mod_mono_server_global

Daniel J Walsh dwalsh at redhat.com
Mon Jul 14 12:57:14 UTC 2008 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dan Thurman wrote:
> I get this consistenly. What can I do to fix this?
> =====================================
> Summary:
> 
> SELinux is preventing the mono from using potentially mislabeled files
> (mod_mono_server_global).
> 
> Detailed Description:
> 
> SELinux has denied mono access to potentially mislabeled file(s)
> (mod_mono_server_global). This means that SELinux will not allow mono to
> use
> these files. It is common for users to edit files in their home
> directory or tmp
> directories and then move (mv) them to system directories. The problem
> is that
> the files end up with the wrong file context which confined applications
> are not
> allowed to access.
> 
> Allowing Access:
> 
> If you want mono to access this files, you need to relabel them using
> restorecon
> -v 'mod_mono_server_global'. You might want to relabel the entire directory
> using restorecon -R -v '<Unknown>'.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:httpd_t:s0
> Target Context                system_u:object_r:tmp_t:s0
> Target Objects                mod_mono_server_global [ sock_file ]
> Source                        mono
> Source Path                   /usr/bin/mono
> Port                          <Unknown>
> Host                          bronze.cdkkt.com
> Source RPM Packages           mono-core-1.9.1-2.fc9
> Target RPM Packages           Policy RPM                   
> selinux-policy-3.3.1-74.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   home_tmp_bad_labels
> Host Name                     bronze.cdkkt.com
> Platform                      Linux bronze.cdkkt.com
> 2.6.25.9-76.fc9.i686 #1 SMP
>                              Fri Jun 27 16:14:35 EDT 2008 i686 i686
> Alert Count                   4
> First Seen                    Thu 10 Jul 2008 10:55:05 AM PDT
> Last Seen                     Fri 11 Jul 2008 07:37:33 AM PDT
> Local ID                      96f5392e-305d-47db-8dc8-93a057a25b0e
> Line Numbers                 
> Raw Audit Messages           
> host=bronze.cdkkt.com type=AVC msg=audit(1215787053.571:36): avc: 
> denied  { create } for  pid=8865 comm="mono"
> name="mod_mono_server_global" scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
> 
> host=bronze.cdkkt.com type=SYSCALL msg=audit(1215787053.571:36):
> arch=40000003 syscall=102 per=400000 success=no exit=-13 a0=2
> a1=bfc83fe0 a2=823b524 a3=4 items=0 ppid=1 pid=8865 auid=4294967295
> uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
> tty=(none) ses=4294967295 comm="mono" exe="/usr/bin/mono"
> subj=system_u:system_r:httpd_t:s0 key=(null)
> 
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You can add policy to allow it by using audit2allow.

Why does mod_mono_server_global create sock files in /tmp instead of
/var/run?  System applications should use /var/run instead of /tmp for
creation of temporary files/sockets.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkh7TSoACgkQrlYvE4MpobM9GgCbBmHdw/z9+Ic0I9FdUwq3Dx9+
sRgAn1kX8XmZFC4dG6OwkfAxP/8f/8VL
=XADA
-----END PGP SIGNATURE-----

More information about the fedora-selinux-list mailing list