Request Tracker 3

Colin Walters walters at redhat.com
Tue Feb 1 01:07:19 UTC 2005


On Mon, 2005-01-31 at 19:34 -0500, Kanwar Ranbir Sandhu wrote:
> On Mon, 2005-31-01 at 13:43 -0500, Colin Walters wrote:
> > Right.  Can you try moving the log into /var/log/httpd?  I can't think
> > of another solution short of installing the policy sources and adding
> > the permissions.  My guess is that it is actually this permission that
> > is stopping the program; the others are likely harmless.
> 
> Moving it to /var/log/httpd generated this error in error.log for httpd:
> 
> Log file /var/log/httpd/rt.log couldn't be written or created.

Is the type on rt.log still httpd_log_t?  Use ls -Z to inspect.

> [root at mothership tmp]# ls -di /usr/tmp
> 12 /usr/tmp

Yeah, that's what I thought.  If you look at the denial message, the
inode number was 12.  If your /usr isn't on a separate filesystem, then
you know the denial was on the /usr/tmp symlink.

I'm baffled you're still getting the denial though.  Can you confirm
with "ls -dZ /usr/tmp" that the type is usr_t?

> avc:  denied  { getattr } for  pid=2014 exe=/usr/bin/perl path=/var/log
> dev=dm-5 ino=129025 scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:var_log_t tclass=dir

If everything else doesn't work, here's what you can do:

yum install selinux-policy-targeted-sources
cd /etc/selinux/targeted/src/policy
echo 'allow httpd_sys_script_t var_log_t:dir { getattr search };' > domains/misc/local.te
make reload

There's work going on in SELinux upstream to make this easier.

> I got a "Operation not supported" error:
> 
> setfacl: /var/log/httpd: Operation not supported

Try:

mount -oremount,acl /

This should be the default IMO; also note you need to do it for each
filesystem you want ACLs on.

> I actually tried turning off the separate log entirely, but I still
> received errors:
> 
> avc:  denied  { ioctl } for  pid=2305 exe=/usr/bin/perl
> path=/var/log/httpd/error_log dev=dm-5 ino=129070
> scontext=root:system_r:httpd_sys_script_t
> tcontext=system_u:object_r:httpd_log_t tclass=file

I'd be fairly surprised if this is really the problem preventing the
program from working.  Was this the only denial you got after turning
off the separate log?

Anyways, this shouldn't be harmful to turn on (following the previous
steps):
echo 'allow httpd_sys_script_t httpd_log_t:file { ioctl };' >> domains/misc/local.te
make reload

> Me = stumped.

Hope the above helps.  Sometimes debugging this stuff can be a huge pain
if you have to dig into some obscure Perl library or the like, other
times it's a very simple fix.  This unfortunately looks to be one of the
former cases :/
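Added worked example (written for this archive page; it is not Colin's code and not part of Request Tracker, Fedora or the SELinux reference policy). It shows the two things the message above does by hand: turning an AVC denial line into the allow rule it would need, and using the inode number from a denial to work out which filesystem object was actually denied, lstat()-ing candidates so that a symlink such as /usr/tmp is matched by its own inode rather than its target's. The two denial lines are the ones quoted in the thread, re-joined onto single lines (the mail client had wrapped them); the temporary directory and symlink in the inode demo are constructed for the example. The real tool for the first job is audit2allow from policycoreutils; this is a deliberately small re-implementation of the same idea, and like audit2allow it emits only the permission that was denied (Colin adds "search" to the var_log_t rule by hand because it is the next access that would fail).

```python
import os
import re
import tempfile
from collections import OrderedDict

# Constructed sample: the two AVC denials quoted in the thread, each on one line.
SAMPLE_AVC = """\
avc:  denied  { getattr } for  pid=2014 exe=/usr/bin/perl path=/var/log dev=dm-5 ino=129025 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_log_t tclass=dir
avc:  denied  { ioctl } for  pid=2305 exe=/usr/bin/perl path=/var/log/httpd/error_log dev=dm-5 ino=129070 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_log_t tclass=file
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return the interesting pieces of one AVC denial, or None if the line is
    not a denial. Assumes key=value fields contain no spaces, which holds for
    the kernel's 2.6-era format shown in the thread."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    # A context is user:role:type; the type (third field) is what policy rules use.
    return {
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "exe": fields.get("exe"),
        "path": fields.get("path"),
        "ino": int(fields["ino"]) if "ino" in fields else None,
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def allow_rules(log_text):
    """Merge denials by (source type, target type, object class) and emit one
    allow rule per triple, in the same shape as the rules in local.te above.
    Only the permissions actually seen are granted; review each rule before
    loading it, because an over-broad target type (var_log_t covers every
    log directory, not just RT's) widens the domain more than intended."""
    merged = OrderedDict()
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        perms = merged.setdefault((d["stype"], d["ttype"], d["tclass"]), [])
        for p in d["perms"]:
            if p not in perms:
                perms.append(p)
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(perms))
            for (s, t, c), perms in merged.items()]


def which_path_has_inode(candidates, ino):
    """Return the first candidate whose own inode (lstat, so a symlink is
    checked as the link itself, not its target) matches the denial's ino=."""
    for p in candidates:
        try:
            if os.lstat(p).st_ino == ino:
                return p
        except OSError:
            continue
    return None


def symlink_inode_demo():
    """Constructed demo of the thread's diagnosis: a directory and a symlink to
    it have different inodes, so the ino= from a denial on the link resolves
    to the link, not to the directory it points at."""
    with tempfile.TemporaryDirectory() as td:
        real = os.path.join(td, "tmp")        # stands in for /var/tmp
        link = os.path.join(td, "usr_tmp")    # stands in for the /usr/tmp symlink
        os.mkdir(real)
        os.symlink(real, link)
        denied_ino = os.lstat(link).st_ino    # what the kernel would report
        return os.path.basename(which_path_has_inode([real, link], denied_ino))


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC):
        print(rule)
    print("denied object was:", symlink_inode_demo())
```

Running it prints the two rules, "allow httpd_sys_script_t var_log_t:dir { getattr };" and "allow httpd_sys_script_t httpd_log_t:file { ioctl };", followed by "usr_tmp" from the inode demo. Before appending such rules to domains/misc/local.te, check with ls -Z (as the message suggests) whether the object is simply mislabelled; relabelling a file is a smaller change than widening what httpd_sys_script_t may touch.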