On 01/07/2010 04:45 PM, m.roth@xxxxxxxxx wrote:
> I never did solve this, and I'm looking at it again. Selinux still gripes
> (it's in permissive mode, or this would be more of a problem).
> httpd_unified is on, which is what the *wrong* error message from selinux
> tells me will fix this.
>
> Given the info below, *should* I chcon (or semanage)
> /var/log/httpd/smagent.log to the same type as the httpd error.log? Will
> that make selinux happy?
>
> mark, not happy with selinux
>
>
> host=biblio type=AVC msg=audit(1262787360.769:5531): avc: denied { write
> } for pid=1654 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3
> ino=46107941 scontext=user_u:system_r:httpd_t:s0
> tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
>

Apache can not and will not write to its log files. The log file should be open for append only. This is so that a compromised web server can not wipe its audit trail.

You should consider this to be a bug in smagent.

If you want to just allow it anyway (discouraged) then you can do the following:

echo 'avc: denied { write } for pid=1654 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=46107941 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file' | audit2allow -M myfaultysmagent; sudo semodule -i myfaultysmagent.pp

Hth

> ll -Z /var/log/httpd/smagent.log
> -rw-r--r-- apache root user_u:object_r:httpd_log_t
> /var/log/httpd/smagent.log
>
> ll -Z /usr/local/opt/<blah>/webagent/bin/LLAWP
> -rwxrwxr-x root root system_u:object_r:bin_t
> /usr/local/opt/<blah>/webagent/bin/LLAWP
>
> ll -Z /var/log/httpd/error_log
> -rw-r--r-- root root system_u:object_r:httpd_log_t
> /var/log/httpd/error_log
>
> ll -Z /usr/sbin/httpd
> -rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
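The write-versus-append distinction drawn in the reply above, as an added example that is not part of the original thread: a small parser for AVC denial records that flags a `write` denial on a log-typed file, the case the reply attributes to a program not opening its log append-only. The function names, the result labels and the `_log_t` suffix heuristic are assumptions of this example; the sample record is constructed from the one quoted in the thread.

```python
import re

# Constructed sample: the AVC record quoted in the thread, joined onto one line.
SAMPLE = ('host=biblio type=AVC msg=audit(1262787360.769:5531): avc: denied '
          '{ write } for pid=1654 comm="LLAWP" '
          'path="/var/log/httpd/smagent.log" dev=sda3 ino=46107941 '
          'scontext=user_u:system_r:httpd_t:s0 '
          'tcontext=user_u:object_r:httpd_log_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    rec["result"] = m.group(1)
    rec["perms"] = set(m.group(2).split())
    # An SELinux context is user:role:type[:level]; the type is the 3rd field.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":")
        if len(parts) >= 3:
            rec[key[0] + "type"] = parts[2]   # -> "stype" / "ttype"
    return rec


def classify(rec):
    """Triage a denial against a log file (labels are hypothetical).

    Assumption: target types ending in _log_t are log files (httpd_log_t here).
    """
    if rec is None or rec["result"] != "denied" or rec.get("tclass") != "file":
        return "not-applicable"
    if not rec.get("ttype", "").endswith("_log_t"):
        return "not-a-log-target"
    if "write" in rec["perms"]:
        # Plain write access would let the process overwrite existing
        # entries; the fix belongs in the program, not in the policy.
        return "log-opened-for-write"
    if "append" in rec["perms"]:
        return "append-denied-check-label"
    return "other-log-denial"


if __name__ == "__main__":
    r = parse_avc(SAMPLE)
    print(r["comm"], r["stype"], "->", r["ttype"], sorted(r["perms"]), classify(r))
```
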