SELinux fix: allowing write to /var/lib/mod_security/

There’s a long-standing bug that prevents mod_security from writing to /var/lib/mod_security/.

According to Red Hat Bugzilla this bug should been fixed around May 2013, but it still exists – on fully patched CentOS 6.5. From /var/log/audit/audit.log:

type=AVC msg=audit(1411718594.811:7017): avc: denied { write } for pid=28144 comm="httpd" name="global.dir" \
dev=dm-0 ino=1577960 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

type=AVC msg=audit(1411718594.812:7018): avc: denied { write } for pid=28144 comm="httpd" name="ip.dir" \ dev=dm-0 ino=1577962 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file

To relabel this directory with the proper “httpd_var_lib_t” context, run the following as root:

semanage fcontext -a -t httpd_var_lib_t "/var/lib/mod_security(/.*)?"
restorecon -Rv /var/lib/mod_security

Turnip

@Turnip2020

I have a suggestion. How about reporters stop asking whether or not political leaders “believe” in climate change and start asking if they understand it instead.

05:51 · 2018-08-21 ·

Retweeted by Ed Voncken

Guity Mohebbi

@GuityMohebbi

Hahahahahahaha een fijn weekend. pic.twitter.com/FaMCUt02pS

11:07 · 2018-08-19 ·

Retweeted by Ed Voncken

Nicholas Thompson

@nxthompson

This story is incredible: meet the team in Syria who hacked together a tool like Shazam for air raids. It listens to the plans and warns where the bombs will hit next. wired.com/story/syria-ci…

21:04 · 2018-08-17 ·

Retweeted by Ed Voncken