fine as long as I have disabled SELinux.

The httpd.conf and php.ini are configured correctly.

Old 06-15-2010, 06:08 AM   #4
Senior Member
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

Rep: Reputation: 61
Yes, you're right, now I see the /var/www path in the posted SELinux message.
Does it work when SELinux is enabled but permissive?

What do the SELinux default contexts (/etc/selinux/...) say for files?

restorecon -R /var/www

Can you post the output of (run as root or from /usr/sbin/)
getsebool -a
Old 06-16-2010, 02:01 PM   #5
Registered: Aug 2009
Posts: 182

Original Poster
Rep: Reputation: 15
Originally Posted by timmeke:
Yes, you're right, now I see the /var/www path in the posted SELinux message.
Does it work when SELinux is enabled but permissive?

What do the SELinux default contexts (/etc/selinux/...) say for files?

restorecon -R /var/www

Can you post the output of (run as root or from /usr/sbin/)
getsebool -a
Yes, it's working when I set SELinux to permissive.

Output from getsebool -a

[root@thinkpad user]# getsebool -a
allow_console_login --> off
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
allow_daemons_use_tty --> on
allow_domain_fd_use --> on
allow_execheap --> off
allow_execmem --> on
allow_execmod --> off
allow_execstack --> on
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_gssd_read_tmp --> on
allow_guest_exec_content --> off
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
allow_java_execstack --> off
allow_kerberos --> on
allow_mount_anyfile --> on
allow_mplayer_execstack --> off
allow_nfsd_anon_write --> off
allow_nsplugin_execmem --> on
allow_polyinstantiation --> off
allow_postfix_local_write_mail_spool --> on
allow_ptrace --> off
allow_rsync_anon_write --> off
allow_saslauthd_read_shadow --> off
allow_smbd_anon_write --> off
allow_ssh_keysign --> off
allow_staff_exec_content --> on
allow_sysadm_exec_content --> on
allow_unconfined_nsplugin_transition --> off
allow_unconfined_qemu_transition --> off
allow_user_exec_content --> on
allow_user_postgresql_connect --> off
allow_write_xshm --> off
allow_xguest_exec_content --> off
allow_xserver_execmem --> off
allow_ypbind --> off
allow_zebra_write_config --> on
cdrecord_read_content --> off
cobbler_anon_write --> off
cron_can_relabel --> off
domain_kernel_load_modules --> off
exim_can_connect_db --> off
exim_manage_user_files --> off
exim_read_user_files --> off
fcron_crond --> off
fenced_can_network_connect --> off
ftp_home_dir --> off
ftpd_connect_db --> off
git_session_bind_all_unreserved_ports --> off
git_system_enable_homedirs --> off
git_system_use_cifs --> off
git_system_use_nfs --> off
global_ssp --> off
gpg_agent_env_file --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_read_user_content --> on
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
init_upstart --> on
mmap_low_allowed --> off
mozilla_read_content --> off
mysql_connect_any --> off
nagios_plugin_dontaudit_bind_port --> off
named_write_master_zones --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nscd_use_shm --> on
nsplugin_can_network --> on
openvpn_enable_homedirs --> on
pppd_can_insmod --> off
pppd_for_user --> off
privoxy_connect_any --> on
qemu_full_network --> on
qemu_use_cifs --> on
qemu_use_comm --> off
qemu_use_nfs --> on
qemu_use_usb --> on
racoon_read_shadow --> off
rgmanager_can_network_connect --> off
rsync_client --> off
rsync_export_all_ro --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
sepgsql_enable_users_ddl --> on
sftp_enable_homedirs --> off
sftpd_anon_write --> off
sftpd_full_access --> off
sftpd_write_ssh_home --> off
spamassassin_can_network --> off
spamd_enable_home_dirs --> on
squid_connect_any --> off
squid_use_tproxy --> off
ssh_sysadm_login --> off
tftp_anon_write --> off
tor_bind_all_unreserved_ports --> off
unconfined_login --> on
use_lpd_server --> off
use_nfs_home_dirs --> on
use_samba_home_dirs --> off
user_direct_dri --> on
user_direct_mouse --> off
user_ping --> on
user_rw_noexattrfile --> on
user_tcp_server --> off
user_ttyfile_stat --> off
varnishd_connect_any --> off
vbetool_mmap_zero_ignore --> off
virt_manage_sysfs --> off
virt_use_comm --> off
virt_use_fusefs --> off
virt_use_nfs --> off
virt_use_samba --> off
virt_use_sysfs --> off
virt_use_usb --> on
webadm_manage_user_files --> off
webadm_read_user_files --> off
wine_mmap_zero_ignore --> off
xdm_sysadm_login --> off
xen_use_nfs --> off
xguest_connect_network --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on
xserver_object_manager --> off
[root@thinkpad user]#
Old 06-16-2010, 05:32 PM   #6
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3599
If after running the above 'restorecon' command running
find /var/www/projects -context '*:object_r:user_home_t:*' -printf '%Z %p\n'
still returns items, then running
find /var/www/projects -context '*:object_r:user_home_t:*' -print0 | xargs -0 chcon -t httpd_sys_content_t
should change context (like 'restorecon' would). Verify with
ls -alZ /var/www/projects/php/
all the way back to "/var/www" to check all context is as it should be. Restart the web server then
tail -f /var/log/audit/audit.log
as you access the files to see if any *new* AVC messages appear.

Last edited by unSpawn; 06-16-2010 at 05:34 PM.
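A small triage helper for the audit.log tailing suggested above, and for the raw AVC line quoted in post #1. This is an added example, not code from the thread or from the SELinux tools: it only parses the denial text, so it runs on a box without SELinux, and SAMPLE_AVC is constructed to mirror the shape of the denial quoted in the first post.

```shell
#!/bin/sh
# Triage helper for httpd AVC denials pulled from /var/log/audit/audit.log.
# Added example (not from the thread): pure text processing, so it runs on a
# box without SELinux. SAMPLE_AVC is constructed to mirror the denial quoted
# in post #1: httpd_t reading a file still labeled user_home_t.
SAMPLE_AVC='node=thinkpad type=AVC msg=audit(1276516976.54:22125): avc:  denied  { read } for  pid=2805 comm="httpd" name="index.php" dev=dm-0 ino=789248 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=value (quotes stripped), or
# nothing if the key is absent. The [ (] prefix stops "pid" matching "ppid".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_type CONTEXT: the type is the third colon-separated field of a context
# such as unconfined_u:object_r:user_home_t:s0.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_triage LINE: returns 0 (and prints a hint) when the denial is httpd_t
# being refused a file that carries a home-directory label, i.e. the label
# problem from the thread that restorecon fixes; returns 1 for anything else.
avc_triage() {
    [ "$(avc_field "$1" type)" = "AVC" ] || return 1
    [ "$(avc_type "$(avc_field "$1" scontext)")" = "httpd_t" ] || return 1
    ttype=$(avc_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    name=$(avc_field "$1" name)
    case "$ttype" in
        user_home_t|user_home_dir_t)
            printf 'mislabeled %s "%s" (%s): fix with restorecon -Rv on the DocumentRoot\n' \
                "$tclass" "$name" "$ttype"
            return 0 ;;
        *)
            printf 'httpd denied on %s "%s" (%s): not a stray home label, check policy/booleans\n' \
                "$tclass" "$name" "$ttype"
            return 1 ;;
    esac
}

# Typical use: tail -f /var/log/audit/audit.log | while read -r l; do avc_triage "$l"; done
avc_triage "$SAMPLE_AVC"
```

Separating label problems from real policy denials matters before reaching for audit2allow: feeding this denial to it would allow httpd_t to read user_home_t policy-wide instead of fixing the label.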

