Did you happen to add a custom context?

Example:
semanage fcontext -a -t file_t /etc/resolv.conf

On Fri, Sep 16, 2011 at 11:19 AM, Rainer Traut <[email protected]> wrote:
> Hi,
>
> I'm testing httpd with selinux in enforcing mode.
> When starting httpd with default config I see this:
>
> # service httpd start
> httpd starten: httpd: apr_sockaddr_info_get() failed for wwwtest.xxx
> httpd: Could not reliably determine the server's fully qualified domain
> name, using 127.0.0.1 for ServerName [  OK]
>
> with further investigation:
>
> host=wwwtest.xxx type=AVC msg=audit(1316185060.545:463): avc:  denied  {
> read } for  pid=23381 comm="httpd" name="resolv.conf" dev=sda2 ino=574037
> scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0
> tclass=file
>
> host=wwwtest.xxx type=SYSCALL msg=audit(1316185060.545:463): arch=c000003e
> syscall=2 success=no exit=-13 a0=2ab98db308e8 a1=0 a2=1b6 a3=0 items=0
> ppid=23380 pid=23381 auid=502 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts1 ses=23 comm="httpd" exe="/usr/sbin/httpd"
> subj=user_u:system_r:httpd_t:s0 key=(null)
>
> But why is restorecon failing?
>
> # ls -Z /etc/resolv.conf
> -rw-r--r--  root root system_u:object_r:file_t         /etc/resolv.conf
>
> # restorecon -v /etc/resolv.conf
> restorecon set context /etc/resolv.conf->system_u:object_r:net_conf_t:s0
> failed:'Operation not permitted'
>
> I found various hints about hardlinks to resolv.conf preventing it, but
> there are none...
>
> # find / -xdev -samefile /etc/resolv.conf
> /etc/resolv.conf
>
> Thx
> Rainer
>
> _______________________________________________
> rhelv5-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/rhelv5-list
>

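As an added example that is not part of the thread, the check the reply asks about, scripted: parse the AVC record quoted above, compare the object's type with the one restorecon reported, and look for a local fcontext rule whose spec matches the path. The audit record and the `semanage fcontext -l -C` listing are constructed inline from the thread's values so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: triage a wrong-label AVC denial the way
# the reply suggests, by checking whether a local fcontext customisation covers
# the path. Inputs are constructed from the thread's own records.

# AVC record copied from the thread (constructed sample, one line)
AVC='type=AVC msg=audit(1316185060.545:463): avc:  denied  { read } for  pid=23381 comm="httpd" name="resolv.conf" dev=sda2 ino=574037 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file'

# Constructed stand-in for `semanage fcontext -l -C` output (local rules only);
# the first line is the column header, as the real tool prints it.
LOCAL_FCONTEXT='SELinux fcontext                    type        Context
/etc/resolv.conf                    all files   system_u:object_r:file_t:s0
/srv/www(/.*)?                      all files   system_u:object_r:httpd_sys_content_t:s0'

# avc_field RECORD KEY -> value of the KEY=value pair in an audit record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# context_type CONTEXT -> the type field (user:role:TYPE:level)
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# custom_fcontext_for PATH LISTING -> local rules whose spec matches PATH;
# specs are anchored regular expressions, as in file_contexts
custom_fcontext_for() {
    printf '%s\n' "$2" | awk -v p="$1" 'NR > 1 && NF >= 3 && p ~ ("^" $1 "$")'
}

# diagnose PATH EXPECTED_TYPE RECORD LISTING -> 0 if a local rule explains
# the label (restorecon will keep re-applying it), 1 if the cause is elsewhere
diagnose() {
    actual=$(context_type "$(avc_field "$3" tcontext)")
    printf '%s denied %s on %s: labelled %s, restorecon wants %s\n' \
        "$(avc_field "$3" comm)" "$(avc_field "$3" tclass)" "$1" "$actual" "$2"
    rule=$(custom_fcontext_for "$1" "$4")
    if [ -n "$rule" ]; then
        printf 'local fcontext rule overrides the default:\n%s\n' "$rule"
        return 0
    fi
    printf 'no local fcontext rule for %s; look elsewhere (hardlinks, filesystem)\n' "$1"
    return 1
}

diagnose /etc/resolv.conf net_conf_t "$AVC" "$LOCAL_FCONTEXT"
```

On a live host, replace the two constants with output from `ausearch -m avc` and `semanage fcontext -l -C`.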