On Mon, 2005-31-01 at 13:43 -0500, Colin Walters wrote:

> Right. Can you try moving the log into /var/log/httpd? I can't think
> of another solution short of installing the policy sources and adding
> the permissions. My guess is that it is actually this permission that
> is stopping the program; the others are likely harmless.

Moving it to /var/log/httpd generated this error in error.log for httpd:

Log file /var/log/httpd/rt.log couldn't be written or created.

/var/log/messages had this to say:

avc: denied { read } for pid=1516 exe=/usr/bin/perl name=tmp dev=dm-3 ino=12 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tmp_t tclass=lnk_file

Plus some more denies for { ioctl }.

Here's the contents of /usr/tmp when apache starts:

[root@mothership tmp]# ls -alZ /usr/tmp/
drwxrwxrwt  root    root    system_u:object_r:tmp_t          .
drwxr-xr-x  root    root    system_u:object_r:var_t          ..
srw-------  apache  apache  root:object_r:httpd_tmp_t        38bb41ae9430107f1ab3add79fbea0aa
drwx------  apache  apache  root:object_r:httpd_tmp_t        dynamic

> > Actually, it's just /tmp.
>
> Is your /tmp a symlink elsewhere? Or do you actually have a symlink
> in /tmp named "tmp"? Are you *sure* it's really /tmp? Do an
> "ls -di /tmp" to see if its inode number is 12. Then do
> "ls -di /usr/tmp".

Well, it's not 12.

[root@mothership ~]# ls -di /tmp
2 /tmp

But:

[root@mothership tmp]# ls -di /usr/tmp
12 /usr/tmp

So...I changed the parameter for FastCgiIpDir to /usr/tmp, but there were still more denials (a new one):

avc: denied { getattr } for pid=2014 exe=/usr/bin/perl path=/var/log dev=dm-5 ino=129025 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_log_t tclass=dir

An ls -alZ shows that /tmp is a normal directory:

drwxrwxrwt  root    root    system_u:object_r:tmp_t          tmp

The same command within /tmp:

[root@mothership tmp]# ls -alZ
drwxrwxrwt  root    root    system_u:object_r:tmp_t          .
drwxr-xr-x  root    root    system_u:object_r:root_t         ..
-rw-r--r--  root    root    root:object_r:tmp_t              49822b18a8485fff12354f4fbd601494
-rw-r--r--  root    root    root:object_r:tmp_t              Apache-Session-49822b18a8485fff12354f4fbd601494.lock
drwxr-xr-x  root    root    root:object_r:tmp_t              .cpan
drwx------  apache  apache  root:object_r:httpd_tmp_t        dynamic
drwxr-xr-x  root    root    root:object_r:tmp_t              fastcgi
drwxrwxrwx  root    root    root:object_r:tmp_t              FileCache
drwxrwxrwt  root    root    user_u:object_r:tmp_t            .font-unix
-rw-r--r--  root    root    root:object_r:tmp_t              html-scrubber.test.html
-rw-r--r--  root    root    root:object_r:tmp_t              html-scrubber.test.html.html
drwxrwxrwt  root    root    user_u:object_r:tmp_t            .ICE-unix
drwx------  root    root                                     lost+found

You can see the files and directories created by FastCGI when Apache fires up (when I had the FastCgiIpDir set to /tmp).

> Better to use an ACL than mode 777; e.g.
> "setfacl -m 'apache:rwx' /var/log/httpd".

I got an "Operation not supported" error:

setfacl: /var/log/httpd: Operation not supported

> It only changes the type of the /usr/tmp symlink. My guess is still
> that your program has some code (or a library it uses does) that
> tries /usr/tmp first, and is getting permission denial on that symlink
> because it should be usr_t, not tmp_t.

A good try, but it didn't work. :(

I actually tried turning off the separate log entirely, but I still received errors:

avc: denied { ioctl } for pid=2305 exe=/usr/bin/perl path=/var/log/httpd/error_log dev=dm-5 ino=129070 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_log_t tclass=file

Me = stumped.

Thanks for the help.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com
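The three "avc: denied" lines in this message carry everything needed to decide between the two fixes the thread goes back and forth on: a file or symlink that is labelled wrongly (Colin's point that the /usr/tmp symlink should be usr_t, not tmp_t) versus a permission the httpd_sys_script_t domain genuinely lacks. The parser below is an added example, not code from this thread or from the SELinux tools. It takes the denial lines quoted above as constructed sample input, pulls out the source type, target type, object class and permissions, groups them into the same shape an allow rule would take, and separately flags lnk_file denials, where the denied object is the symlink itself and the first thing to check is the symlink's own label with ls -Z. Field names (pid, exe, name, path, ino, scontext, tcontext, tclass) are the ones that appear in the quoted log lines; everything else (function names, the hint wording) is the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the three "avc: denied" lines quoted in the message above.
# In practice these would be read from /var/log/messages or the audit log.
SAMPLE_LOG = """\
avc: denied { read } for pid=1516 exe=/usr/bin/perl name=tmp dev=dm-3 ino=12 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tmp_t tclass=lnk_file
avc: denied { getattr } for pid=2014 exe=/usr/bin/perl path=/var/log dev=dm-5 ino=129025 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_log_t tclass=dir
avc: denied { ioctl } for pid=2305 exe=/usr/bin/perl path=/var/log/httpd/error_log dev=dm-5 ino=129070 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_log_t tclass=file
"""

# Shape of a record: "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def type_of(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC line into a dict, or return None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "exe": fields.get("exe"),
        # The symlink denial above carries only "name=" (last path component);
        # the other two carry a full "path=". Prefer the full path when present.
        "target": fields.get("path") or fields.get("name"),
        "ino": fields.get("ino"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
    }


def summarize(log_text):
    """Group denials by (source type, target type, object class), unioning the permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        rules[key].update(rec["perms"])
    return dict(rules)


def format_rules(rules):
    """Render each group in allow-rule form so the requested access reads at a glance."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


def label_hints(log_text):
    """Flag denials that point at a labelling problem rather than a missing rule.

    A denial with tclass=lnk_file is on the symlink object itself, so check the
    symlink's own context (ls -Z on the link, not its target) before touching policy.
    """
    hints = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["tclass"] == "lnk_file":
            hints.append(
                f"{rec['target']} (ino={rec['ino']}) is a symlink labelled "
                f"{type_of(rec['tcontext'])}; verify its label before adding policy"
            )
    return hints


if __name__ == "__main__":
    for rule in format_rules(summarize(SAMPLE_LOG)):
        print(rule)
    for hint in label_hints(SAMPLE_LOG):
        print("hint:", hint)
```

Run against the sample, the grouping shows that all three denials come from one domain (httpd_sys_script_t) against three different target types, and the hint singles out the tmp_t symlink with inode 12 as the one to relabel rather than allow, which is the same conclusion the ls -di comparison in the message reaches.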