While looking into what's been causing a server to lock up/crash, I found many selinux messages in /var/log/messages. For example:

setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /tmp/sess_s5etafvc5ito5qi9icvpc17vi5. For complete SELinux messages. run sealert -l 9d054e4e-fc34-41a3-8fc5-4015026d2c6c

Not sure if it is relevant, but groups of these are preceded or followed by many lines of

audispd: queue is full - dropping event

Anyway, running the suggested sealert command gives

SELinux is preventing /usr/sbin/httpd from getattr access on the file /tmp/sess_aa0iif62mu7nd4a4hb4g72slv3.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that httpd should be allowed getattr access on the sess_aa0iif62mu7nd4a4hb4g72slv3 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

ls -l shows that it is owned by root

-rw-------. 1 root root 0 Dec 2 05:03 sess_aa0iif62mu7nd4a4hb4g72slv3

I don't have a good understanding of the /tmp directory or sessions. There are session files owned by httpd, so why would httpd be trying to access root-owned session files? Why are there root-owned session files in the first place? Is this something to be concerned about, or fixed? Would hundreds or thousands of these result in the server locking up/kernel panic?

Reese


It seems that you have an application engine, such as PHP, running as root. Verify the user owning the process for each of your server daemons through ps or top.

Hyppy
PHP, yes. I see several httpd processes owned by apache, and 2 owned by root (one with pid=1599 and ppid=1, the other with ppid=1599). All the other httpd processes have ppid=1599. From what I've read, the main server should run as `root`, and child processes run as `apache`. Still not sure if anything is out of the ordinary – Reese Dec 03 '14 at 00:14
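The three checks the thread circles around (which httpd processes run as root, how many SELinux denials of which kind are piling up, and which session files have an unexpected owner) can be scripted. The script below is an added example written for this page; it is not from the question, the answer, or the setroubleshoot/Apache projects. All three inputs (a `ps -eo pid,ppid,user,comm` listing, a slice of /var/log/messages, and an `ls -l` of /tmp) are constructed samples embedded inline so it runs offline; the expected web user `apache` is an assumption taken from the thread, and the sealert UUID is a zeroed placeholder. On a real host you would feed it the live output of those commands instead.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,ppid,user,comm` (not real host data).
# 1599 is the Apache listener (parent is init), its workers should be apache;
# 1603 is a worker that wrongly stayed root.
SAMPLE_PS='  PID  PPID USER     COMMAND
    1     0 root     init
 1599     1 root     httpd
 1601  1599 apache   httpd
 1602  1599 apache   httpd
 1603  1599 root     httpd
 2200     1 root     crond'

# Constructed slice of /var/log/messages; the UUID is a placeholder.
SAMPLE_LOG='Dec  2 05:03:10 web1 setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /tmp/sess_aaa. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000000
Dec  2 05:03:11 web1 audispd: queue is full - dropping event
Dec  2 05:03:12 web1 setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /tmp/sess_bbb. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000000
Dec  2 05:03:13 web1 setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file /tmp/sess_ccc. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000000'

# Constructed `ls -l /tmp` excerpt.
SAMPLE_LS='-rw-------. 1 apache apache 0 Dec  2 05:01 sess_1
-rw-------. 1 root   root   0 Dec  2 05:03 sess_2
-rw-------. 1 apache apache 0 Dec  2 05:04 sess_3'

# Print PIDs of worker processes (parent is not init) of the named daemon that
# run as root. Apache's normal model is one root listener whose children drop
# to the configured user, so a root-owned child is the thing to look at.
root_workers() {
    printf '%s\n' "$1" | awk -v daemon="$2" \
        'NR > 1 && $2 != 1 && $3 == "root" && $4 == daemon { print $1 }'
}

# Count setroubleshoot denials per (process, access, target directory) and
# count "queue is full - dropping event" lines, which mean the audit trail has gaps.
denial_summary() {
    printf '%s\n' "$1" | awk '
        /SELinux is preventing/ {
            # ... preventing <proc> from <access> access on the <class> <path>.
            for (i = 1; i <= NF; i++) {
                if ($i == "preventing") proc = $(i + 1)
                if ($i == "from") acc = $(i + 1)
                if ($i == "file" || $i == "directory") {
                    path = $(i + 1); sub(/\.$/, "", path)
                }
            }
            dir = path; sub(/\/[^\/]*$/, "", dir)
            n[proc " " acc " " dir "/"]++
        }
        /dropping event/ { dropped++ }
        END {
            for (k in n) print n[k], k
            print dropped + 0, "dropped audit events"
        }'
}

# List session files (sess_*) in an `ls -l` listing whose owner is not the
# expected web user; each hit points at a process other than the web server
# writing sessions into the shared directory.
foreign_session_files() {
    printf '%s\n' "$2" | awk -v want="$1" \
        '$NF ~ /^sess_/ && $3 != want { print $3, $NF }'
}

echo "root-owned httpd workers:"
root_workers "$SAMPLE_PS" httpd
echo "denials:"
denial_summary "$SAMPLE_LOG"
echo "session files not owned by apache:"
foreign_session_files apache "$SAMPLE_LS"
```

On the sample data the first check reports PID 1603 only (the listener 1599 is root by design and is skipped), the second shows two getattr and one read denial against /tmp/ plus one dropped-event line, and the third flags sess_2 as root-owned. A non-empty result from the first or third check is the evidence the answer asks for: something besides the apache user is creating or serving sessions.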