View Issue Details

IDProjectCategoryView StatusLast Update
0016781CentOS-7selinux-policypublic2019-11-28 17:57
PrioritynormalSeverityminorReproducibilityhave not tried
Status closedResolutionwon't fix 
PlatformOSOS Version7
Product Version 
Target VersionFixed in Version 
Summary0016781: SELinux is preventing /usr/sbin/httpd from 'getattr' accesses on the file /etc/shadow.
DescriptionDescription of problem:
SELinux is preventing /usr/sbin/httpd from 'getattr' accesses on the file /etc/shadow.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that httpd should be allowed getattr access on the shadow file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c '/usr/sbin/httpd' --raw | audit2allow -M my-usrsbinhttpd
# semodule -i my-usrsbinhttpd.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:shadow_t:s0
Target Objects /etc/shadow [ file ]
Source /usr/sbin/httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host (removed)
Source RPM Packages httpd-2.4.6-90.el7.centos.x86_64
Target RPM Packages setup-2.8.71-10.el7.noarch
Policy RPM selinux-policy-3.13.1-252.el7.1.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.10.0-1062.4.1.el7.x86_64 #1 SMP
                              Fri Oct 18 17:15:30 UTC 2019 x86_64 x86_64
Alert Count 2
First Seen 2019-11-28 22:28:35 IST
Last Seen 2019-11-28 22:28:50 IST
Local ID 9ef2da19-75cd-4d9a-96d6-8149f309c6eb

Raw Audit Messages
type=AVC msg=audit(1574960330.621:367): avc: denied { getattr } for pid=2811 comm="/usr/sbin/httpd" path="/etc/shadow" dev="dm-0" ino=68425652 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1574960330.621:367): arch=x86_64 syscall=fstat success=no exit=EACCES a0=a a1=7ffd4b047030 a2=7ffd4b047030 a3=0 items=0 ppid=1 pid=2811 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=/usr/sbin/httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: /usr/sbin/httpd,httpd_t,shadow_t,file,getattr

Version-Release number of selected component:
Additional Informationreporter: libreport-
hashmarkername: setroubleshoot
kernel: 3.10.0-1062.4.1.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport
TagsNo tags attached.




2019-11-28 17:57

manager   ~0035777

This is not a bug but you should look at what your system is doing. I can think of no circumstances under which I would want apache httpd to be trying to read /etc/shadow. It sounds extremely suspicious.

Issue History

Date Modified Username Field Change
2019-11-28 17:38 rakesh4osdd New Issue
2019-11-28 17:57 TrevorH Status new => closed
2019-11-28 17:57 TrevorH Resolution open => won't fix
2019-11-28 17:57 TrevorH Note Added: 0035777