On 11/23/2009 02:20 PM, m.roth@xxxxxxxxx wrote: > Apologies if this has been covered a million times; if so, please point me > to the post or thread that answers this. > > selinux has an error-handling problem. It complains (we're running it in > permissive mode, or it would be real grief): > host=<hostname> type=AVC msg=audit(1259003353.282:46730): avc: denied { > write } for pid=27369 comm="LLAWP" path="/var/log/httpd/smagent.log" > dev=sda3 ino=46107891 scontext=user_u:system_r:httpd_t:s0 > tcontext=user_u:object_r:httpd_log_t:s0 tclass=file > > host=<hostname> type=SYSCALL msg=audit(1259003353.282:46730): > arch=c000003e syscall=1 per=400000 success=yes exit=124 a0=15 > a1=2aaaab249000 a2=7c a3=7473657571655273 items=0 ppid=1 pid=27369 > auid=32870 uid=48 gid=0 euid=48 suid=48 fsuid=48 egid=0 sgid=0 fsgid=0 > tty=(none) ses=4473 comm="LLAWP" > exe="/usr/local/opt/smwa-6qmr5-cr013-rhas30-x86-64/webagent/bin/LLAWP" > subj=user_u:system_r:httpd_t:s0 key=(null) > > Now, running sealert tells me to set httpd_unified to 1. I've done this, > several times, and no joy, so obviously it is *not* the actual error. > > I've also tried restorecon. > > So, what's the actual error? I'm really tired of this, on more than one > server, cluttering my logs.... > > Thanks in advance. > > mark > > -- > fedora-selinux-list mailing list > fedora-selinux-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > Have you reported this bug to webagent? They should be opening the log file for append, not for write. Simplest thing you could do is build a loadable policy module to allow this, or dontaudit it # grep avc /var/log/audit/audit.log | audit2allow -M mywebagent # semodule -i mywebagent.pp Then you can install the mywebagent.pp file on all offending machines. -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list