raytracy
Basic Pleskian
Onyx 17.5 Update#11 + CentOS 7.3 + SELinux enabled.
I found the following message flooding every day in /var/log/message:
===========================
SELinux is preventing httpd from 'read, write' accesses on the file /var/asl/data/updates-data.#012#012***** Plugin catchall_labels (83.8 confidence) suggests *******************#012#012If you want to allow httpd to have read write access on the updates-data file#012Then you need to change the label on /var/asl/data/updates-data#012Do#012# semanage fcontext -a -t FILE_TYPE '/var/asl/data/updates-data'#012where FILE_TYPE is one of the following: abrt_retrace_spool_t, afs_cache_t, anon_inodefs_t, apcupsd_cgi_rw_content_t, awstats_rw_content_t, bugzilla_rw_content_t, collectd_rw_content_t, cvs_rw_content_t, dirsrv_config_t, dirsrv_var_log_t, dirsrv_var_run_t, dirsrvadmin_config_t, dirsrvadmin_rw_content_t, dirsrvadmin_tmp_t, dspam_rw_content_t, git_rw_content_t, httpd_cache_t, httpd_lock_t, httpd_log_t, httpd_squirrelmail_t, httpd_sys_content_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_tmp_t, httpd_tmpfs_t, httpd_user_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_var_lib_t, httpd_var_run_t, hugetlbfs_t, initrc_tmp_t, jetty_cache_t, jetty_log_t, jetty_var_lib_t, jetty_var_run_t, keystone_cgi_rw_content_t, krb5_host_rcache_t, mail_spool_t, man2html_rw_content_t, mediawiki_rw_content_t, mirrormanager_var_run_t, mojomojo_rw_content_t, munin_rw_content_t, mythtv_rw_content_t, nagios_rw_content_t, nutups_cgi_rw_content_t, openshift_rw_content_t, passenger_tmp_t, passenger_var_run_t, pki_ra_etc_rw_t, pki_ra_log_t, pki_ra_var_lib_t, pki_tps_etc_rw_t, pki_tps_log_t, pki_tps_var_lib_t, postfix_spool_t, prewikka_rw_content_t, puppet_tmp_t, security_t, smokeping_cgi_rw_content_t, squid_rw_content_t, squirrelmail_spool_t, systemd_passwd_var_run_t, user_cron_spool_t, var_run_t, w3c_validator_rw_content_t, webalizer_rw_content_t, zarafa_var_lib_t, zoneminder_rw_content_t, zoneminder_var_lib_t.#012Then execute:#012restorecon -v '/var/asl/data/updates-data'#012#012#012***** Plugin catchall (17.1 confidence) suggests 
**************************#012#012If you believe that httpd should be allowed read write access on the updates-data file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'httpd' --raw | audit2allow -M my-httpd#012# semodule -i my-httpd.pp#012
============================
It looks like it can be fixed via semanage fcontext -a -t FILE_TYPE '/var/asl/data/updates-data' and then running restorecon on it, but I don't know what the correct FILE_TYPE is.
This file labeled as:
ls -Z /var/asl/data/updates-data
-rw-------. root root system_u:object_r:var_t:s0 /var/asl/data/updates-data
By the way, I have 3 hosts with the same installation, all updated to #11, but only this host has the SELinux problem. Is there anything I should be aware of or fix?
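An added example, not part of the original post: a small Python parser that decodes the `#012` escapes in the setroubleshoot alert quoted above and collapses a flood of such lines into one count per denial. The function names are hypothetical and `SAMPLE` is a constructed, shortened copy of the quoted alert with the long type list cut out.

```python
import re
from collections import Counter

_ESCAPE = re.compile(r"#([0-7]{3})")
_HEAD = re.compile(r"SELinux is preventing (\S+) from '?(.+?)'? access(?:es)? "
                   r"on the (\w+) (.+?)\.?$")
_PLUGIN = re.compile(r"Plugin (\w+) \(([\d.]+) confidence\)")

def decode(msg):
    """rsyslog writes control characters as '#' + three octal digits (#012 = newline); undo that."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), msg)

def parse(msg):
    """Return the denial's fields, or None if the line is not a setroubleshoot alert."""
    lines = decode(msg).split("\n")
    head = _HEAD.search(lines[0].strip())  # search() tolerates a syslog timestamp/host prefix
    if not head:
        return None
    source, access, tclass, target = head.groups()
    return {
        "source": source,
        "access": [a.strip() for a in access.split(",")],
        "class": tclass,
        "target": target,
        "plugins": [(n, float(c)) for n, c in _PLUGIN.findall("\n".join(lines))],
        "commands": [l[2:] for l in lines if l.startswith("# ")],
    }

def summarize(messages):
    """Collapse a flood of alerts into counts per (source, access, target)."""
    counts = Counter()
    for msg in messages:
        d = parse(msg)
        if d:
            counts[(d["source"], ",".join(d["access"]), d["target"])] += 1
    return counts

# Constructed sample: the alert quoted in the post, with the long type list cut out.
SAMPLE = (
    "SELinux is preventing httpd from 'read, write' accesses on the file /var/asl/data/updates-data.#012#012"
    "***** Plugin catchall_labels (83.8 confidence) suggests *******************#012#012"
    "Do#012# semanage fcontext -a -t FILE_TYPE '/var/asl/data/updates-data'#012"
    "Then execute:#012restorecon -v '/var/asl/data/updates-data'#012#012#012"
    "***** Plugin catchall (17.1 confidence) suggests **************************#012#012"
    "Do#012allow this access for now by executing:#012"
    "# ausearch -c 'httpd' --raw | audit2allow -M my-httpd#012# semodule -i my-httpd.pp#012"
)

if __name__ == "__main__":
    print(summarize([SAMPLE, SAMPLE, "unrelated line"]))
```

Running `summarize` over the alerts from each of the three hosts shows whether the same source, access and target triple appears on all of them or only on one.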