#7661 SELinux is preventing /usr/sbin/httpd from getattr access on the file /usr/lib/systemd/system/fedora-domainname.service
Closed: fixed 6 years ago Opened 6 years ago by abbra.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1609475

SELinux is preventing /usr/sbin/httpd from getattr access on the file
/usr/lib/systemd/system/fedora-domainname.service.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that httpd should be allowed getattr access on the
fedora-domainname.service file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -X 300 -i my-httpd.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:systemd_unit_file_t:s0
Target Objects                /usr/lib/systemd/system/fedora-domainname.service
                              [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          host.example.test
Source RPM Packages           httpd-2.4.34-3.fc28.x86_64
Target RPM Packages           initscripts-9.80-1.fc28.x86_64
Policy RPM                    selinux-policy-3.14.1-32.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.test
Platform                      Linux host.example.test 4.17.9-200.fc28.x86_64 #1
                              SMP Mon Jul 23 21:41:29 UTC 2018 x86_64 x86_64
Alert Count                   12
First Seen                    2018-07-28 04:29:12 EDT
Last Seen                     2018-07-28 04:31:02 EDT
Local ID                      5e3ab204-b8c6-4aa4-a783-31a391e13031

Raw Audit Messages
type=AVC msg=audit(1532766662.725:619): avc:  denied  { getattr } for
pid=31754 comm="httpd" path="/usr/lib/systemd/system/fedora-domainname.service"
dev="dm-0" ino=8738822 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1532766662.725:619): arch=x86_64 syscall=stat success=no
exit=EACCES a0=7f323c4f1730 a1=7fffac0f7d00 a2=7fffac0f7d00 a3=7f323c4f1768
items=1 ppid=31744 pid=31754 auid=4294967295 uid=385 gid=385 euid=385 suid=385
fsuid=385 egid=385 sgid=385 fsgid=385 tty=(none) ses=4294967295 comm=httpd
exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

type=CWD msg=audit(1532766662.725:619): cwd=/

type=PATH msg=audit(1532766662.725:619): item=0
name=/usr/lib/systemd/system/fedora-domainname.service inode=8738822 dev=fd:00
mode=0100644 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:systemd_unit_file_t:s0 nametype=NORMAL
cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: httpd,httpd_t,systemd_unit_file_t,file,getattr

Version-Release number of selected component (if applicable):
sh$ rpm -q freeipa-server selinux-policy
freeipa-server-4.7.0-1.fc28.x86_64
selinux-policy-3.14.1-36.fc28.noarch

Metadata Update from @abbra:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1609475

6 years ago

Metadata Update from @cheimes:
- Issue assigned to cheimes

6 years ago

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://pagure.io/freeipa/issue/7661

6 years ago

master:

  • b8528da Refactor os-release and platform information
  • 1c03181 Don't check for systemd service

ipa-4-7:

  • bf66c85 Refactor os-release and platform information
  • 0519c5b Don't check for systemd service

Metadata Update from @tdudlak:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

Log in to comment on this ticket.

Metadata