Linux – selinux “Possible mismatch between this policy….”

linuxSecurityselinux

How do I go about troubleshooting the following error below:

type=AVC msg=audit(1365523330.609:4846): avc:  denied  { append } for  pid=12542 comm="FTPMan.pl" name="user_list" dev=dm-0 ino=2884237 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

Was caused by:
    Unknown - would be allowed by active policy
    Possible mismatch between this policy and the one under which the audit message was generated.

    Possible mismatch between current in-memory boolean settings vs. permanent ones.

There wasn't much documentation on this particular error.

Best Answer

Check the apache logs for the actual file causing the problem (for me it was mod_jk.so). hopefully you'll find a line in the error log like

Cannot load /opt/coldfusion10/config/wsconfig/1/mod_jk.so into server: /opt/coldfusion10/config/wsconfig/1/mod_jk.so: failed to map segment from shared object: Permission denied

then compare the selinux permissions of that file with the permissions of the http executable. for me they were

# ls -ldZ /opt/coldfusion10/config/wsconfig/1/mod_jk.so
-rwxr-xr-x. nobody nobody unconfined_u:object_r:httpd_log_t:s0 /opt/coldfusion10/config/wsconfig/1/mod_jk.so
# ls -ldZ /usr/sbin/httpd
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd

You can see the mod_jk.so has different permissions to the httpd binary. To fix it, simply make them the same

# sudo chcon -R -u system_u -r object_r -t httpd_exec_t /opt/coldfusion10/config/wsconfig/1/mod_jk.so

Now they match, and for me apache started up again (without compromising my server security)

Related Solutions

SELinux AVC denies at boot

The target types are file_t. That normally is the case where no type was ever set on the file and that is the default.

You'll need to relabel the filesystem in order to get things going again.

Normally the command fixfiles is used for this on redhat but I'm pretty sure that relates to RPM databases for some work so isn't likely as relevent in gentoo. You should be able to use restorecon though.

You'll need to boot into a permissive mode to try and relabel the filesystem.

Redhat Apache fast-cgi selinux permissions

Running FastCGI your way leaves a big security hole: the PHP interpreter is run as user "httpd" (at least I can't see anything about suexec here).

We have a working setup with SELinux and PHP as FastCGI here at CentOS 6, but it was really tricky to get everything working.

A few tips for the start:

you don't need to reboot to disable/enable selinux - just use the command "setenforce 0" or "setenforce 1" :)
always try to get everything working with SELinux disabled, then enable it and have a look at audit.log

Here we go:

enable suexec
change SELinux type for php.fcgi to httpd_fastcgi_script_exec_t
your FastCGI starter (php.fcgi) should not be writable by the user owning it (otherwise he can tweak many settings and limits). Give it the "immutable" flag: chattr +i php.fcgi

suexec has some trouble with FastCGI, so we have to make it permissive:

yum install policycoreutils-python
semanage permissive -a httpd_suexec_t

Good luck!

Best Answer

Related Solutions

SELinux AVC denies at boot

Redhat Apache fast-cgi selinux permissions

Related Topic