Bug 1183986

Summary: graphite-web needs type "httpd_log_t" for files in "/var/log/graphite-web(/.*)?"
Product: [Fedora] Fedora
Reporter: Piotr Popieluch <piotr1212>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: unspecified
Priority: unspecified
Version: 22
CC: dwalsh, jamielinux, jonathansteffan
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2015-06-11 21:39:42 UTC
Type: Bug

Description Piotr Popieluch 2015-01-20 11:18:24 UTC
Description of problem:

Graphite's default httpd config tries to write log files to /var/log/graphite-web(/.*)?, which results in an AVC denial.

When I run:
semanage fcontext -a -t httpd_log_t '/var/log/graphite-web(/.*)?'
and
restorecon -R /var/log/graphite-web
it works as expected.


Version-Release number of selected component (if applicable):
graphite-web 0.9.12-8




Actual results:

type=AVC msg=audit(1421751412.731:3441): avc:  denied  { open } for  pid=3053 comm="httpd" path="/var/log/graphite-web/info.log" dev="dm-1" ino=1774573 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0


Expected results:


Additional info:


Please add httpd_log_t for /var/log/graphite-web(/.*)? to the selinux-policy on all active branches.
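
Added example, not part of the original report or of selinux-policy: it parses the AVC record quoted above and checks which paths the reported file-context spec would cover. The function names are hypothetical, and Python's re module with a whole-path match is assumed as a stand-in for how file-context specs are matched.

```python
import re
import shlex

# AVC record and file-context spec copied from the report above.
AVC = ('type=AVC msg=audit(1421751412.731:3441): avc:  denied  { open } for  '
       'pid=3053 comm="httpd" path="/var/log/graphite-web/info.log" dev="dm-1" '
       'ino=1774573 scontext=system_u:system_r:httpd_t:s0 '
       'tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0')
SPEC = '/var/log/graphite-web(/.*)?'


def parse_avc(record):
    """Split an AVC message into permissions, key=value fields and context types."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', record)
    if not m:
        raise ValueError("not an AVC record")
    # shlex strips the quotes around comm=, path= and dev= values.
    fields = dict(tok.split("=", 1) for tok in shlex.split(m.group(3)) if "=" in tok)
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    for key in ("scontext", "tcontext"):
        # A context is user:role:type:level; the type drives the allow rules.
        fields[key + "_type"] = fields[key].split(":")[2]
    return fields


def fcontext_matches(spec, path):
    """True if the spec covers the whole path (assumed anchored at both ends)."""
    return re.fullmatch(spec, path) is not None


def summarize(record, spec):
    """Describe who was denied what, and whether a relabel under spec would apply."""
    d = parse_avc(record)
    return {
        "source_type": d["scontext_type"],
        "target_type": d["tcontext_type"],
        "class": d["tclass"],
        "perms": d["perms"],
        "path": d["path"],
        "enforced": d["permissive"] == "0",
        "covered_by_spec": fcontext_matches(spec, d["path"]),
    }


if __name__ == "__main__":
    for key, value in summarize(AVC, SPEC).items():
        print(f"{key}: {value}")
```

The spec covers the directory itself and everything beneath it, but not sibling paths that merely share the prefix, such as /var/log/graphite-web-old.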

Comment 1 Jaroslav Reznik 2015-03-03 16:44:37 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle.
Changing version to '22'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22