The default httpd.conf loads the module mod_userdir.so by default, but has
"UserDir disabled".

To work around the repeated warnings by SELinux, I commented out the module load, and restarted httpd. The warning below still occurred on the restart.

yum list httpd:
httpd.x86_64 2.2.15-30.el6.centos @updates

SELinux details:
SELinux is preventing /usr/sbin/httpd from search access on the directory /home/gdavis.

***** Plugin catchall_boolean (47.5 confidence) suggests *******************

If you want to allow httpd to read user content
Then you must tell SELinux about this by enabling the 'httpd_read_user_content' boolean.
Do
setsebool -P httpd_read_user_content 1

***** Plugin catchall_boolean (47.5 confidence) suggests *******************

If you want to allow httpd to read home directories
Then you must tell SELinux about this by enabling the 'httpd_enable_homedirs' boolean.
Do
setsebool -P httpd_enable_homedirs 1

***** Plugin catchall (6.38 confidence) suggests ***************************

If you believe that httpd should be allowed search access on the gdavis directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                /home/gdavis [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          <removed>
Source RPM Packages           httpd-2.2.15-30.el6.centos.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-231.el6_5.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     <removed>
Platform                      Linux hawk-linux.home.local 2.6.32-431.11.2.el6.x86_64 #1 SMP Tue Mar 25 19:59:55 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 10 Apr 2014 07:09:40 AM PDT
Last Seen                     Thu 10 Apr 2014 07:09:40 AM PDT
Local ID                      1ff33cbe-0305-442e-9761-1e85d95ea6a6

Raw Audit Messages
type=AVC msg=audit(1397138980.166:1153): avc: denied { search } for pid=19147 comm="httpd" name="gdavis" dev=dm-3 ino=8912897 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

type=SYSCALL msg=audit(1397138980.166:1153): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f60fb00ee48 a1=7fff06b945a0 a2=7fff06b945a0 a3=1999999999999999 items=0 ppid=19145 pid=19147 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,user_home_dir_t,dir,search

audit2allow

#============= httpd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
# httpd_read_user_content, httpd_enable_homedirs
allow httpd_t user_home_dir_t:dir search;

audit2allow -R

#============= httpd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
# httpd_read_user_content, httpd_enable_homedirs
allow httpd_t user_home_dir_t:dir search;
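The report above shows how a raw AVC line (`scontext=...httpd_t...`, `tcontext=...user_home_dir_t...`, `tclass=dir`, `{ search }`) becomes the `allow httpd_t user_home_dir_t:dir search;` rule that audit2allow prints. The following script is an added example, not part of the bug report and not the audit2allow source: it parses AVC records in the audit.log key=value format, extracts the type field of each context, and aggregates permissions per (source type, target type, class) the way audit2allow does, so several denials on the same object collapse into one rule. The sample log is constructed from the AVC and SYSCALL lines in the report plus a second, hypothetical `read` denial to show the aggregation; the SYSCALL record is deliberately skipped because it carries no denial. When a denial maps to an existing boolean, as sealert says this one does, the `setsebool -P` fix is preferable to loading a generated module: the boolean is a policy-maintained, reversible switch, whereas a custom `allow` rule grants the access unconditionally.

```python
import re
from collections import OrderedDict

# Constructed sample input: the AVC and SYSCALL records from the sealert report above,
# plus a hypothetical second AVC ({ read } on the same directory) to show aggregation.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1397138980.166:1153): avc: denied { search } for pid=19147 comm="httpd" name="gdavis" dev=dm-3 ino=8912897 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1397138980.166:1153): arch=x86_64 syscall=stat success=no exit=EACCES a0=7f60fb00ee48 a1=7fff06b945a0 a2=7fff06b945a0 a3=1999999999999999 items=0 ppid=19145 pid=19147 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm=httpd exe=/usr/sbin/httpd subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1397139001.500:1160): avc: denied { read } for pid=19147 comm="httpd" name="gdavis" dev=dm-3 ino=8912897 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
"""

# "avc: denied { perm perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
# key=value pairs; values are either double-quoted (comm="httpd") or bare (tclass=dir)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit record. Returns a dict of fields for an AVC denial, else None."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def allow_rules(log_text):
    """Aggregate AVC denials into audit2allow-style allow rules.

    Denials are grouped by (source type, target type, object class); permissions
    for the same group are merged into one rule, preserving first-seen order.
    """
    rules = OrderedDict()
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue  # SYSCALL, PATH, etc. records carry no denial of their own
        key = (context_type(avc["scontext"]),
               context_type(avc["tcontext"]),
               avc["tclass"])
        perms = rules.setdefault(key, [])
        for p in avc["perms"]:
            if p not in perms:
                perms.append(p)
    out = []
    for (src, tgt, cls), perms in rules.items():
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_str))
    return out


if __name__ == "__main__":
    # Only the first record: reproduces the rule audit2allow printed in the report.
    print(allow_rules(SAMPLE_AUDIT_LOG.splitlines()[0]))
    # All records: the hypothetical read denial is merged into the same rule.
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Feeding only the first record produces exactly the rule shown in the report; feeding the whole sample merges the second denial into `{ search read }`. Rules generated this way are the last resort the catchall plugin describes; check `getsebool -a | grep httpd` for an applicable boolean first.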