| Summary: | SELinux is preventing /usr/sbin/httpd from 'open' accesses on the file /var/log/php_errors.log. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | amreg <amreg.redhat> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 19 | CC: | amreg.redhat, dominick.grift, dwalsh, lvrabec, mgrepl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | i686 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:93000204a0dbea0b350e5e31e54052054bdd342fe42b79e8f371f93d9eb4c858 | | |
| Fixed In Version: | selinux-policy-3.12.1-74.18.fc19 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-02-17 21:07:41 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description of problem:
I was attempting to call an HTML/PHP page on my local box (using a local httpd server), because I've just modified the PHP script and I wanted to test/debug it. PHP is a module to the HTTP server (Apache).

The /var/log/php_errors.log is labeled "system_u:object_r:var_log_t:s0", as are many files in the same directory. Is it a label conflict with those expected by httpd (i.e. should this log file be labelled something like "system_u:object_r:httpd_log_t:s0")? Are there specific labels for HTTP or for PHP? And in that case why did this file come with a "generic" "var_log_t" label, instead of the correct one?

Additional info:
reporter: libreport-2.1.10
hashmarkername: setroubleshoot
kernel: 3.12.5-200.fc19.i686.PAE
type: libreport

Currently we don't know anything about /var/log/php_errors.log in policy? Is this something you created or a standard location for this? You can change the label to httpd_log_t. If it is standard we need to add this by default.

(In reply to Daniel Walsh from comment #2)
> Currently we don't know anything about /var/log/php_errors.log in policy?
> Is this something you created or a standard location for this?

(Sorry for the delay, but I had to track down everything I did, to try to give the best possible answer).

The location where PHP expects to find "php_error.log" is defined in an option of php.ini (usually located itself in /etc). The comments in /etc/php.ini about this option are copied here below:

; Log errors to specified file. PHP's default behavior is to leave this value
; empty.
; http://php.net/error-log
; Example:
;error_log = php_errors.log

This could explain why it is not foreseen in a standard SE policy, but at some point in the debugging process the need for such a specific log file could arise, and it was my situation so I needed to activate this option.
I first tried with the relative path shown in the example, but could not find where the error file was created (relative path to "what" is unclear in the comment above). So I eventually set an absolute path to make it appear in the directory that seemed to me the most suitable for this kind of file (/var/log), setting the above option to:

error_log = /var/log/php_errors.log

Obviously the above comment does not indicate which SE labels should be used for it, so I left the default labels for that directory (e.g. var_log_t). I don't really understand how labels are managed, but I guess that if PHP is used as an Apache module, it "inherits" the labels attached to Apache (i.e. httpd_log_t), so the php_errors.log file should be labelled the same (and maybe a better location for it should be /var/log/httpd rather than /var/log)?

Unfortunately in the meantime my PHP script is debugged so I no longer generate errors to populate the error file.

HTH, but if additional info is required, please ask.

Yes, httpd_log_t is the right label for it. I added

/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php_errors\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)

The best solution would be to have a /var/log/php directory.

selinux-policy-3.12.1-74.18.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.18.fc19

Package selinux-policy-3.12.1-74.18.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.18.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2409/selinux-policy-3.12.1-74.18.fc19
then log in and leave karma (feedback).

selinux-policy-3.12.1-74.18.fc19 has been pushed to the Fedora 19 stable repository.
If problems still persist, please make note of it in this bug report.
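Review bot: the added file-context line `+/var/log/php_errors\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)` defines what label the path should carry, but a php_errors.log that already exists on the reporter's box keeps its var_log_t label until it is actually relabelled (restorecon on /var/log/php_errors.log, or a fixfiles run); none of the update notes that follow mention checking the file with `ls -Z` after installing the package. The pattern otherwise mirrors the neighbouring suphp entry, and as the same reply notes, a dedicated /var/log/php directory would let the whole directory be typed instead of one file pattern.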
Description of problem:
On my local Apache server (localhost), I was accessing a web page containing a PHP script I've just modified (in order to test it), so I suppose PHP wanted to log an error.

SELinux is preventing /usr/sbin/httpd from 'open' accesses on the file /var/log/php_errors.log.

***** Plugin catchall (100. confidence) suggests ***************************

If vous pensez que httpd devrait être autorisé à accéder open sur php_errors.log file par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/php_errors.log [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           httpd-2.4.6-2.fc19.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-74.15.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.12.5-200.fc19.i686.PAE #1 SMP Tue Dec 17 22:35:54 UTC 2013 i686 i686
Alert Count                   7
First Seen                    2013-12-22 19:16:22 CET
Last Seen                     2013-12-22 19:16:22 CET
Local ID                      915890bf-577a-49fa-b171-a42082284f2b

Raw Audit Messages
type=AVC msg=audit(1387736182.526:701): avc: denied { open } for pid=11324 comm="httpd" path="/var/log/php_errors.log" dev="md126p1" ino=1572965 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

type=SYSCALL msg=audit(1387736182.526:701): arch=i386 syscall=open success=no exit=EACCES a0=b93b08f0 a1=441 a2=1a4 a3=b93b08f1 items=0 ppid=822 pid=11324 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,var_log_t,file,open

Additional info:
reporter: libreport-2.1.10
hashmarkername: setroubleshoot
kernel: 3.12.5-200.fc19.i686.PAE
type: libreport

Potential duplicate: bug 709246
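As an added example (not code from this bug report or from the Fedora policy), a small Python helper that parses the AVC record above and contrasts the two remedies the thread discusses: the allow rule that the catchall plugin's `audit2allow -M mypol` route derives from the denial, which grants httpd_t the access on every var_log_t file, versus relabelling only php_errors.log as httpd_log_t, which is what the policy fix does. GENERIC_TO_DOMAIN_TYPE is an assumed mapping for the demonstration, not something read from the installed policy.

```python
import re
import shlex
# Constructed sample: the AVC record quoted in this bug report (SYSCALL record omitted).
SAMPLE_AVC = (
    'type=AVC msg=audit(1387736182.526:701): avc: denied { open } for pid=11324 '
    'comm="httpd" path="/var/log/php_errors.log" dev="md126p1" ino=1572965 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 '
    'tclass=file'
)
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r'denied\s*\{\s*([^}]*)\}')
# Assumed mapping (not read from the policy): a generic target type that a domain
# should not be granted wholesale -> the domain-specific type the file should carry.
GENERIC_TO_DOMAIN_TYPE = {("httpd_t", "var_log_t"): "httpd_log_t"}

def parse_avc(line):
    """Split an AVC denial into its key=value fields plus the denied permissions."""
    perms = _PERMS.search(line)
    if perms is None:
        raise ValueError("not an AVC denial record")
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    fields["perms"] = perms.group(1).split()
    return fields

def context_type(ctx):
    """user:role:type:level -> type, the part allow rules are written against."""
    return ctx.split(":")[2]

def audit2allow_rule(avc):
    """The allow rule audit2allow derives from this one denial. It names the target
    by type, so it lets httpd_t open every var_log_t file on the box, not just this one."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (context_type(avc["scontext"]),
                                  context_type(avc["tcontext"]), avc["tclass"], perm_str)

def relabel_commands(avc, new_type):
    """The fix the bug settled on: give only this path the domain's own log type.
    fcontext specs are regexes (hence the escaped dot); restorecon relabels the file."""
    pattern = avc["path"].replace(".", r"\.") + ".*"
    return ["semanage fcontext -a -t %s %s" % (new_type, shlex.quote(pattern)),
            "restorecon -v %s" % shlex.quote(avc["path"])]

def recommend(line):
    """Prefer relabelling over a local allow module whenever a mapping is known."""
    avc = parse_avc(line)
    key = (context_type(avc["scontext"]), context_type(avc["tcontext"]))
    new_type = GENERIC_TO_DOMAIN_TYPE.get(key)
    return {"relabel": relabel_commands(avc, new_type) if new_type else None,
            "allow_rule": audit2allow_rule(avc)}
```

Run `recommend(SAMPLE_AVC)` to see both outputs side by side; when no mapping is known the helper still shows the broad rule so the reviewer can judge how much it grants.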