On 03/14/2013 10:50 AM, m.roth@xxxxxxxxx wrote:
> CentOS 6.4 (probably not the current kernel)
> selinux-policy, selinux-policy-targetd 3.7.19-155.el6_3.14
>
> And we're running SiteMinder from CA (and have *zero* control over that,
> don't get me started)
>
> unconfined_u:system_r:httpd_t:s0 apache <...> LLAWP
> /etc/httpd/conf/WebAgent.conf -APACHE22
> apache root unconfined_u:object_r:httpd_log_t:s0 /var/log/httpd/agent.log
>
> So, why would I get AVCs, and running them through audit2allow gives me:
> #============= httpd_t ==============
> allow httpd_t httpd_log_t:file write;
>
> Why on earth can't something running as httpd_t write to a logfile of
> httpd_log_t in /var/log/httpd/?
>
> And then there's this...
>
> #============= setroubleshootd_t ==============
> allow setroubleshootd_t httpd_sys_script_t:dir read;
> allow setroubleshootd_t httpd_sys_script_t:file getattr;
>
> Shouldn't setroubleshootd have rights?
>
> mark

My comment may be unhelpful because I do not even run apache, but I do
run Red Hat Enterprise Linux Server release 6.4 (Santiago)
that is surely up to date as of yesterday.

My kernel is kernel-2.6.32-358.0.1.el6.x86_64
Although I just received a new one: kernel-2.6.32-358.2.1.el6.x86_64

I run with SELinux enabled in enforcing mode

But what I notice is this:

$ rpm -qa | grep selinux
selinux-policy-targeted-3.7.19-195.el6_4.3.noarch
libselinux-2.0.94-5.3.el6.i686
libselinux-utils-2.0.94-5.3.el6.x86_64
libselinux-python-2.0.94-5.3.el6.x86_64
selinux-policy-3.7.19-195.el6_4.3.noarch
libselinux-2.0.94-5.3.el6.x86_64

I have no selinux-policy-targetd package installed. And no such file on
my machine:

$ locate selinux-policy-targetd
$

Is this a package you had to load to get apache to work? Or are CentOS
6.4 and Red Hat Enterprise Linux 6.4 that different?

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux