SELinux... a never ending story!

Joe Orton jorton at redhat.com
Fri Dec 17 09:55:36 UTC 2004


On Thu, Dec 16, 2004 at 10:50:56PM -0500, Daniel J Walsh wrote:
> Giuseppe Greco wrote:
> >done... and now I get
> >
> >audit(1103229440.677.0): avc: denied { unlink } for pid=2671
> > exe=/usr/sbin/httpd name=ssl_mutex.2670 dev=dm-6 ino=192037
> > scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t
> > tclass=file

Giuseppe, can you post your /etc/httpd/conf.d/ssl.conf?  This shouldn't
happen in the default mod_ssl configuration.

> ugh,
> 
> Where is this mutex file being created?  In the log dir?  The problem
> with this is it allows a hacker to unlink all the log files, if I
> allow this rule.

mod_ssl (and various other bits of httpd) can be configured to use
various types of semaphore: these will all be SysV semaphores in the
default configuration, but in non-default configurations, can be files
with fcntl locking.  So the rule shouldn't be needed by default, I'm
confused why people are seeing this.

joe
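The AVC record quoted above is a useful thing to triage automatically before writing an allow rule, since the risk Dan describes (granting httpd_t unlink on httpd_log_t) is visible purely from the record's fields. The following parser and check are an added example, not code from the thread or from the SELinux project; the set of permissions it treats as log-tampering beyond `unlink` is this example's own assumption.

```python
import re

# The AVC denial quoted in the thread, reassembled onto one line (constructed
# test input; the field values are the ones Giuseppe posted).
AVC_LINE = (
    "audit(1103229440.677.0): avc: denied { unlink } for pid=2671 "
    "exe=/usr/sbin/httpd name=ssl_mutex.2670 dev=dm-6 ino=192037 "
    "scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t "
    "tclass=file"
)

_AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)

def parse_avc(line):
    """Return a dict with the permissions and key=value fields of one AVC
    record, or None if the line is not an AVC record."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        rec[key] = val
    return rec

def context_type(ctx):
    """Extract the type component (third field) of a user:role:type context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""

# Permissions that, if granted to httpd_t on httpd_log_t files, would let a
# compromised httpd destroy or alter its own log trail. 'unlink' is the one
# from the thread; the others are this example's own (assumed) extension.
LOG_TAMPER_PERMS = {"unlink", "write", "rename", "setattr"}

def log_tamper_risk(rec):
    """Return the subset of the denied permissions that would let httpd_t
    tamper with httpd_log_t files if allowed (empty set means no such risk)."""
    if rec is None or rec.get("tclass") != "file":
        return set()
    if context_type(rec.get("scontext", "")) != "httpd_t":
        return set()
    if context_type(rec.get("tcontext", "")) != "httpd_log_t":
        return set()
    return set(rec["perms"]) & LOG_TAMPER_PERMS

if __name__ == "__main__":
    rec = parse_avc(AVC_LINE)
    print(rec["name"], log_tamper_risk(rec))  # ssl_mutex.2670 {'unlink'}
```

A non-empty result is the cue to fix the configuration that puts the file in the log directory rather than to add the rule.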
