On 12/07/2010 07:36 AM, Benjamin Franz wrote:
On 12/06/2010 06:47 AM, Daniel J Walsh wrote:
I agree, and would like to look at the AVCs to understand what could have broken the labeling.
Well - since it happened again this morning, here you go. On further investigation in backups, I previously had the user account that I use for the FTP based update with its home directory set to a location inside the /var/www/html tree. Since that unknowingly passed this rule, it silently worked. It was changed to a /home/ based directory instead a while ago - tripping this rule. But not consistently: FTP appears to at least partially work outside the home tree even with the rule active.
I *really* dislike landmines when doing routine system tasks.
Ok. SELinux blew up something else that was previously working on that machine (yes - I've already done something to fix it for now. I don't need anyone saying 'well run sealert'. Been there - done that. Things are running now.) This repeated time suckage is why people routinely turn it off.
sealert -l e6e017f5-9c2b-4e7b-895e-51a232042588
Summary:
SELinux is preventing the httpd from using potentially mislabeled files /var/XXXXXXXXXX/misc/manage_clients/config.xml (var_t).
Detailed Description:
SELinux has denied the httpd access to potentially mislabeled files /var/XXXXXXXXXX/misc/manage_clients/config.xml. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.
Allowing Access:
If you want to change the file context of /var/XXXXXXXXXX/misc/manage_clients/config.xml so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t '/var/XXXXXXXXXX/misc/manage_clients/config.xml'. You can look at the httpd_selinux man page for additional information.
Additional Information:
Source Context                system_u:system_r:httpd_t
Target Context                user_u:object_r:var_t
Target Objects                /var/XXXXXXXXXX/misc/manage_clients/config.xml [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          XXXXXXXXXX
Source RPM Packages           httpd-2.2.3-43.el5.centos.3
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     XXXXXXXXXX
Platform                      Linux XXXXXXXXXX 2.6.18-194.26.1.el5 #1 SMP Tue Nov 9 12:54:40 EST 2010 i686 i686
Alert Count                   3
First Seen                    Mon Apr 26 10:20:36 2010
Last Seen                     Tue Dec 7 07:38:17 2010
Local ID                      e6e017f5-9c2b-4e7b-895e-51a232042588
Line Numbers
Raw Audit Messages
host=XXXXXXXXXX type=AVC msg=audit(1291736297.720:6786): avc: denied { getattr } for pid=21363 comm="httpd" path="/var/XXXXXXXXXX/misc/manage_clients/config.xml" dev=dm-0 ino=5355222 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file
host=XXXXXXXXXX type=SYSCALL msg=audit(1291736297.720:6786): arch=40000003 syscall=195 success=no exit=-13 a0=82e7380 a1=8297c68 a2=296ff4 a3=82e7380 items=0 ppid=3398 pid=21363 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
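
Added example, not part of the original message or of any SELinux tool: a Python sketch that pairs the AVC record above with its SYSCALL record by audit event id and reports who was denied what. The function names, the GENERIC_TYPES list and the choice to label the file's whole directory are assumptions; the semanage/restorecon pair is used because a chcon label lasts only until the next restorecon or relabel, while a rule recorded with semanage fcontext is what restorecon applies.

```python
import errno, posixpath, re, shlex
from collections import defaultdict

# The two raw audit records from the message above (SYSCALL record abridged).
SAMPLE = (
    'host=XXXXXXXXXX type=AVC msg=audit(1291736297.720:6786): avc: denied { getattr } for pid=21363 '
    'comm="httpd" path="/var/XXXXXXXXXX/misc/manage_clients/config.xml" dev=dm-0 ino=5355222 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file\n'
    'host=XXXXXXXXXX type=SYSCALL msg=audit(1291736297.720:6786): arch=40000003 syscall=195 '
    'success=no exit=-13 a0=82e7380 a1=8297c68 a2=296ff4 a3=82e7380 items=0 ppid=3398 pid=21363 '
    'uid=48 gid=48 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)\n'
)
HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+:\d+)\):')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: generic types that usually mean the file was never labelled for a service.
GENERIC_TYPES = {'var_t', 'default_t', 'file_t'}

def fields(text):
    """Split key=value pairs, removing the quotes around quoted values."""
    return {k: v.strip('"') for k, v in FIELD.findall(text)}

def parse_denials(log):
    """Merge each AVC denial with the SYSCALL record sharing its audit event id."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = HEADER.search(line)
        if m:
            events[m.group(2)][m.group(1)] = line[m.end():]
    denials = []
    for event_id, recs in events.items():
        perms = PERMS.search(recs.get('AVC', ''))
        if not perms:
            continue  # not a denial, or no AVC record for this event
        avc, sc = fields(recs['AVC'][perms.end():]), fields(recs.get('SYSCALL', ''))
        ttype = avc['tcontext'].split(':')[2]
        denials.append({
            'event': event_id, 'perms': perms.group(1).split(), 'path': avc.get('path'),
            'source_type': avc['scontext'].split(':')[2], 'target_type': ttype,
            'tclass': avc['tclass'], 'exe': sc.get('exe'),
            'errno': errno.errorcode.get(-int(sc.get('exit', 0))),  # exit=-13 -> EACCES
            'generic_label': ttype in GENERIC_TYPES,
        })
    return denials

def persistent_relabel(denial, new_type):
    """Commands that record the label in policy so a later restorecon keeps it."""
    tree = posixpath.dirname(denial['path'])  # assumption: label the file's whole directory
    return ['semanage fcontext -a -t %s %s' % (new_type, shlex.quote(tree + '(/.*)?')),
            'restorecon -Rv %s' % shlex.quote(tree)]
```
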