Request Tracker 3
Kanwar Ranbir Sandhu
m3freak at rogers.com
Mon Jan 31 18:16:41 UTC 2005
On Mon, 2005-31-01 at 12:12 -0500, Colin Walters wrote:
> Have you seen the Fedora Apache/SELinux guide?
> http://fedora.redhat.com/docs/selinux-apache-fc3/
Yes, I read that when I started to migrate SugarCRM from an FC1 box to an
FC3 server, so I'm familiar with SELinux. But probably not enough to
figure out what's wrong right now.
> > avc: denied { getattr } for pid=681 exe=/usr/bin/perl path=/var/log
> > dev=dm-5 ino=129025 scontext=root:system_r:httpd_sys_script_t
> > tcontext=system_u:object_r:var_log_t tclass=dir
>
> Hmm. Given that we allow access to httpd_log_t which is in the default
> configuration a subdirectory of var_log_t, I'm surprised that this
> access is not allowed. Ideally though the app should not need this.
In RT, you can define a separate log file instead of having everything
dumped to /var/log/messages. I haven't tried yet, but I'm assuming if I
disabled the separate log file, this error would disappear.
I would rather keep /var/log/rt.log. It makes reading the log a lot
easier since it will only contain messages pertaining to RT.
> > avc: denied { ioctl } for pid=693 exe=/usr/bin/perl
> > path=/var/log/httpd/error_log dev=dm-5 ino=129070
> > scontext=root:system_r:httpd_sys_script_t
> > tcontext=system_u:object_r:httpd_log_t tclass=file
>
> This one is probably harmless; I think perl does an ioctl even on
> regular files in many situations (to find out whether it's a tty?).
I'll have to look into it.
> > avc: denied { read } for pid=693 exe=/usr/bin/perl name=tmp dev=dm-3
> > ino=12 scontext=root:system_r:httpd_sys_script_t
> > tcontext=system_u:object_r:tmp_t tclass=lnk_file
>
> Is this /usr/tmp? Try running "chcon -h -t usr_t /usr/tmp". This is a
> bug in our policy package because it doesn't presently ensure that it's
> relabeled on upgrades.
Actually, it's just /tmp. FastCGI dumps its temporary files there while
it's running. The location can be changed, but in the past (on FC1)
when I've tried using /var/log/httpd/fastcgi, I just get a bunch of
errors about FastCGI not having permission to write to that directory (I
believe the only way I managed to fix that was by changing permissions
on /var/log/httpd to 777).
The command you mentioned above won't work in this case, will it? I'm
assuming that context is meant only for directories under /usr.
Thanks,
Ranbir
--
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com
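
As an added example (not part of the original message and not code from any SELinux tool), the three denials quoted in the message can be parsed and grouped by source type, target type and object class to see exactly what the RT script domain is being refused. The function names are invented for this illustration, and the sample input is the message's own AVC lines with the mail line-wrapping undone.

```python
import re
from collections import defaultdict

# The three denials quoted in the message, rejoined onto one line each.
SAMPLE = """\
avc: denied { getattr } for pid=681 exe=/usr/bin/perl path=/var/log dev=dm-5 ino=129025 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_log_t tclass=dir
avc: denied { ioctl } for pid=693 exe=/usr/bin/perl path=/var/log/httpd/error_log dev=dm-5 ino=129070 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_log_t tclass=file
avc: denied { read } for pid=693 exe=/usr/bin/perl name=tmp dev=dm-3 ino=12 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tmp_t tclass=lnk_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")

def ctx_type(ctx):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one denial into a dict; None if the line is not a complete AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value tokens; values containing spaces are not handled in this sketch
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    src, tgt = ctx_type(fields.get("scontext", "")), ctx_type(fields.get("tcontext", ""))
    if not (src and tgt and "tclass" in fields):
        return None
    return {"perms": m.group("perms").split(), "source_type": src, "target_type": tgt,
            "tclass": fields["tclass"], "object": fields.get("path") or fields.get("name")}

def summarize(text):
    """Group denials by (source type, target type, class) -> set of permissions."""
    groups = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d:
            groups[(d["source_type"], d["target_type"], d["tclass"])].update(d["perms"])
    return groups

def as_rules(groups):
    """Render each group in type-enforcement allow-rule syntax, for review only."""
    rules = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return rules

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```

Each output line is what the denial would require if granted, which makes it easy to compare against the replies above: one is described as probably harmless, one as access the application ideally should not need, and one is tied to the label of the `tmp` symlink.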