View Issue Details

IDProjectCategoryView StatusLast Update
0014906CentOS-7selinux-policypublic2018-06-05 22:41
Reporteruser135711 
PrioritynormalSeverityminorReproducibilityhave not tried
Status newResolutionopen 
PlatformOSOS Version7
Product Version 
Target VersionFixed in Version 
Summary0014906: SELinux is preventing /usr/sbin/httpd from 'write' accesses on the directory /etc/httpd.
DescriptionDescription of problem:
Using default httpd should allow correct permissions to apache
SELinux is preventing /usr/sbin/httpd from 'write' accesses on the directory /etc/httpd.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that httpd should be allowed write access on the httpd directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:httpd_config_t:s0
Target Objects /etc/httpd [ dir ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host (removed)
Source RPM Packages httpd-2.4.33-3.codeit.el7.x86_64
Target RPM Packages httpd-filesystem-2.4.33-3.codeit.el7.noarch
Policy RPM selinux-policy-3.13.1-192.el7_5.3.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-862.3.2.el7.x86_64 #1 SMP
                              Mon May 21 23:36:36 UTC 2018 x86_64 x86_64
Alert Count 8
First Seen 2018-06-04 15:23:48 EDT
Last Seen 2018-06-05 00:20:54 EDT
Local ID 9d92c302-5060-4f2c-b2a3-57b8cccbd356

Raw Audit Messages
type=AVC msg=audit(1528172454.125:2464): avc: denied { write } for pid=130015 comm="httpd" name="httpd" dev="dm-0" ino=1589441 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir


type=SYSCALL msg=audit(1528172454.125:2464): arch=x86_64 syscall=open success=no exit=EACCES a0=55efbb47e5f8 a1=80441 a2=1b6 a3=7fffda7d05e0 items=0 ppid=1 pid=130015 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,httpd_config_t,dir,write

Version-Release number of selected component:
selinux-policy-3.13.1-192.el7_5.3.noarch
Additional Informationreporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-862.3.2.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
TagsNo tags attached.
abrt_hashfc42358dc7236448928dd46e88e7181804a99979056af1385459d8d362cf49b1
URL

Activities

TrevorH

TrevorH

2018-06-05 16:01

manager   ~0032015

This doesn't look like a bug, it looks like selinux just saved your a*** from getting hacked to me.
user135711

user135711

2018-06-05 17:11

reporter   ~0032016

Hmm, I've spent the last day trying to get my first apache site to start and was hoping this might be the problem. Another error when starting httpd in centos: Config variable ${APACHE_LOG_DIR} is not defined
I've found hundreds of answers for Ubuntu but I don't know where centos puts envvars so I can't source the file or know how to solve it. Is this a centos issue?
user135711

user135711

2018-06-05 22:41

reporter   ~0032017

I solved the unrelated Config variable not defined by hard coding the error log location. If you think the permissions are correct then close this. It doesn't look like I have permissions to close my issue.

Issue History

Date Modified Username Field Change
2018-06-05 15:55 user135711 New Issue
2018-06-05 16:01 TrevorH Note Added: 0032015
2018-06-05 17:11 user135711 Note Added: 0032016
2018-06-05 22:41 user135711 Note Added: 0032017