From 40c510d1f0e1bed46067a0f8bcf2a64643a8c77e Mon Sep 17 00:00:00 2001 
From: Miroslav Suchý Date: Jan 02 2014 19:33:15 +0000 Subject: [selinux] allow httpd to search addressing on backend: type=AVC msg=audit(1387251546.943:10389): avc: denied { search } for pid=542 comm="lighttpd" name="langdon" dev="vdb1" ino=16777224 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:copr_data_t:s0 tclass=dir type=AVC msg=audit(1387273219.978:10532): avc: denied { search } for pid=542 comm="lighttpd" name="sergiopr" dev="vdb1" ino=17564261 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:copr_data_t:s0 tclass=dir type=AVC msg=audit(1387275348.414:10561): avc: denied { search } for pid=542 comm="lighttpd" name="tflink" dev="vdb1" ino=17433025 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:copr_data_t:s0 tclass=dir type=AVC msg=audit(1387278164.848:10585): avc: denied { search } for pid=542 comm="lighttpd" name="remi" dev="vdb1" ino=16777230 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:copr_data_t:s0 tclass=dir type=AVC msg=audit(1387285183.471:10630): avc: denied { search } for pid=542 comm="lighttpd" name="sgallagh" dev="vdb1" ino=18219434 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:copr_data_t:s0 tclass=dir type=SYSCALL msg=audit(1387285183.471:10630): arch=c000003e syscall=4 success=no exit=-2 a0=81f570 a1=7fff9332dae0 a2=7fff9332dae0 a3=798e00 items=0 ppid=1 pid=542 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 ses=4294967295 tty=(none) comm="lighttpd" exe="/usr/sbin/lighttpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1387289456.148:10858): avc: denied { search } for pid=542 comm="lighttpd" name="mstuchli" dev="vdb1" ino=17696341 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:copr_data_t:s0 tclass=dir type=AVC msg=audit(1387291992.816:10929): avc: denied { search } for pid=542 comm="lighttpd" name="fabiand" dev="vdb1" ino=16777219 
scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:copr_data_t:s0 tclass=dir type=AVC msg=audit(1387310505.377:11106): avc: denied { search } for pid=542 comm="lighttpd" name="sgallagh" dev="vdb1" ino=18219434 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:copr_data_t:s0 tclass=dir type=SYSCALL msg=audit(1387310505.377:11106): arch=c000003e syscall=4 success=no exit=-2 a0=80b660 a1=7fff9332dae0 a2=7fff9332dae0 a3=7f3edeacfc90 items=0 ppid=1 pid=542 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 ses=4294967295 tty=(none) comm="lighttpd" exe="/usr/sbin/lighttpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1387314322.000:11177): avc: denied { search } for pid=542 comm="lighttpd" name="msuchy" dev="vdb1" ino=16777227 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:copr_data_t:s0 tclass=dir type=AVC msg=audit(1387363436.716:12870): avc: denied { search } for pid=542 comm="lighttpd" name="howcanuhavemyusername" dev="vdb1" ino=17432721 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:copr_data_t:s0 tclass=dir type=AVC msg=audit(1387371840.433:13028): avc: denied { search } for pid=542 comm="lighttpd" name="timlau" dev="vdb1" ino=16908683 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:copr_data_t:s0 tclass=dir type=AVC msg=audit(1387375455.291:13099): avc: denied { search } for pid=542 comm="lighttpd" name="james" dev="vdb1" ino=16777221 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:copr_data_t:s0 tclass=dir type=SYSCALL msg=audit(1387375455.291:13099): arch=c000003e syscall=4 success=no exit=-2 a0=8284a0 a1=7fff9332dae0 a2=7fff9332dae0 a3=7f3edead0140 items=0 ppid=1 pid=542 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 ses=4294967295 tty=(none) comm="lighttpd" exe="/usr/sbin/lighttpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC 
msg=audit(1387399498.354:13184): avc: denied { search } for pid=542 comm="lighttpd" name="howcanuhavemyusername" dev="vdb1" ino=17432721 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:copr_data_t:s0 tclass=dir type=AVC msg=audit(1387400858.527:13234): avc: denied { search } for pid=542 comm="lighttpd" name="howcanuhavemyusername" dev="vdb1" ino=17432721 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:copr_data_t:s0 tclass=dir type=AVC msg=audit(1387402326.759:13277): avc: denied { search } for pid=542 comm="lighttpd" name="timlau" dev="vdb1" ino=16908683 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:copr_data_t:s0 tclass=dir type=AVC msg=audit(1387403177.681:13322): avc: denied { search } for pid=542 comm="lighttpd" name="howcanuhavemyusername" dev="vdb1" ino=17432721 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:copr_data_t:s0 tclass=dir type=AVC msg=audit(1387424738.437:14921): avc: denied { search } for pid=542 comm="lighttpd" name="fabiand" dev="vdb1" ino=16777219 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:copr_data_t:s0 tclass=dir type=SYSCALL msg=audit(1387424738.437:14921): arch=c000003e syscall=4 success=no exit=-2 a0=81e230 a1=7fff9332db20 a2=7fff9332db20 a3=7f3edead0410 items=0 ppid=1 pid=542 auid=4294967295 uid=998 gid=997 euid=998 suid=998 fsuid=998 egid=997 sgid=997 fsgid=997 ses=4294967295 tty=(none) comm="lighttpd" exe="/usr/sbin/lighttpd" subj=system_u:system_r:httpd_t:s0 key=(null)
---
diff --git a/selinux/copr.te b/selinux/copr.te
index ba7eb17..c110b3b 100644
--- a/selinux/copr.te
+++ b/selinux/copr.te
@@ -21,6 +21,5 @@ type copr_httpd_log_t;
 logging_log_file(copr_httpd_log_t);
 #============= httpd_t ==============
-allow httpd_t copr_data_t:dir { write getattr read remove_name open add_name create rmdir};
+allow httpd_t copr_data_t:dir { write getattr read remove_name open add_name create rmdir search};
 allow httpd_t copr_data_t:file { rename write getattr read create open lock unlink};
-
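Review bot: The `copr_data_t:dir` rule remains a hand-maintained permission list extended one denial at a time, so it still lacks `lock` and `ioctl`, which the reference policy groups with `search` in `list_dir_perms`. Consider expressing the read side as `allow httpd_t copr_data_t:dir list_dir_perms;` and moving `write add_name remove_name create rmdir` to a separate rule whose comment names the process that needs them. Every AVC record quoted in the commit message is a `search` by lighttpd, so nothing here shows that the web server itself has to modify these directories. Since `httpd_t` applies to any web-server process confined in that domain, the write access on the same line is worth confirming rather than carrying forward. A short comment above the rule, such as `# lighttpd (httpd_t) needs search to traverse copr_data_t directories`, would record why the permission was added.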