SELinux: denied { execute } for pid=2174 comm="httpd" path="/etc/httpd/lib/libaprutil-1.so.0.5.3"

I have problem with SELinux. setroubleshoot suggested to enable mypol.pp with semodule -i mypol.pp so apache could run.

after I run the suggested command, I'm keep getting:

type=AVC msg=audit(1388119964.806:11): avc:  denied  { execute } for  pid=2174 comm="httpd" path="/etc/httpd/lib/libaprutil-1.so.0.5.3" dev=md0 ino=2228931 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file

**** Invalid AVC allowed in current policy ***

type=AVC msg=audit(1388120085.792:29): avc:  denied  { execute } for  pid=2298 comm="httpd" path="/etc/httpd/lib/libaprutil-1.so.0.5.3" dev=md0 ino=2228931 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file

**** Invalid AVC allowed in current policy ***

type=AVC msg=audit(1388120159.57:37): avc:  denied  { execute } for  pid=2330 comm="httpd" path="/etc/httpd/lib/libaprutil-1.so.0.5.3" dev=md0 ino=2228931 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file

**** Invalid AVC allowed in current policy ***

type=AVC msg=audit(1388121088.955:65): avc:  denied  { name_connect } for  pid=2331 comm="httpd" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

**** Invalid AVC allowed in current policy ***

found 0 alerts in /var/log/audit/audit.log

Solution 1:

The below indicates to me you have a relabelling problem.

type=AVC msg=audit(1388119964.806:11): avc: denied { execute } for pid=2174 comm="httpd" path="/etc/httpd/lib/libaprutil-1.so.0.5.3" dev=md0 ino=2228931 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file

Is /etc/httpd/lib a symlink to somewhere else? Normally you wouldn't put your libraries here, but only as a symlink. If so running restorecon -Rv /usr/lib{,64} might be beneficial here.

For the second issue reported below to work you need to ensure SELinux is aware what kind of behaviour you expect from your httpd service.

type=AVC msg=audit(1388121088.955:65): avc: denied { name_connect } for pid=2331 comm="httpd" dest=8080 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket

Enable the boolean httpd_can_network_relay by running setsebool -P httpd_can_network_relay 1.

Solution 2:

I don't know about the **** Invalid AVC allowed in current policy *** message but we have a Q&A about it here already

Running the text you provide through audit2allow suggests

#============= httpd_t ==============

allow httpd_t http_cache_port_t:tcp_socket name_connect;
allow httpd_t httpd_config_t:file execute;

so you could try using grep to pull out the relevant AVC denied messages to a temporary file then pass it to audit2allow

grep denied: audit.log | grep httpd >temp.log

cat temp.log | audit2allow -M myHTTPD
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i myHTTPD.pp

After installing the myHTTPD.pp you may still find that SElinux stops httpd from starting. This is because earlier (now allowed) denies are no longer masking the later ones. Just repeat the process above each time.