Bug 1089371

Summary: SELinux denies access to /var/log/horizon/horizon.log
Product: [Fedora] Fedora Reporter: Matthias Runge <mrunge>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: dominick.grift, dwalsh, itamar, Jan.van.Eldik, jose.castro.leon, jpichon, lvrabec, mgrepl, mrunge, nsantos
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-56.fc21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1104609 (view as bug list) Environment:
Last Closed: 2014-05-30 12:40:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1104609    

Description Matthias Runge 2014-04-18 14:51:25 UTC 
[Fri Apr 18 14:47:32.267046 2014] [:error] [pid 1470] [remote ::1:11094] ValueError: Unable to configure handler 'file': [Errno 13] Permission denied: '/var/log/horizon/horizon.log'
^C
[root@sofja ~]# ls -lZ /var/log/httpd/access_log
-rw-r--r--. root root system_u:object_r:httpd_log_t:s0 /var/log/httpd/access_log
[root@sofja ~]# ls -lZ /var/log/horizon/horizon.log 
-rw-r--r--. apache apache system_u:object_r:var_log_t:s0   /var/log/horizon/horizon.log
Comment 1 Miroslav Grepl 2014-05-21 09:44:52 UTC 
How is /var/log/horizon/horizon.log created?

# rpm -qf /var/log/horizon

If you execute

# chcon -R -t httpd_log_t /var/log/horizon

does it fix the issue?
Comment 2 Matthias Runge 2014-05-22 07:03:13 UTC 
It's created by httpd due configuration of openstack-dashboard.

[root@turing ~]# rpm -qf /var/log/horizon/
openstack-dashboard-2014.1-1.fc21.noarch

After chcon, it looks like the issue is fixed.
Comment 3 Daniel Walsh 2014-05-25 10:39:45 UTC 
8414e1aef6778718c4b4101e033abe5006ee65d5 fixes this in git.
Comment 4 Matthias Runge 2014-06-02 14:20:00 UTC 
Thank you for fixing and building the package. Is it possible, to get this backported to f20 as well, as we have folks running OpenStack packages from Rawhide on F20 (via RDO repository, that's a pretty common pattern)
Comment 5 Lukas Vrabec 2014-11-07 13:27:08 UTC 
commit 52921ed8636a9bffc77cca1b9efd9a9abb40368a
Author: Dan Walsh <dwalsh>
Date:   Sun May 25 06:39:21 2014 -0400

    Label /var/log/horizon as an apache log


back ported to f20.