Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1609477
SELinux is preventing /usr/sbin/httpd from write access on the directory /etc/httpd/alias/.

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label.
/etc/httpd/alias/ default label should be cert_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /etc/httpd/alias/

***** Plugin catchall (1.49 confidence) suggests **************************

If you believe that httpd should be allowed write access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -X 300 -i my-httpd.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:httpd_config_t:s0
Target Objects                /etc/httpd/alias/ [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          host.example.test
Source RPM Packages           httpd-2.4.34-3.fc28.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.14.1-32.fc28.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     host.example.test
Platform                      Linux host.example.test 4.17.9-200.fc28.x86_64 #1 SMP Mon Jul 23 21:41:29 UTC 2018 x86_64 x86_64
Alert Count                   12
First Seen                    2018-07-28 04:29:12 EDT
Last Seen                     2018-07-28 04:31:02 EDT
Local ID                      3c279d02-7842-42b0-848e-fc8fb766be4d

Raw Audit Messages
type=AVC msg=audit(1532766662.216:613): avc: denied { write } for pid=31744 comm="httpd" name="alias" dev="dm-0" ino=554522 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=0

type=SYSCALL msg=audit(1532766662.216:613): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffff9c a1=558a0dae3ea5 a2=800c1 a3=180 items=1 ppid=1 pid=31744 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

type=CWD msg=audit(1532766662.216:613): cwd=/

type=PATH msg=audit(1532766662.216:613): item=0 name=/etc/httpd/alias/ inode=554522 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:httpd_config_t:s0 nametype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: httpd,httpd_t,httpd_config_t,dir,write
Metadata Update from @abbra: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1609477
Metadata Update from @twoerner: - Issue assigned to twoerner
Here is the pull request: https://github.com/freeipa/freeipa/pull/2198
master:
Metadata Update from @twoerner: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
ipa-4-7: