SELinux: denied { execute } for pid=2174 comm="httpd" path="/etc/httpd/lib/libaprutil-1.so.0.5.3"
I have problem with SELinux. setroubleshoot
suggested to enable mypol.pp
with semodule -i mypol.pp
so apache could run.
after I run the suggested command, I'm keep getting:
type=AVC msg=audit(1388119964.806:11): avc: denied { execute } for pid=2174 comm="httpd" path="/etc/httpd/lib/libaprutil-1.so.0.5.3" dev=md0 ino=2228931 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
**** Invalid AVC allowed in current policy ***
type=AVC msg=audit(1388120085.792:29): avc: denied { execute } for pid=2298 comm="httpd" path="/etc/httpd/lib/libaprutil-1.so.0.5.3" dev=md0 ino=2228931 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
**** Invalid AVC allowed in current policy ***
type=AVC msg=audit(1388120159.57:37): avc: denied { execute } for pid=2330 comm="httpd" path="/etc/httpd/lib/libaprutil-1.so.0.5.3" dev=md0 ino=2228931 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
**** Invalid AVC allowed in current policy ***
type=AVC msg=audit(1388121088.955:65): avc: denied { name_connect } for pid=2331 comm="httpd" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
**** Invalid AVC allowed in current policy ***
found 0 alerts in /var/log/audit/audit.log
Solution 1:
The below indicates to me you have a relabelling problem.
type=AVC msg=audit(1388119964.806:11): avc: denied { execute } for pid=2174 comm="httpd" path="/etc/httpd/lib/libaprutil-1.so.0.5.3" dev=md0 ino=2228931 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file
Is /etc/httpd/lib
a symlink to somewhere else? Normally you wouldn't put your libraries here, but only as a symlink. If so running restorecon -Rv /usr/lib{,64}
might be beneficial here.
For the second issue reported below to work you need to ensure SELinux is aware what kind of behaviour you expect from your httpd service.
type=AVC msg=audit(1388121088.955:65): avc: denied { name_connect } for pid=2331 comm="httpd" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
Enable the boolean httpd_can_network_relay
by running setsebool -P httpd_can_network_relay 1
.
Solution 2:
I don't know about the
**** Invalid AVC allowed in current policy ***
message but we have a Q&A about it here already
Running the text you provide through audit2allow suggests
#============= httpd_t ==============
allow httpd_t http_cache_port_t:tcp_socket name_connect;
allow httpd_t httpd_config_t:file execute;
so you could try using grep to pull out the relevant AVC denied messages to a temporary file then pass it to audit2allow
grep denied: audit.log | grep httpd >temp.log
cat temp.log | audit2allow -M myHTTPD
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i myHTTPD.pp
After installing the myHTTPD.pp you may still find that SElinux stops httpd from starting. This is because earlier (now allowed) denies are no longer masking the later ones. Just repeat the process above each time.