#7661 SELinux is preventing /usr/sbin/httpd from getattr access on the file /usr/lib/systemd/system/fedora-domainname.service
Closed: fixed 5 years ago Opened 5 years ago by abbra.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1609475

SELinux is preventing /usr/sbin/httpd from getattr access on the file
/usr/lib/systemd/system/fedora-domainname.service.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that httpd should be allowed getattr access on the
fedora-domainname.service file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -X 300 -i my-httpd.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:systemd_unit_file_t:s0
Target Objects                /usr/lib/systemd/system/fedora-domainname.service
                              [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          host.example.test
Source RPM Packages           httpd-2.4.34-3.fc28.x86_64
Target RPM Packages           initscripts-9.80-1.fc28.x86_64
Policy RPM                    selinux-policy-3.14.1-32.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.test
Platform                      Linux host.example.test 4.17.9-200.fc28.x86_64 #1
                              SMP Mon Jul 23 21:41:29 UTC 2018 x86_64 x86_64
Alert Count                   12
First Seen                    2018-07-28 04:29:12 EDT
Last Seen                     2018-07-28 04:31:02 EDT
Local ID                      5e3ab204-b8c6-4aa4-a783-31a391e13031

Raw Audit Messages
type=AVC msg=audit(1532766662.725:619): avc:  denied  { getattr } for
pid=31754 comm="httpd" path="/usr/lib/systemd/system/fedora-domainname.service"
dev="dm-0" ino=8738822 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1532766662.725:619): arch=x86_64 syscall=stat success=no
exit=EACCES a0=7f323c4f1730 a1=7fffac0f7d00 a2=7fffac0f7d00 a3=7f323c4f1768
items=1 ppid=31744 pid=31754 auid=4294967295 uid=385 gid=385 euid=385 suid=385
fsuid=385 egid=385 sgid=385 fsgid=385 tty=(none) ses=4294967295 comm=httpd
exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

type=CWD msg=audit(1532766662.725:619): cwd=/

type=PATH msg=audit(1532766662.725:619): item=0
name=/usr/lib/systemd/system/fedora-domainname.service inode=8738822 dev=fd:00
mode=0100644 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:systemd_unit_file_t:s0 nametype=NORMAL
cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: httpd,httpd_t,systemd_unit_file_t,file,getattr

Version-Release number of selected component (if applicable):
sh$ rpm -q freeipa-server selinux-policy
freeipa-server-4.7.0-1.fc28.x86_64
selinux-policy-3.14.1-36.fc28.noarch

Metadata Update from @abbra:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1609475

5 years ago

Metadata Update from @cheimes:
- Issue assigned to cheimes

5 years ago

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://pagure.io/freeipa/issue/7661

5 years ago

master:

  • b8528da Refactor os-release and platform information
  • 1c03181 Don't check for systemd service

ipa-4-7:

  • bf66c85 Refactor os-release and platform information
  • 0519c5b Don't check for systemd service

Metadata Update from @tdudlak:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago
