[Bug 1281886] New: selinux causes RT to prevent httpd from starting


 



https://bugzilla.redhat.com/show_bug.cgi?id=1281886

            Bug ID: 1281886
           Summary: selinux causes RT to prevent httpd from starting
           Product: Fedora
           Version: 22
         Component: rt
          Assignee: rc040203@xxxxxxxxxx
          Reporter: tibbs@xxxxxxxxxxx
        QA Contact: extras-qa@xxxxxxxxxxxxxxxxx
                CC: perl-devel@xxxxxxxxxxxxxxxxxxxxxxx,
                    rc040203@xxxxxxxxxx, tibbs@xxxxxxxxxxx



This is really just a heads up, and should probably be reassigned to
selinux-policy, but I wanted to run it by you to make sure it's not an RT issue
first.

Basically, httpd updated last night, which means it restarted.  Unfortunately
this failed:

Nov 13 09:57:43 rt2.math.uh.edu httpd[23688]: AH00526: Syntax error on line 29
of /etc/httpd/conf.d/virt-rt.conf:
Nov 13 09:57:43 rt2.math.uh.edu httpd[23688]: Cannot write to
'/var/log/rt/rt.log': Permission denied at
/usr/share/perl5/vendor_perl/Log/Dispatch/File.pm line 107.\n

Line 29 is the Plack setup, which fails; there's nothing actually wrong with
the syntax of the apache configuration file.

    <Perl>
        use Plack::Handler::Apache2;
        Plack::Handler::Apache2->preload("/usr/sbin/rt-server");
    </Perl>

And it can't read /var/log/rt.log because of:

time->Fri Nov 13 03:33:30 2015
type=AVC msg=audit(1447407210.438:3285): avc:  denied  { open } for  pid=12191
comm="/usr/sbin/rt-se" path="/var/log/rt/rt.log" dev="dm-1" ino=393970
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0
tclass=file permissive=0

setenforce 0 fixes it, of course, and after that there are no additional AVCs.

My guess is that this broke with a selinux policy update (the last one was
selinux-policy-targeted-3.13.1-128.18.fc22.noarch on October 29th) but nothing
actually failed until httpd restarted last night.

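For triage, the denial quoted in the report can be reduced to the tuple a policy maintainer needs: source type, target type, object class and permission. The following is an added example, not part of the original report or of RT; the function names are illustrative, and it assumes ausearch-style text that may have been line-wrapped by mail, as the record above was.

```python
import re
from collections import Counter

# Record copied from the report above, still wrapped the way the mail shows it.
SAMPLE = """\
time->Fri Nov 13 03:33:30 2015
type=AVC msg=audit(1447407210.438:3285): avc:  denied  { open } for  pid=12191
comm="/usr/sbin/rt-se" path="/var/log/rt/rt.log" dev="dm-1" ino=393970
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0
tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(text):
    """Rejoin wrapped records: one starts at 'type=', ends at 'time->' or a blank line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("type="):
            records.append(line)        # start of a new record
        elif not line or line.startswith("time->"):
            records.append("")          # separator closes the current record
        elif records:
            records[-1] = (records[-1] + " " + line).strip()
    return [r for r in records if r]

def parse_avc(text):
    """Return one dict per AVC record, with the type pulled out of each context."""
    events = []
    for rec in unwrap(text):
        m = AVC_RE.search(rec)
        if not (rec.startswith("type=AVC") and m):
            continue
        ev = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
        if "scontext" not in ev or "tcontext" not in ev:
            continue
        ev.update(result=m.group(1), perms=m.group(2).split())
        # A context is user:role:type:level; the level can contain ':' itself.
        ev["source_type"] = ev["scontext"].split(":", 3)[2]
        ev["target_type"] = ev["tcontext"].split(":", 3)[2]
        events.append(ev)
    return events

def summarize(events):
    """Count denials per (source type, target type, class, permission)."""
    return Counter((e["source_type"], e["target_type"], e["tclass"], p)
                   for e in events if e["result"] == "denied" for p in e["perms"])
```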



