Hi,

I've got httpd running on CentOS-5 with all the latest updates.

I'm getting the following AVC denied messages from SELinux. Now I don't want to disable SELinux for the httpd daemon, as this server will be available on the internet.

1.

[root@alpha ~]# sealert -l 8c3ce37b-fbf3-459b-87d9-e4c4727276eb

Summary

SELinux is preventing /usr/sbin/httpd (httpd_t) "sys_nice" access to
<Unknown> (httpd_t).

Allowing Access

Sometimes labeling problems can cause SELinux denials. You could try
to restore the default system file context for <Unknown>,
restorecon -v <Unknown>.

Raw Audit Messages

avc: denied { sys_nice } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd"
exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=2241
scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0
suid=0 tclass=capability tcontext=system_u:system_r:httpd_t:s0 tty=(none) uid=0

2.

[root@alpha ~]# sealert -l 87d837ba-bae0-4cbc-8a93-344e6dc67295

Summary

SELinux is preventing the /bin/netstat from using potentially
mislabeled files net (proc_net_t).

Detailed Description

SELinux has denied the /bin/netstat access to potentially mislabeled
files net. This means that SELinux will not allow http to use these
files. Many third party apps install html files in directories that
SELinux policy can not predict. These directories have to be labeled
with a file context which httpd can accesss.

Allowing Access

If you want to change the file context of net so that the httpd daemon
can access it, you need to execute it using
chcon -t httpd_sys_content_t.net.
You can look at the httpd_selinux man page for additional information.

Raw Audit Messages

avc: denied { read } for comm="netstat" dev=proc egid=0 euid=0
exe="/bin/netstat" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="net" pid=2255 scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0
suid=0 tclass=dir tcontext=system_u:object_r:proc_net_t:s0 tty=(none) uid=0

3.

[root@alpha ~]# sealert -l b6d8bb36-32f7-4b10-9c09-331c6298fede

Summary

SELinux is preventing /bin/netstat (httpd_t) "create" access to
<Unknown> (httpd_t).

Raw Audit Messages

avc: denied { create } for comm="netstat" egid=0 euid=0 exe="/bin/netstat"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2255
scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0
suid=0 tclass=socket tcontext=system_u:system_r:httpd_t:s0 tty=(none) uid=0

The test server seems to be working OK, so are these messages I can safely ignore? Alternatively, how can I get rid of them without disabling SELinux for the httpd server?

Regards,

Tony

--
Tony Molloy.
System Manager.
Dept. of Comp. Sci.
University of Limerick
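As an added illustration (not part of Tony's post, and not setroubleshoot or audit2allow code), the script below parses the three raw AVC records quoted above into the `allow` rules a local policy module would need, and uses the `exit=` field to tell which denials the program actually observed (a negative value is the errno returned, -13 being EACCES) versus ones where the syscall still returned 0. The module name `httpd_local` is a placeholder; any generated rules should be reviewed before being built with `checkmodule`/`semodule_package` and loaded with `semodule`.

```python
import re
from collections import OrderedDict

# The three AVC records from the sealert output above, each joined onto one line.
AVC_SAMPLES = [
    'avc: denied { sys_nice } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" '
    'exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=2241 '
    'scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0 '
    'suid=0 tclass=capability tcontext=system_u:system_r:httpd_t:s0 tty=(none) uid=0',
    'avc: denied { read } for comm="netstat" dev=proc egid=0 euid=0 exe="/bin/netstat" '
    'exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="net" pid=2255 '
    'scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0 '
    'suid=0 tclass=dir tcontext=system_u:object_r:proc_net_t:s0 tty=(none) uid=0',
    'avc: denied { create } for comm="netstat" egid=0 euid=0 exe="/bin/netstat" '
    'exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2255 '
    'scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0 '
    'suid=0 tclass=socket tcontext=system_u:system_r:httpd_t:s0 tty=(none) uid=0',
]

PERM_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted

def parse_avc(line):
    """Extract permissions, source/target types, object class and syscall result."""
    m = PERM_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        'perms': m.group(1).split(),
        'comm': fields.get('comm'),
        'stype': fields['scontext'].split(':')[2],   # e.g. httpd_t
        'ttype': fields['tcontext'].split(':')[2],   # e.g. proc_net_t
        'tclass': fields['tclass'],
        'exit': int(fields.get('exit', '0')),
    }

def triage(rec):
    """Negative exit is the errno the process got; 0 means the call still succeeded."""
    if rec['exit'] < 0:
        return '%s: %s denied and failed (errno %d)' % (rec['comm'], rec['tclass'], -rec['exit'])
    return '%s: %s denied but syscall succeeded' % (rec['comm'], rec['tclass'])

def allow_rules(records):
    """Merge denials into one allow rule per (source, target, class); same type -> self."""
    merged = OrderedDict()
    for r in records:
        target = 'self' if r['ttype'] == r['stype'] else r['ttype']
        merged.setdefault((r['stype'], target, r['tclass']), set()).update(r['perms'])
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in merged.items()]

def policy_module(name, records):
    """Render a complete .te source: module header, require block, allow rules."""
    types = sorted({r['stype'] for r in records} | {r['ttype'] for r in records})
    classes = OrderedDict()
    for r in records:
        classes.setdefault(r['tclass'], set()).update(r['perms'])
    lines = ['module %s 1.0;' % name, '', 'require {']
    lines += ['\ttype %s;' % t for t in types]
    lines += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in classes.items()]
    lines += ['}', ''] + allow_rules(records)
    return '\n'.join(lines)

if __name__ == '__main__':
    recs = [parse_avc(l) for l in AVC_SAMPLES]
    print('\n'.join(triage(r) for r in recs))
    print(policy_module('httpd_local', recs))
```

Running it shows that only the two netstat denials (read on proc_net_t, socket create) actually failed with EACCES, while the sys_nice capability check was denied without affecting httpd's call.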