On 06/24/2010 10:17 PM, m.roth@xxxxxxxxx wrote:
> I'm tired of this. I think it's time for me to file a bug report.
>
> I have the current version of CA's Siteminder installed. I have the
> current version of CentOS (5.5). I'm still getting selinux complaining
> that siteminder can't write to its own logfiles.
> ll -Z /var/log/httpd/smagent.log
> -rw-r--r-- apache root system_u:object_r:httpd_log_t /var/log/httpd/smagent.log
> ll -Z /usr/local/opt/smwa-6qmr5-cr035-rhel30-x86-64/webagent/bin/LLAWP
> -rwxrwxr-x root root system_u:object_r:bin_t /usr/local/opt/smwa-6qmr5-cr035-rhel30-x86-64/webagent/bin/LLAWP*
>
> I run sealert, and it tells me that I can allow this behavior by setting
> httpd_unified on. It says that httpd_unified is off.

It is a bug in setroubleshoot if anything.

https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora

From the list of components choose "setroubleshoot".

The problem is:

1. setroubleshoot gives the wrong advice.
2. Siteminder is not allowed to write to its log files because it runs with httpd's selinux permissions and httpd is not allowed to write to its log files. httpd does not need to be able to write to its log files; it only appends to its log files instead.
3. Siteminder should open its log file to append instead of write.

In short: Siteminder has a "bug": it opens its log file for write instead of append. Setroubleshoot suggests a wrong fix; there is no predefined fix for this issue.

Quick & dirty fix:

mkdir ~/myhttpd; cd ~/myhttpd
echo "policy_module(myhttpd, 1.0.0)" > myhttpd.te
echo "require { type httpd_t, httpd_log_t; }" >> myhttpd.te
echo "allow httpd_t httpd_log_t:file write;" >> myhttpd.te
make -f /usr/share/selinux/devel/Makefile myhttpd.pp
sudo semodule -i myhttpd.pp

>
> It's on. It's been on. Therefore, selinux's error handling has a bug, and
> is falling through to an incorrect diagnosis.
>
> So, can someone give me the link to selinux's bugzilla?
>
> mark
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
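Added example, not part of the thread above: a small POSIX sh script that turns one AVC denial line from audit.log into the same three-line .te module as the quick & dirty fix, generalized to whatever source type, target type, class and permission the denial names, and that flags the exact situation the reply describes (a daemon under httpd_t asking for write on httpd_log_t when the stock policy already grants append). The AVC line is constructed, and the helper names (avc_field, ctx_type, avc_perm, avc_to_te, needs_append_only) are my own.

```shell
#!/bin/sh
# Constructed sample denial in audit.log format (not taken from the thread).
SAMPLE_AVC='type=AVC msg=audit(1277410000.123:456): avc:  denied  { write } for  pid=1234 comm="LLAWP" name="smagent.log" dev=sda3 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file'

# Pull one key=value field (e.g. scontext, tcontext, tclass) out of an AVC line.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\([^ ]*\).*/\1/p"
}

# Type component of a user:role:type[:level] context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# The denied permission inside the braces after "denied".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([a-z_]*\) *}.*/\1/p'
}

# Emit a minimal policy module (.te) allowing exactly the denied access.
# On the real host this is followed by:
#   make -f /usr/share/selinux/devel/Makefile <module>.pp && semodule -i <module>.pp
avc_to_te() {
    mod="$1"; line="$2"
    src=$(ctx_type "$(avc_field scontext "$line")")
    tgt=$(ctx_type "$(avc_field tcontext "$line")")
    cls=$(avc_field tclass "$line")
    perm=$(avc_perm "$line")
    printf 'policy_module(%s, 1.0.0)\n' "$mod"
    printf 'require { type %s, %s; }\n' "$src" "$tgt"
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perm"
}

# True when the denial is "write" on an httpd_log_t file: the least-privilege
# fix there is to have the program open the log with O_APPEND, not to grant write.
needs_append_only() {
    [ "$(avc_perm "$1")" = write ] && [ "$(avc_field tclass "$1")" = file ] \
        && [ "$(ctx_type "$(avc_field tcontext "$1")")" = httpd_log_t ]
}

avc_to_te myhttpd "$SAMPLE_AVC"
if needs_append_only "$SAMPLE_AVC"; then
    echo "# note: append is already allowed for httpd_t; prefer fixing the program to open with O_APPEND" >&2
fi
```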