Bug 1017364

Summary:	SELinux is preventing /usr/sbin/nginx from 'setattr' accesses on the file /home/mikhail/logs/nginx_access.log.
Product:	[Fedora] Fedora	Reporter:	Mikhail <mikhail.v.gavrilov>
Component:	policycoreutils	Assignee:	Daniel Walsh <dwalsh>
Status:	CLOSED NOTABUG	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	20	CC:	dominick.grift, dwalsh, lvrabec, mgrepl, mikhail.v.gavrilov
Target Milestone:	---	Keywords:	Reopened
Target Release:	---
Hardware:	x86_64
OS:	Unspecified
Whiteboard:	abrt_hash:a24aff20d5e7b60d039e0b80014ca3f6a9b2e46e09016d75df4c4f145ab42892
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2013-10-24 14:40:26 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Mikhail 2013-10-09 17:41:36 UTC

Description of problem:
SELinux is preventing /usr/sbin/nginx from 'setattr' accesses on the file /home/mikhail/logs/nginx_access.log.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that nginx should be allowed setattr access on the nginx_access.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep nginx /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:user_home_t:s0
Target Objects                /home/mikhail/logs/nginx_access.log [ file ]
Source                        nginx
Source Path                   /usr/sbin/nginx
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           nginx-1.4.2-3.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-84.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.11.3-301.fc20.x86_64 #1 SMP Thu
                              Oct 3 00:57:21 UTC 2013 x86_64 x86_64
Alert Count                   4
First Seen                    2013-10-07 03:18:02 YEKT
Last Seen                     2013-10-09 03:43:01 YEKT
Local ID                      28e9bee5-d603-41d3-8ace-3cddd198beca

Raw Audit Messages
type=AVC msg=audit(1381268581.773:1192): avc:  denied  { setattr } for  pid=999 comm="nginx" name="nginx_access.log" dev="sdb" ino=167773487 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file


type=SYSCALL msg=audit(1381268581.773:1192): arch=x86_64 syscall=chown success=no exit=EACCES a0=7fce5f3cce14 a1=3dd a2=ffffffff a3=78 items=0 ppid=1 pid=999 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: nginx,httpd_t,user_home_t,file,setattr

Additional info:
reporter:       libreport-2.1.7
hashmarkername: setroubleshoot
kernel:         3.11.3-301.fc20.x86_64
type:           libreport

Potential duplicate: bug 995741

Comment 1 Lukas Vrabec 2013-10-11 12:06:56 UTC

Why is "nginx_access.log" stored in your homedir?

Comment 2 Mikhail 2013-10-11 12:19:12 UTC

Because I liked storing web application in home folder. It's easy for developing, update and safety.

server {
	if ($request_method !~ ^(GET|POST)$ ) {
		return 200;
	}

    listen	127.0.0.1:80;
    server_name	localhost;
    root	/home/mikhail/www;    
    error_log	/home/mikhail/logs/nginx_error.log;
    access_log	/home/mikhail/logs/nginx_access.log;

    location / {
	index	index.php index.html index.htm;
    }
    #pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    location ~ \.php$ {
        fastcgi_pass	127.0.0.1:9000;
        fastcgi_index	index.php;
        fastcgi_param	SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include		fastcgi_params;
    } 
}

Comment 3 Lukas Vrabec 2013-10-11 12:23:58 UTC

OK, then you can allow it using : 
# semanage fcontext -a -t http_sys_content_rw_t '/home/mikhail/logs(/.*)?'
# restorecon -R -v /home/mikhail
as Daniel recommended to you in previous thread.

Comment 4 Mikhail 2013-10-11 13:57:24 UTC

Can you add to SE Linux troubleshooter plugin which can do it automatically?

Comment 5 Daniel Walsh 2013-10-11 19:26:05 UTC

Well I would advise people not to do this, so I do not want  a plugin to do it.

Having random directories in the homedir being written to by network apps it not a great idea.

Comment 6 Mikhail 2013-10-22 19:30:06 UTC

# semanage fcontext -a -t http_sys_content_rw_t '/home/mikhail/logs(/.*)?'
ValueError: Type http_sys_content_rw_t is invalid, must be a file or device type

Comment 7 Miroslav Grepl 2013-10-24 14:40:26 UTC

# semanage fcontext -a -t httpd_sys_rw_content_t '/home/mikhail/logs(/.*)?'