Request Tracker 3

Kanwar Ranbir Sandhu m3freak at
Tue Feb 1 00:34:39 UTC 2005

On Mon, 2005-31-01 at 13:43 -0500, Colin Walters wrote:
> Right.  Can you try moving the log into /var/log/httpd?  I can't think
> of another solution short of installing the policy sources and adding
> the permissions.  My guess is that it is actually this permission that
> is stopping the program; the others are likely harmless.

Moving it to /var/log/httpd generated this error in error.log for httpd:

Log file /var/log/httpd/rt.log couldn't be written or created.

/var/log/messages had this to say:

avc:  denied  { read } for  pid=1516 exe=/usr/bin/perl name=tmp dev=dm-3
ino=12 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:tmp_t tclass=lnk_file

Plus some more denies for { ioctl }.

Here's the contents of /usr/tmp when apache starts:

[root at mothership tmp]# ls -alZ /usr/tmp/
drwxrwxrwt  root     root     system_u:object_r:tmp_t          .
drwxr-xr-x  root     root     system_u:object_r:var_t          ..
srw-------  apache   apache   root:object_r:httpd_tmp_t
drwx------  apache   apache   root:object_r:httpd_tmp_t        dynamic

> > Actually, it's just /tmp.  
> Is your /tmp a symlink elsewhere?  Or do you actually have a symlink
> in /tmp named "tmp"?  Are you *sure* it's really /tmp?  Do an 
> "ls -di /tmp" to see if its inode number is 12.  Then do 
> "ls -di /usr/tmp".

Well, it's not 12.

[root at mothership ~]# ls -di /tmp
2 /tmp


[root at mothership tmp]# ls -di /usr/tmp
12 /usr/tmp

So...I changed the parameter for FastCgiIpDir to /usr/tmp, but there
were still more denials (a new one):

avc:  denied  { getattr } for  pid=2014 exe=/usr/bin/perl path=/var/log
dev=dm-5 ino=129025 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:var_log_t tclass=dir

A ls -alZ shows that /tmp is a normal directory:

drwxrwxrwt  root     root     system_u:object_r:tmp_t          tmp

The same command within /tmp:

[root at mothership tmp]# ls -alZ
drwxrwxrwt  root     root     system_u:object_r:tmp_t          .
drwxr-xr-x  root     root     system_u:object_r:root_t         ..
-rw-r--r--  root     root     root:object_r:tmp_t
-rw-r--r--  root     root     root:object_r:tmp_t              Apache-
drwxr-xr-x  root     root     root:object_r:tmp_t              .cpan
drwx------  apache   apache   root:object_r:httpd_tmp_t        dynamic
drwxr-xr-x  root     root     root:object_r:tmp_t              fastcgi
drwxrwxrwx  root     root     root:object_r:tmp_t              FileCache
drwxrwxrwt  root     root     user_u:object_r:tmp_t            .font-
-rw-r--r--  root     root     root:object_r:tmp_t              html-
-rw-r--r--  root     root     root:object_r:tmp_t              html-
drwxrwxrwt  root     root     user_u:object_r:tmp_t            .ICE-unix
drwx------  root     root                                      lost

You can see the files and directories created by FastCGI when Apache
fires up (when I had the FastCgiIpDir set to /tmp).

> Better to use an ACL than mode 777; e.g. 
> "setfacl -m 'apache:rwx' /var/log/httpd".

I got a "Operation not supported" error:

setfacl: /var/log/httpd: Operation not supported

> It only changes the type of the /usr/tmp symlink.  My guess is still
> that your program has some code (or a library it uses does) that
> tries /usr/tmp first, and is getting permission denial on that symlink
> because it should be usr_t, not tmp_t.

A good try, but it didn't work. :(

I actually tried turning off the separate log entirely, but I still
received errors:

avc:  denied  { ioctl } for  pid=2305 exe=/usr/bin/perl
path=/var/log/httpd/error_log dev=dm-5 ino=129070
tcontext=system_u:object_r:httpd_log_t tclass=file

Me = stumped.

Thanks for the help.


Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.

More information about the fedora-selinux-list mailing list