Bug 1136086
| Summary: | SELinux is preventing nginx from 'open' accesses on the file /home/mikhail/logs/nginx_error.log. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mikhail <mikhail.v.gavrilov> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 21 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:a88424c5a37e6fd7e22457a6f6950323caeff6b386ea695afb9336a3ff223d7c | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-09-03 10:00:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Why do you have logs in your home dir? You will have to setup labels for these directories if you want apache to be allowed access or turn on the suggested boolean. semanage fcontext -a -t httpd_log_t '/home/mikhail/logs(/.*)?' restorecon -R -v /home/michail |
Description of problem: SELinux is preventing nginx from 'open' accesses on the file /home/mikhail/logs/nginx_error.log. ***** Plugin catchall_boolean (89.3 confidence) suggests ****************** If you want to allow httpd to read user content Then you must tell SELinux about this by enabling the 'httpd_read_user_content' boolean. You can read 'None' man page for more details. Do setsebool -P httpd_read_user_content 1 ***** Plugin catchall (11.6 confidence) suggests ************************** If you believe that nginx should be allowed open access on the nginx_error.log file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep nginx /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:user_home_t:s0 Target Objects /home/mikhail/logs/nginx_error.log [ file ] Source nginx Source Path nginx Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-77.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.16.1-301.fc21.x86_64 #1 SMP Mon Aug 25 13:06:39 UTC 2014 x86_64 x86_64 Alert Count 1 First Seen 2014-09-01 21:51:35 YEKT Last Seen 2014-09-01 21:51:35 YEKT Local ID d118090a-91a0-4f23-8cd5-4e1ca65449f2 Raw Audit Messages type=AVC msg=audit(1409586695.22:1763): avc: denied { open } for pid=8229 comm="nginx" path="/home/mikhail/logs/nginx_error.log" dev="sdb1" ino=243744 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0 Hash: nginx,httpd_t,user_home_t,file,open Version-Release number of selected component: selinux-policy-3.13.1-77.fc21.noarch Additional info: reporter: libreport-2.2.3 hashmarkername: setroubleshoot kernel: 3.16.1-301.fc21.x86_64 type: libreport Potential duplicate: bug 964379