Bug 1150902

Summary: selinux prevents httpd to write to /var/log/horizon/horizon.log
Product: [Community] RDO
Component: openstack-puppet-modules
Reporter: Matthias Runge <mrunge>
Assignee: Lukas Bezdicka <lbezdick>
QA Contact: Shai Revivo <srevivo>
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Version: unspecified
Hardware: Unspecified
OS: Unspecified
CC: athomas, chris.brown, dominick.grift, dwalsh, lbezdick, lvrabec, mgrepl, mrunge, plautrba, srevivo, whayutin
Keywords: Reopened
Doc Type: Bug Fix
Type: Bug
Last Closed: 2017-06-18 06:32:14 UTC

Description Matthias Runge 2014-10-09 07:14:39 UTC
Description of problem:
openstack-dashboard uses /var/log/horizon for log files.

Policy apparently denies access to that:

type=AVC msg=audit(1412836262.715:4454): avc:  denied  { open } for  pid=6445 comm="httpd" path="/var/log/horizon/horizon.log" dev="dm-1" ino=4194308 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1412836360.505:4767): avc:  denied  { open } for  pid=6458 comm="httpd" path="/var/log/horizon/horizon.log" dev="dm-1" ino=4194308 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1412836528.320:5317): avc:  denied  { open } for  pid=6467 comm="httpd" path="/var/log/horizon/horizon.log" dev="dm-1" ino=4194308 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1412837235.000:1929): avc:  denied  { open } for  pid=1902 comm="httpd" path="/var/log/horizon/horizon.log" dev="dm-1" ino=4194308 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1412837236.640:1936): avc:  denied  { open } for  pid=2127 comm="httpd" path="/var/log/horizon/horizon.log" dev="dm-1" ino=4194308 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0


ls -lZa /var/log/horizon/
drwxr-x---. apache apache system_u:object_r:var_log_t:s0   .
drwxr-xr-x. root   root   system_u:object_r:var_log_t:s0   ..
-rw-r-----. apache apache system_u:object_r:var_log_t:s0   horizon.log
-rw-r--r--. apache apache system_u:object_r:var_log_t:s0   horizon.log.1


selinux-policy-3.12.1-188.fc20.noarch
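
An added example, not part of the original report: a small Python parser that groups AVC denials like the ones quoted above by source type, target type, class and path, and counts enforcing and permissive hits separately. The sample input is three of the records from the description; the function names are this example's own.

```python
import re
from collections import defaultdict

# Three of the AVC records from the bug description, copied verbatim.
SAMPLE = """\
type=AVC msg=audit(1412836262.715:4454): avc:  denied  { open } for  pid=6445 comm="httpd" path="/var/log/horizon/horizon.log" dev="dm-1" ino=4194308 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1412836528.320:5317): avc:  denied  { open } for  pid=6467 comm="httpd" path="/var/log/horizon/horizon.log" dev="dm-1" ino=4194308 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1412837235.000:1929): avc:  denied  { open } for  pid=1902 comm="httpd" path="/var/log/horizon/horizon.log" dev="dm-1" ino=4194308 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in rec or "tcontext" not in rec:
        return None  # truncated record: nothing useful to group on
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type is what policy rules match on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Group denials by (source type, target type, class, path)."""
    groups = defaultdict(lambda: {"perms": set(), "enforcing": 0, "permissive": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec.get("tclass", ""), rec.get("path", ""))
        groups[key]["perms"].update(rec["perms"])
        # permissive=1 means the access was logged but not actually blocked.
        mode = "permissive" if rec.get("permissive") == "1" else "enforcing"
        groups[key][mode] += 1
    return dict(groups)

if __name__ == "__main__":
    for (stype, ttype, tclass, path), g in summarize(SAMPLE).items():
        print(f"{stype} -> {ttype}:{tclass} {{{' '.join(sorted(g['perms']))}}} {path} "
              f"enforcing={g['enforcing']} permissive={g['permissive']}")
```

All three records collapse into a single group, httpd_t acting on a var_log_t file, which points at the label on the log file rather than at several unrelated denials.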

Comment 2 Daniel Walsh 2014-10-12 11:56:46 UTC
restorecon -R -v /var/log/horizon

This is a mislabeled directory.

Comment 3 Miroslav Grepl 2014-10-13 08:40:11 UTC
We have issues with this.

Matthias,
do you know how /var/log/horizon/horizon.log was placed?

Comment 4 Matthias Runge 2014-10-13 09:12:57 UTC
Miroslav,

It was created by openstack-packstack.

Lukas, is there a way to prevent this kind of issue? If I understood your comment correctly, openstack-puppet-modules builds its own SELinux policies, etc.? In that case, this would be an issue with o-p-m and not with selinux-policy.

Comment 5 Matthias Runge 2014-10-24 12:11:05 UTC
*** Bug 1156148 has been marked as a duplicate of this bug. ***

Comment 6 Lukas Bezdicka 2014-10-24 12:31:13 UTC
This is an o-p-m issue.

Comment 9 Christopher Brown 2017-06-17 16:58:01 UTC
I'm pretty sure SELinux allows httpd to write to the horizon log now, so this can be closed?