Fedora Linux Support Community & Resources Center
  #1  
Old 9th December 2011, 07:21 PM
Pitfall Offline
SELinux preventing write access

Hi guys,

I'm trying to get my httpd server running on my Fedora 16 Desktop, but there's a problem.
SELinux is preventing write access to a directory.

This is my error:
SELinux is preventing /usr/sbin/httpd from write access on the directory pages.

***** Plugin httpd_write_content (92.2 confidence) suggests ****************

If you want to allow httpd to have write access on the pages directory
Then you need to change the label on 'pages'
Do
# semanage fcontext -a -t httpd_sys_rw_content_t 'pages'
# restorecon -v 'pages'

***** Plugin catchall_boolean (7.83 confidence) suggests *******************

If you want to unify HTTPD handling of all content files.
Then you must tell SELinux about this by enabling the 'httpd_unified' boolean.
Do
setsebool -P httpd_unified 1

***** Plugin catchall (1.41 confidence) suggests ***************************

If you believe that httpd should be allowed write access on the pages directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:httpd_sys_content_t:s0
Target Objects pages [ dir ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host fedoraPC
Source RPM Packages httpd-2.2.21-1.fc16
Target RPM Packages
Policy RPM selinux-policy-3.10.0-64.fc16
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name fedoraPC
Platform Linux fedoraPC 3.1.4-1.fc16.x86_64 #1 SMP Tue Nov 29 11:37:53 UTC 2011 x86_64 x86_64
Alert Count 13
First Seen Fri 09 Dec 2011 07:52:50 PM CET
Last Seen Fri 09 Dec 2011 08:08:46 PM CET
Local ID 97b65e63-c19a-4b37-b59b-3a8e63daa7b5

Raw Audit Messages
type=AVC msg=audit(1323457726.325:257): avc: denied { write } for pid=24139 comm="httpd" name="pages" dev=sda2 ino=1574531 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir


type=SYSCALL msg=audit(1323457726.325:257): arch=x86_64 syscall=open success=no exit=EACCES a0=7faa18b973f8 a1=241 a2=1b6 a3=7fff4e2d75a0 items=0 ppid=24137 pid=24139 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,httpd_sys_content_t,dir,write

audit2allow

#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'

allow httpd_t httpd_sys_content_t:dir write;

audit2allow -R

#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'

allow httpd_t httpd_sys_content_t:dir write;


Things I tried to fix the issue:
  • allow_httpd_anon_write -> true
  • chmod 777
  • First suggestion


Could someone help me out with this problem?

Thanks.
__________________
Desktop: i3 540, GT430, Fedora 17 x86_64 KDE
Netbook: E-450, HD 6230, Fedora 17 x86_64 KDE
  #2  
Old 9th December 2011, 07:34 PM
Sagitter Offline
Re: SELinux preventing write access

Quote:
***** Plugin httpd_write_content (92.2 confidence) suggests ****************

If you want to allow httpd to have write access on the pages directory
Then you need to change the label on 'pages'
Do
# semanage fcontext -a -t httpd_sys_rw_content_t 'pages'
# restorecon -v 'pages'
As reported by setroubleshooter, it is an SELinux label problem.
__________________
Homepage: http://www.fedoraos.wordpress.com
Wiki page: https://fedoraproject.org/wiki/User:Sagitter
  #3  
Old 9th December 2011, 07:40 PM
Skull One Offline
Re: SELinux preventing write access

In summary, SELinux only allows write access for httpd on files and directories labeled 'httpd_sys_rw_content_t'.
Your files have another label, so SELinux complains. You can check the label with the command 'ls -lZ'.

So, you have to set the label on your files to fix the problem:
Code:
chcon -t httpd_sys_rw_content_t <the files>
If you want to add this context to the SELinux policy, the report told you what to do:
Code:
# semanage fcontext -a -t httpd_sys_rw_content_t 'pages'
# restorecon -v 'pages'
where 'pages' are your files, for instance '/var/www/html/myfolder(/.*)?' if your files are in /var/www/html/myfolder.
Beware, this command is for ALL the files in the folder, so adapt it if some of them have to be read only.
Reply With Quote
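
An added example, not part of any post in this thread: a dry run of the scope warning above, to be done before a spec is handed to semanage fcontext. The sample paths are constructed, and `grep -E -x` stands in for SELinux's whole-path matching of file-context specs, an approximation that holds for simple patterns like these.

```shell
#!/bin/sh
# Preview which paths a file-context spec would cover before running
# `semanage fcontext -a -t httpd_sys_rw_content_t <spec>`.
# A spec is a regular expression matched against the whole absolute path;
# `grep -E -x` (whole-line match) approximates that here.

# Constructed sample tree (hypothetical paths, not taken from the thread).
sample_paths() {
    cat <<'EOF'
/var/www/html/myfolder
/var/www/html/myfolder/index.php
/var/www/html/myfolder/config.php
/var/www/html/myfolder/uploads
/var/www/html/myfolder/uploads/photo.png
/var/www/html/myfolder-old/index.php
/var/www/html/pages
EOF
}

# matched_paths SPEC: print the sample paths the spec would label.
matched_paths() {
    sample_paths | grep -E -x -e "$1" || true
}

# count_matches SPEC: number of sample paths the spec would label.
count_matches() {
    matched_paths "$1" | wc -l | tr -d ' '
}

# report SPEC: show the scope of one candidate spec.
report() {
    printf '%s -> %s path(s) would become httpd_sys_rw_content_t\n' \
        "$1" "$(count_matches "$1")"
    matched_paths "$1" | sed 's/^/    /'
}

report '/var/www/html/myfolder(/.*)?'          # whole folder: code and data
report '/var/www/html/myfolder/uploads(/.*)?'  # only the writable subtree
report 'pages'                                 # bare name: matches no full path
```

The first spec makes the PHP files themselves writable by httpd, the second confines write access to the upload directory, and the bare name covers nothing because no absolute path equals 'pages'.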
  #4  
Old 9th December 2011, 08:54 PM
Pitfall Offline
Re: SELinux preventing write access

Thanks a lot people!

The problem was solved by setting the label for my 'pages' directory.