top - 18:39:29 up 219 days, 3:26, 25 users, load average: 1.10, 0.84, 0.90
Tasks: 307 total, 2 running, 305 sleeping, 0 stopped, 0 zombie
%Cpu(s): 82.7 us, 17.2 sy, 0.0 ni, 0.2 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem : 1875896 total, 131120 free, 547016 used, 1197760 buff/cache
KiB Swap: 2113532 total, 1062976 free, 1050556 used. 907248 avail Mem
Unknown command - try 'h' for help
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
28081 root 20 0 277012 56836 9252 R 96.1 3.0 0:06.34 setroubles+
28006 jdoe 20 0 146260 2136 1360 R 2.3 0.1 0:01.09 top
5694 ann 20 0 25876 2288 968 S 1.6 0.1 26:26.01 netmesh
13 root 20 0 0 0 0 S 0.7 0.0 567:58.16 rcu_sched
729 dbus 20 0 72724 3236 716 S 0.7 0.2 184:40.56 dbus-daemon
26447 jdoe 20 0 147208 2208 920 S 0.7 0.1 0:00.76 sshd
32091 mysql 20 0 1366968 40908 5320 S 0.7 2.2 65:39.21 mysqld
14 root 20 0 0 0 0 S 0.3 0.0 222:46.07 rcuos/0
15 root 20 0 0 0 0 S 0.3 0.0 191:33.18 rcuos/1
705 root 20 0 19152 308 228 S 0.3 0.0 47:05.58 irqbalance
2795 root 20 0 257536 1184 760 S 0.3 0.1 11:46.69 upowerd
32066 polkitd 20 0 517960 1652 972 S 0.3 0.1 6:29.26 polkitd
1 root 20 0 194888 8096 2808 S 0.0 0.4 134:51.15 systemd
2 root 20 0 0 0 0 S 0.0 0.0 1:11.66 kthreadd
3 root 20 0 0 0 0 S 0.0 0.0 2:47.23 ksoftirqd/0
5 root 0 -20 0 0 0 S 0.0 0.0 0:00.00 kworker/0:+
7 root rt 0 0 0 0 S 0.0 0.0 6:14.49 migration/0
When I used the ausearch command to query the audit daemon logs for entries that might have been created by setroubleshootd, I saw the following:
# ausearch -m avc | tail
----
time->Sat Apr 16 18:00:05 2016
type=SYSCALL msg=audit(1460844005.621:12701188): arch=c000003e syscall=2 success=yes exit=28 a0=7f7781159d58 a1=80000 a2=1b6 a3=632f656863696e72 items=0 ppid=24450 pid=18144 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1460844005.621:12701188): avc: denied { open } for pid=18144 comm="httpd" path="/home/ann/public_html/ourplace/cometchat/.htaccess" dev="dm-4" ino=22805345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1460844005.621:12701188): avc: denied { read } for pid=18144 comm="httpd" name=".htaccess" dev="dm-4" ino=22805345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
One of the websites on the server uses CometChat with Simple Machines Forum (SMF) to provide an online chat feature for users of the site's forum. The referenced .htaccess file resides under the cometchat directory beneath the user's forum software directory. The server runs Security-Enhanced Linux (SELinux), though in "permissive" mode, in which denials are logged rather than enforced; that is why setroubleshootd was running and those audit log entries were created.
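The two AVC records above are what a labeling problem looks like in the raw audit log: the same source type (httpd_t) denied again and again on a target whose type is unlabeled_t. As an added example, not code from the original page, here is a small Python parser that reads ausearch-style records, groups denials by the same (source type, target type, class, permission) tuple that setroubleshoot prints on its "Hash:" line, and flags targets of type unlabeled_t as candidates for relabeling rather than for a new allow rule. The sample records are the page's, with the terminal line wrapping rejoined; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the three records of one audit event, in the shape that
# `ausearch -m avc` printed on the page (the terminal's line wrapping rejoined).
SAMPLE_AUDIT = """\
time->Sat Apr 16 18:00:05 2016
type=SYSCALL msg=audit(1460844005.621:12701188): arch=c000003e syscall=2 success=yes exit=28 a0=7f7781159d58 a1=80000 a2=1b6 a3=632f656863696e72 items=0 ppid=24450 pid=18144 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1460844005.621:12701188): avc: denied { open } for pid=18144 comm="httpd" path="/home/ann/public_html/ourplace/cometchat/.htaccess" dev="dm-4" ino=22805345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1460844005.621:12701188): avc: denied { read } for pid=18144 comm="httpd" name=".htaccess" dev="dm-4" ino=22805345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
"""

# An AVC record: 'avc:  denied  { perm perm } for key=value key="value" ...'.
# Real auditd output uses double spaces; the pattern accepts either.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Third field of user:role:type[:level]; the type is what policy rules key on."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': tuple(sorted(m.group('perms').split())),
        'comm': fields.get('comm'),
        'stype': context_type(fields.get('scontext', '')),
        'ttype': context_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass'),
        # the open record carries the full path; the read record carries only the basename
        'target': fields.get('path') or fields.get('name'),
    }


def summarize_denials(lines):
    """Group denials by (source type, target type, class, permission), the same
    tuple setroubleshoot prints on its "Hash:" line, and collect the audit event
    serials and targets seen for each group."""
    groups = defaultdict(lambda: {'events': set(), 'targets': set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        for perm in rec['perms']:
            g = groups[(rec['stype'], rec['ttype'], rec['tclass'], perm)]
            g['events'].add(rec['serial'])
            g['targets'].add(rec['target'])
    return dict(groups)


def mislabeled_targets(groups):
    """Targets whose type is unlabeled_t. A denial against unlabeled_t points at
    a file with no policy-assigned label, which is fixed by relabeling
    (semanage fcontext + restorecon), not by writing an allow rule for it."""
    return sorted({t for (_, ttype, _, _), g in groups.items()
                   if ttype == 'unlabeled_t' for t in g['targets']})


if __name__ == '__main__':
    groups = summarize_denials(SAMPLE_AUDIT.splitlines())
    for (stype, ttype, tclass, perm), g in sorted(groups.items()):
        print(f"{stype} -> {ttype} {tclass} {perm}: {len(g['events'])} event(s), "
              f"targets {sorted(g['targets'])}")
    print("mislabeled:", mislabeled_targets(groups))
```

Run it against a real `ausearch -m avc` capture to get a per-permission count; a large event count on a single unlabeled_t target, as on this server, is the signature of a file that simply needs its label restored.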
I also checked the /var/log/messages file and saw entries like the following ones:
# grep cometchat /var/log/messages | tail
# semanage fcontext -a -t FILE_TYPE '/home/ann/public_html/ourplace/cometchat/.htaccess'
restorecon -v '/home/ann/public_html/ourplace/cometchat/.htaccess'
Apr 16 18:00:41 greendragon setroubleshoot: failed to retrieve rpm info for /home/ann/public_html/ourplace/cometchat/.htaccess
Apr 16 18:00:43 greendragon setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file /home/ann/public_html/ourplace/cometchat/.htaccess. For complete SELinux messages. run sealert -l 4665f463-f450-488c-8ca0-52f6e83e6b05
Apr 16 18:00:43 greendragon python: SELinux is preventing /usr/sbin/httpd from read access on the file /home/ann/public_html/ourplace/cometchat/.htaccess.
/home/ann/public_html/ourplace/cometchat/.htaccess default label should be httpd_user_htaccess_t.
# /sbin/restorecon -v /home/ann/public_html/ourplace/cometchat/.htaccess
Then you need to change the label on /home/ann/public_html/ourplace/cometchat/.htaccess
# semanage fcontext -a -t FILE_TYPE '/home/ann/public_html/ourplace/cometchat/.htaccess'
restorecon -v '/home/ann/public_html/ourplace/cometchat/.htaccess'
#
The message "setroubleshoot: failed to retrieve rpm info for" is just an informational message from setroubleshoot indicating that the file it references didn't come from an RPM package. The message below, however, points to a way to obtain further information on the issue logged for the cometchat/.htaccess file:
Apr 16 18:00:43 greendragon setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file /home/ann/public_html/ourplace/cometchat/.htaccess. For complete SELinux messages. run sealert -l 4665f463-f450-488c-8ca0-52f6e83e6b05
I checked on the number of references in /var/log/messages to the cometchat/.htaccess file and found there were tens of thousands of entries related to the file:
# grep --count 'cometchat/.htaccess' /var/log/messages
32113
When I checked the first entry in the log file, I found that it was logged about five days ago:
# head -1 /var/log/messages
Apr 11 03:40:09 greendragon dbus[729]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper
So in less than a week, over thirty-two thousand such entries were logged.
I ran sealert -l with the alert number specified in reference to the cometchat/.htaccess file:
# sealert -l 4665f463-f450-488c-8ca0-52f6e83e6b05
SELinux is preventing /usr/sbin/httpd from read access on the file /home/ann/public_html/ourplace/cometchat/.htaccess.
***** Plugin restorecon (94.8 confidence) suggests ************************
If you want to fix the label.
/home/ann/public_html/ourplace/cometchat/.htaccess default label should be httpd_user_htaccess_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /home/ann/public_html/ourplace/cometchat/.htaccess
***** Plugin catchall_labels (5.21 confidence) suggests *******************
If you want to allow httpd to have read access on the .htaccess file
Then you need to change the label on /home/ann/public_html/ourplace/cometchat/.htaccess
Do
# semanage fcontext -a -t FILE_TYPE '/home/ann/public_html/ourplace/cometchat/.htaccess'
where FILE_TYPE is one of the following: NetworkManager_exec_t, NetworkManager_tmp_t, abrt_dump_oops_exec_t, abrt_etc_t, abrt_exec_t, abrt_handle_event_exec_t, abrt_helper_exec_t, abrt_retrace_coredump_exec_t, abrt_retrace_spool_t, abrt_retrace_worker_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t, accountsd_exec_t, acct_exec_t, admin_crontab_tmp_t, admin_passwd_exec_t, afs_cache_t, aide_exec_t, alsa_exec_t, alsa_tmp_t, amanda_exec_t, amanda_recover_exec_t, amanda_tmp_t, amtu_exec_t, anacron_exec_t, anon_inodefs_t, antivirus_exec_t, antivirus_tmp_t, apcupsd_cgi_content_t, apcupsd_cgi_htaccess_t, apcupsd_cgi_ra_content_t, apcupsd_cgi_rw_content_t, apcupsd_cgi_script_exec_t, apcupsd
<text snipped>
Then execute:
restorecon -v '/home/ann/public_html/ourplace/cometchat/.htaccess'
***** Plugin catchall (1.44 confidence) suggests **************************
If you believe that httpd should be allowed read access on the .htaccess file by
default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:unlabeled_t:s0
Target Objects /home/ann/public_html/ourplace/cometchat/.htaccess
[ file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages httpd-2.4.6-31.el7.centos.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-23.el7_1.8.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name greendragon
Platform Linux greendragon 3.10.0-229.7.2.el7.x86_64 #1 SMP
Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64
Alert Count 141
First Seen 2016-04-16 02:31:06 EDT
Last Seen 2016-04-16 18:10:05 EDT
Local ID 4665f463-f450-488c-8ca0-52f6e83e6b05
Raw Audit Messages
type=AVC msg=audit(1460844605.85:12701374): avc: denied { read } for
pid=22642 comm="httpd" name=".htaccess" dev="dm-4" ino=22805345
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0
tclass=file
type=AVC msg=audit(1460844605.85:12701374): avc: denied { open } for
pid=22642 comm="httpd" path="/home/ann/public_html/ourplace/cometchat/.htaccess"
dev="dm-4" ino=22805345 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1460844605.85:12701374): arch=x86_64 syscall=open
success=yes exit=ENOSPC a0=7f77810b46b8 a1=80000 a2=1b6 a3=632f656863696e72
items=0 ppid=24450 pid=22642 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd
exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: httpd,httpd_t,unlabeled_t,file,read
I checked the security context of the referenced file with ls -Z:
# ls -Z /home/ann/public_html/ourplace/cometchat/.htaccess
-rw-rw-r--. ann apache system_u:object_r:unlabeled_t:s0 /home/ann/public_html/ourplace/cometchat/.htaccess
The suggested fix for the problem in the log entries was to run the following commands:
# semanage fcontext -a -t FILE_TYPE '/home/ann/public_html/ourplace/cometchat/.htaccess'
restorecon -v '/home/ann/public_html/ourplace/cometchat/.htaccess'
Files and directories under /var/www that the Apache web server is meant to serve carry the SELinux type httpd_sys_content_t, as I saw when I checked /var/www/html and the /var/www/html/index.html file within it on the same system.
# ls -Z /var/www/html/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
# ls -dZ /var/www/html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html
So that is the SELinux type I specified for FILE_TYPE when I ran the semanage command. You can get help information for the fcontext argument to semanage by issuing the command semanage fcontext --help:
# semanage fcontext --help
usage: semanage fcontext [-h] [-n] [-N] [-S STORE] [ --add ( -t TYPE -f FTYPE -r RANGE -s SEUSER | -e EQUAL ) FILE_SPEC ) | --delete ( -t TYPE -f FTYPE | -e EQUAL ) FILE_SPEC ) | --deleteall | --extract | --list -C | --modify ( -t TYPE -f FTYPE -r RANGE -s SEUSER | -e EQUAL ) FILE_SPEC ) ]
positional arguments:
file_spec file_spec
optional arguments:
-h, --help show this help message and exit
-C, --locallist List fcontext local customizations
-n, --noheading Do not print heading when listing fcontext object
types
-N, --noreload Do not reload policy after commit
-S STORE, --store STORE
Select an alternate SELinux Policy Store to manage
-a, --add Add a record of the fcontext object type
-d, --delete Delete a record of the fcontext object type
-m, --modify Modify a record of the fcontext object type
-l, --list List records of the fcontext object type
-E, --extract Extract customizable commands, for use within a
transaction
-D, --deleteall Remove all fcontext objects local customizations
-e EQUAL, --equal EQUAL
Substitute target path with sourcepath when generating
default label. This is used with fcontext. Requires
source and target path arguments. The context labeling
for the target subtree is made equivalent to that
defined for the source.
-f {a,f,d,c,b,s,l,p}, --ftype {a,f,d,c,b,s,l,p}
File Type. This is used with fcontext. Requires a file
type as shown in the mode field by ls, e.g. use -d to
match only directories or -- to match only regular
files. The following file type options can be passed:
-- (regular file),-d (directory),-c (character
device), -b (block device),-s (socket),-l (symbolic
link),-p (named pipe) If you do not specify a file
type, the file type will default to "all files".
-s SEUSER, --seuser SEUSER
SELinux user name
-t TYPE, --type TYPE SELinux Type for the object
-r RANGE, --range RANGE
MLS/MCS Security Range (MLS/MCS Systems only) SELinux
Range for SELinux login mapping defaults to the
SELinux user record range.
To add the context to the .htaccess file, I included the -a option and used -t to specify the SELinux type.
# semanage fcontext -a -t httpd_sys_content_t /home/ann/public_html/ourplace/cometchat/.htaccess
To apply the change I needed to run the restorecon command; semanage only records the rule in the policy's file-context database, and you can see below that the context shown by ls -Z didn't change until after I ran restorecon.
# ls -Z /home/ann/public_html/ourplace/cometchat/.htaccess
-rw-rw-r--. ann apache system_u:object_r:unlabeled_t:s0 /home/ann/public_html/ourniche/cometchat/.htaccess
# restorecon -v /home/ann/public_html/ourplace/cometchat/.htaccess
restorecon reset /home/ann/public_html/ourplace/cometchat/.htaccess context system_u:object_r:unlabeled_t:s0->system_u:object_r:httpd_sys_content_t:s0
# ls -Z /home/ann/public_html/ourplace/cometchat/.htaccess
-rw-rw-r--. ann apache system_u:object_r:httpd_sys_content_t:s0 /home/ann/public_html/ourplace/cometchat/.htaccess
However, after I set that SELinux context, I noticed that one of the log messages had recommended a different type:
Apr 16 18:00:43 greendragon python: SELinux is preventing /usr/sbin/httpd from read access on the file /home/ann/public_html/ourplace/cometchat/.htaccess.
/home/ann/public_html/ourplace/cometchat/.htaccess default label should be httpd_user_htaccess_t.
I also found that the SELinux Cookbook by Sven Vermeulen mentions httpd_user_htaccess_t for .htaccess files, so I deleted the context I had previously set for the file using the -d option for semanage.
# semanage fcontext -d /home/ann/public_html/ourplace/cometchat/.htaccess
Then I changed the context to that type instead.
# semanage fcontext -a -t httpd_user_htaccess_t /home/ann/public_html/ourplace/cometchat/.htaccess
# restorecon -v /home/ann/public_html/ourplace/cometchat/.htaccess
restorecon reset /home/ann/public_html/ourplace/cometchat/.htaccess context system_u:object_r:httpd_sys_content_t:s0->system_u:object_r:httpd_user_htaccess_t:s0
# ls -Z /home/ann/public_html/ourplace/cometchat/.htaccess
-rw-rw-r--. ann apache system_u:object_r:httpd_user_htaccess_t:s0 /home/ann/public_html/ourplace/cometchat/.htaccess
After I made the above change, no further references to the cometchat/.htaccess file appeared in /var/log/messages. I did later observe that there were a lot of other cometchat-related entries in /var/log/messages, though.
# grep cometchat /var/log/messages | wc -l
27587
# grep cometchat /var/log/messages | tail
If you believe that httpd should be allowed read access on the cometchat_receive.php file by default.
Apr 19 22:17:46 greendragon setroubleshoot: failed to retrieve rpm info for /home/ann/public_html/ourplace/cometchat/modules/chatrooms/chatrooms.php
Apr 19 22:17:51 greendragon setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /home/ann/public_html/ourplace/cometchat/modules/chatrooms/chatrooms.php. For complete SELinux messages. run sealert -l b995a226-102c-402d-a284-3ba052067998
Apr 19 22:17:51 greendragon python: SELinux is preventing /usr/sbin/httpd from getattr access on the file /home/ann/public_html/ourplace/cometchat/modules/chatrooms/chatrooms.php.
/home/ann/public_html/ourplace/cometchat/modules/chatrooms/chatrooms.php default label should be httpd_user_content_t.
# /sbin/restorecon -v /home/ann/public_html/ourplace/cometchat/modules/chatrooms/chatrooms.php
Then you need to change the label on /home/ann/public_html/ourplace/cometchat/modules/chatrooms/chatrooms.php
# semanage fcontext -a -t FILE_TYPE '/home/ann/public_html/ourplace/cometchat/modules/chatrooms/chatrooms.php'
restorecon -v '/home/ann/public_html/ourplace/cometchat/modules/chatrooms/chatrooms.php'
Apr 19 22:17:54 greendragon setroubleshoot: failed to retrieve rpm info for /home/ann/public_html/ourplace/cometchat/modules/chatrooms/chatrooms.php
So I changed the context for all files in the cometchat directory.
# semanage fcontext -a -t httpd_user_content_t "/home/ann/public_html/ourplace/cometchat(/.*)?"
# restorecon -R /home/ann/public_html/ourplace/cometchat
The -a option to semanage indicates it should add a new record, and -t httpd_user_content_t specifies the type. The regular expression at the end of the command, (/.*)?, makes the rule match the cometchat directory itself as well as every path beneath it. The -R option to the restorecon command instructs it to apply the change recursively, so it is applied to all subdirectories as well.
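To show how the spec in that semanage command is matched against paths, and to check a directory's labels against such rules before running restorecon, here is an added Python example (not code from the page, and not part of the semanage or SELinux projects). It parses ls -Z output in the layout shown above, applies file-context rules written the way semanage fcontext records them (a regular expression matched against the whole path), and prints the semanage and restorecon commands that would fix each mismatch instead of running anything. The ls -Z lines are constructed from paths on the page, the /var/www rule is the targeted policy's default, and the first-match ordering with the most specific rule listed first is this script's assumption, not a statement of how libselinux resolves overlapping specs.

```python
import re

# Constructed sample `ls -Z` output in the layout the page shows
# (mode, owner, group, context, path). The .htaccess and index.html entries are
# the page's; the chatrooms.php entry is constructed from a path the page mentions.
SAMPLE_LS_Z = """\
-rw-rw-r--. ann apache system_u:object_r:unlabeled_t:s0 /home/ann/public_html/ourplace/cometchat/.htaccess
-rw-rw-r--. ann apache system_u:object_r:unlabeled_t:s0 /home/ann/public_html/ourplace/cometchat/modules/chatrooms/chatrooms.php
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/index.html
"""

# File-context rules as (spec, type), the pair `semanage fcontext -a -t TYPE 'SPEC'`
# records. A spec is a regular expression matched against the whole path, so
# "(/.*)?" matches the directory itself and everything below it. The first two
# rules are the ones the page adds; the third is the targeted policy's default
# for /var/www. This script applies the first matching rule and lists the most
# specific rule first; that ordering is an assumption for the illustration, not
# libselinux's own resolution order for overlapping specs.
FCONTEXT_RULES = [
    # Taken from the page as typed. The "." is a regex metacharacter here, so the
    # spec would also match ".../cometchat/Xhtaccess"; "\\.htaccess" is exact.
    ('/home/ann/public_html/ourplace/cometchat/.htaccess', 'httpd_user_htaccess_t'),
    ('/home/ann/public_html/ourplace/cometchat(/.*)?', 'httpd_user_content_t'),
    ('/var/www(/.*)?', 'httpd_sys_content_t'),
]

LS_Z_RE = re.compile(
    r'^(?P<mode>\S+)\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+(?P<ctx>\S+)\s+(?P<path>.+)$')


def parse_ls_z(line):
    """Split one `ls -Z` line into its fields and pull the type out of the context."""
    m = LS_Z_RE.match(line.strip())
    if m is None:
        return None
    ctx_parts = m.group('ctx').split(':')   # user:role:type[:level]
    if len(ctx_parts) < 3:
        return None
    return {'path': m.group('path'), 'ctx': m.group('ctx'), 'type': ctx_parts[2]}


def expected_label(path, rules=FCONTEXT_RULES):
    """(spec, type) of the first rule whose spec matches the whole path, else None."""
    for spec, type_ in rules:
        if re.fullmatch(spec, path):
            return spec, type_
    return None


def audit_labels(ls_lines, rules=FCONTEXT_RULES):
    """Files whose current type differs from what the rules say it should be,
    as (path, current type, expected type, matching spec)."""
    mismatches = []
    for line in ls_lines:
        entry = parse_ls_z(line)
        if entry is None:
            continue
        hit = expected_label(entry['path'], rules)
        if hit is not None and hit[1] != entry['type']:
            mismatches.append((entry['path'], entry['type'], hit[1], hit[0]))
    return mismatches


def remediation_commands(mismatches):
    """The page's fix in command form: record each needed rule once with
    semanage, then restorecon the mislabeled paths. The commands are returned
    as strings for review, not executed."""
    cmds = []
    for spec, type_ in sorted({(spec, type_) for _, _, type_, spec in mismatches}):
        cmds.append(f"semanage fcontext -a -t {type_} '{spec}'")
    for path, _, _, _ in mismatches:
        cmds.append(f"restorecon -v '{path}'")
    return cmds


if __name__ == '__main__':
    found = audit_labels(SAMPLE_LS_Z.splitlines())
    for path, current, wanted, _ in found:
        print(f"{path}: {current} -> {wanted}")
    print("\n".join(remediation_commands(found)))
```

With the page's two rules in place, the .htaccess file resolves to httpd_user_htaccess_t and the module file under modules/chatrooms to httpd_user_content_t, while /var/www/html/index.html already matches its rule and produces no command. For a whole tree, a single `restorecon -R` on the directory, as the page does, replaces the per-file restorecon lines.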
After I applied that change, the context of the .htaccess file in the cometchat directory had the prior context replaced with the one applied to all files in the cometchat directory.
# ls -Z /home/ann/public_html/ourplace/cometchat/.htaccess -rw-rw-r--. ann apache system_u:object_r:httpd_user_htaccess_t:s0 /home/ann/public_html/ourplace/cometchat/.htaccess
Applying the context to all files in the cometchat directory and its
subdirectories stopped further entries from appearing in
/var/log/messages related to cometchat.