Hi,
I've got httpd running on CentOS-5 with all the latest updates.
I'm getting the following AVC denied messages from SELinux. Now I don't want to disable SELinux for the httpd daemon as this server will be available on the internet.
1.
[root@alpha ~]# sealert -l 8c3ce37b-fbf3-459b-87d9-e4c4727276eb
Summary
SELinux is preventing /usr/sbin/httpd (httpd_t) "sys_nice" access to <Unknown> (httpd_t).
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown>.
Raw Audit Messages
avc: denied { sys_nice } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=2241 scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0 suid=0 tclass=capability tcontext=system_u:system_r:httpd_t:s0 tty=(none) uid=0
2.
[root@alpha ~]# sealert -l 87d837ba-bae0-4cbc-8a93-344e6dc67295
Summary
SELinux is preventing the /bin/netstat from using potentially mislabeled files net (proc_net_t).
Detailed Description
SELinux has denied the /bin/netstat access to potentially mislabeled files net. This means that SELinux will not allow http to use these files. Many third party apps install html files in directories that SELinux policy can not predict. These directories have to be labeled with a file context which httpd can accesss.
Allowing Access
If you want to change the file context of net so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t.net. You can look at the httpd_selinux man page for additional information.
Raw Audit Messages
avc: denied { read } for comm="netstat" dev=proc egid=0 euid=0 exe="/bin/netstat" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="net" pid=2255 scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:proc_net_t:s0 tty=(none) uid=0
3.
[root@alpha ~]# sealert -l b6d8bb36-32f7-4b10-9c09-331c6298fede
Summary
SELinux is preventing /bin/netstat (httpd_t) "create" access to <Unknown> (httpd_t).
Raw Audit Messages
avc: denied { create } for comm="netstat" egid=0 euid=0 exe="/bin/netstat" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2255 scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0 suid=0 tclass=socket tcontext=system_u:system_r:httpd_t:s0 tty=(none) uid=0
The test server seems to be working OK, so are these messages something I can safely ignore? Alternatively, how can I get rid of them without disabling SELinux for the httpd server?
Regards,
Tony
On Wed, 2007-05-30 at 11:36 +0100, Tony Molloy wrote:
> Hi,
> I've got httpd running on CentOS-5 with all the latest updates.
> I'm getting the following AVC denied messages from SELinux. Now I don't want to disable SELinux for the httpd daemon as this server will be available on the internet.
> [root@alpha ~]# sealert -l 8c3ce37b-fbf3-459b-87d9-e4c4727276eb
> Summary
> SELinux is preventing /usr/sbin/httpd (httpd_t) "sys_nice" access to
> <Unknown> (httpd_t).
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try
> to restore the default system file context for <Unknown>,
> restorecon -v <Unknown>.
> Raw Audit Messages
> avc: denied { sys_nice } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd"
> exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=2241
> scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0
> suid=0 tclass=capability tcontext=system_u:system_r:httpd_t:s0 tty=(none) uid=0
Are you trying to set the nice level here?
> [root@alpha ~]# sealert -l 87d837ba-bae0-4cbc-8a93-344e6dc67295
> Summary
> SELinux is preventing the /bin/netstat from using potentially
> mislabeled files net (proc_net_t).
> Detailed Description
> SELinux has denied the /bin/netstat access to potentially mislabeled
> files net. This means that SELinux will not allow http to use these
> files. Many third party apps install html files in directories that
> SELinux policy can not predict. These directories have to be labeled
> with a file context which httpd can accesss.
> Allowing Access
> If you want to change the file context of net so that the httpd daemon
> can access it, you need to execute it using
> chcon -t httpd_sys_content_t.net.
> You can look at the httpd_selinux man page for additional information.
> Raw Audit Messages
> avc: denied { read } for comm="netstat" dev=proc egid=0 euid=0
> exe="/bin/netstat" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="net" pid=2255
> scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0
> suid=0 tclass=dir tcontext=system_u:object_r:proc_net_t:s0 tty=(none) uid=0
Is netstat mislabeled, or is the web server trying to get to /proc/net? What does `ls -Z /bin/netstat` show?
> [root@alpha ~]# sealert -l b6d8bb36-32f7-4b10-9c09-331c6298fede
> Summary
> SELinux is preventing /bin/netstat (httpd_t) "create" access to
> <Unknown> (httpd_t).
> Raw Audit Messages
> avc: denied { create } for comm="netstat" egid=0 euid=0 exe="/bin/netstat"
> exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2255
> scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0
> suid=0 tclass=socket tcontext=system_u:system_r:httpd_t:s0 tty=(none) uid=0
> The test server seems to be working OK, so are these messages something I can safely ignore? Alternatively, how can I get rid of them without disabling SELinux for the httpd server?
I am curious about these netstat errors. Are you running something on your web server that is running netstat? It is fairly easy to setup some rules to ignore these errors, but you should investigate them first.
Forrest
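The investigation Forrest asks for, as an added example that is not part of the thread: a small Python triage script that parses the three raw AVC lines quoted above (re-typed here as constructed sample data) and reports the facts a reviewer wants before writing any policy, such as which binary ran under httpd_t, what the target label actually is, and whether the caller was really blocked.

```python
import re

# Constructed sample input: the three raw AVC messages quoted in this thread.
AVC_LINES = [
    'avc: denied { sys_nice } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=2241 scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0 suid=0 tclass=capability tcontext=system_u:system_r:httpd_t:s0 tty=(none) uid=0',
    'avc: denied { read } for comm="netstat" dev=proc egid=0 euid=0 exe="/bin/netstat" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="net" pid=2255 scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:proc_net_t:s0 tty=(none) uid=0',
    'avc: denied { create } for comm="netstat" egid=0 euid=0 exe="/bin/netstat" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2255 scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0 suid=0 tclass=socket tcontext=system_u:system_r:httpd_t:s0 tty=(none) uid=0',
]

HEAD_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one raw AVC line into a dict of its key=value fields."""
    m = HEAD_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    for key, val in KV_RE.findall(m.group(3)):
        rec[key] = val.strip('"')
    # The type is the third colon-separated component of a context.
    rec['sdomain'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec

def triage(rec, daemon_exe='/usr/sbin/httpd'):
    """Observations a reviewer wants before allowing or silencing a denial."""
    notes = []
    if rec.get('exe', '') != daemon_exe:
        # Same domain, different binary: a child of the daemon (CGI, script)
        # executed this program without a domain transition.
        notes.append('child process %s ran inside %s: find what on the web '
                     'server starts it' % (rec.get('exe'), rec['sdomain']))
    if rec['ttype'] == 'proc_net_t':
        # proc_net_t labels /proc/net, a kernel pseudo-filesystem; it is not a
        # mislabeled html directory, so chcon is not the fix sealert suggests.
        notes.append('target is /proc/net (proc_net_t), not web content')
    if rec['tclass'] == 'capability':
        notes.append('capability %s requested by %s'
                     % (','.join(rec['perms']), rec['comm']))
    exit_code = int(rec.get('exit', '0'))
    if exit_code == 0:
        notes.append('exit=0: the call completed anyway; dontaudit candidate '
                     'once the cause is understood')
    else:
        notes.append('exit=%d: the caller was actually blocked' % exit_code)
    return notes

def triage_all(lines):
    """Map (pid, comm, perms) -> triage notes for every parsable line."""
    return {(r['pid'], r['comm'], tuple(r['perms'])): triage(r)
            for r in map(parse_avc, lines) if r}
```

Run it over the output of `ausearch -m avc` once the child process is identified; only then decide between a real allow rule and an `audit2allow -D` dontaudit rule for noise.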
selinux@lists.fedoraproject.org