selinux denying access to "unknown"
John Oliver
joliver at john-oliver.net
Mon Feb 23 17:53:14 UTC 2009
System is a fresh install of RHEL 5.2
[root at testbed ~]# service httpd start
Starting httpd: [FAILED]
[root at testbed ~]# tail -1 /var/log/messages
Feb 23 17:33:34 testbed setroubleshoot: SELinux is preventing
/usr/sbin/httpd (httpd_t) "execstack" access to <Unknown> (httpd_t).
For complete SELinux messages. run sealert -l
bda3d483-5ff5-4465-a9af-c2896cd7adb0
[root at testbed ~]# sealert -l bda3d483-5ff5-4465-a9af-c2896cd7adb0
Summary
SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access
to
<Unknown> (httpd_t).
Detailed Description
SELinux denied access requested by /usr/sbin/httpd. It is not
expected that
this access is required by /usr/sbin/httpd and this access may
signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional
access.
Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this
package.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could
try to
restore the default system file context for <Unknown>, restorecon -v
<Unknown>. There is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access
- see
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you
can
disable SELinux protection entirely for the application. Disabling
SELinux
protection is not recommended. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
package.
Changing the "httpd_disable_trans" boolean to true will disable
SELinux
protection this application: "setsebool -P httpd_disable_trans=1."
The following command will allow this access:
setsebool -P httpd_disable_trans=1
Additional Information
Source Context root:system_r:httpd_t:s0
Target Context root:system_r:httpd_t:s0
Target Objects None [ process ]
Affected RPM Packages httpd-2.2.3-6.el5 [application]
Policy RPM selinux-policy-2.4.6-30.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.disable_trans
Host Name testbed
Platform Linux testbed
2.6.18-8.el5 #1
SMP Fri Jan 26 14:15:21 EST 2007 i686 i686
Alert Count 2
Line Numbers
Raw Audit Messages
avc: denied { execstack } for comm="httpd" egid=0 euid=0
exe="/usr/sbin/httpd"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=15177
scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0
suid=0
tclass=process tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0
How am I supposed to figure out what it's unhappy about if it won't tell
me?
--
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************
More information about the fedora-selinux-list
mailing list