I never did solve this, and I'm looking at it again. Selinux still gripes (it's in permissive mode, or this would be more of a problem). httpd_unified is on, which is what the *wrong* error message from selinux tells me will fix this.
Given the info below, *should* I chcon (or semanage) /var/log/httpd/smagent.log to the same type as the httpd error.log? Will that make selinux happy?
mark, not happy with selinux
host=biblio type=AVC msg=audit(1262787360.769:5531): avc: denied { write } for pid=1654 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=46107941 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
ll -Z /var/log/httpd/smagent.log -rw-r--r-- apache root user_u:object_r:httpd_log_t /var/log/httpd/smagent.log
ll -Z /usr/local/opt/<blah>/webagent/bin/LLAWP -rwxrwxr-x root root system_u:object_r:bin_t /usr/local/opt/<blah>/webagent/bin/LLAWP
ll -Z /var/log/httpd/error_log -rw-r--r-- root root system_u:object_r:httpd_log_t /var/log/httpd/error_log
ll -Z /usr/sbin/httpd -rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd
On 01/07/2010 04:45 PM, m.roth@5-cent.us wrote:
I never did solve this, and I'm looking at it again. Selinux still gripes (it's in permissive mode, or this would be more of a problem). httpd_unified is on, which is what the *wrong* error message from selinux tells me will fix this.
Given the info below, *should* I chcon (or semanage) /var/log/httpd/smagent.log to the same type as the httpd error.log? Will that make selinux happy?
mark, not happy with selinux
host=biblio type=AVC msg=audit(1262787360.769:5531): avc: denied { write } for pid=1654 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=46107941 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
Apache can not and will not write to its log files. The log file should be open for append only. This is so that a compromized web server can not wipe its audit trail.
You should consider this to be a bug in smagent.
If you want to just allow it any way (discouraged) than you can do the following:
echo "avc: denied { write } for pid=1654 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=46107941 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file" | audit2allow -M myfaultysmagent; sudo semodule -i myfaultysmagent.pp
Hth
ll -Z /var/log/httpd/smagent.log -rw-r--r-- apache root user_u:object_r:httpd_log_t /var/log/httpd/smagent.log
ll -Z /usr/local/opt/<blah>/webagent/bin/LLAWP -rwxrwxr-x root root system_u:object_r:bin_t /usr/local/opt/<blah>/webagent/bin/LLAWP
ll -Z /var/log/httpd/error_log -rw-r--r-- root root system_u:object_r:httpd_log_t /var/log/httpd/error_log
ll -Z /usr/sbin/httpd -rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
selinux@lists.fedoraproject.org