Bug 1281886
| Summary: | selinux causes RT to prevent httpd from starting | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jason Tibbitts <j> |
| Component: | rt | Assignee: | Ralf Corsepius <rc040203> |
| Status: | CLOSED EOL | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 22 | CC: | j, perl-devel, rc040203 |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-07-19 18:28:08 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed. |
This is really just a heads up, and should probably be reassigned to selinux-policy, but I wanted to run it by you to make sure it's not an RT issue first. Basically, httpd updated last night, which means it restarted. Unfortunately this failed: Nov 13 09:57:43 rt2.math.uh.edu httpd[23688]: AH00526: Syntax error on line 29 of /etc/httpd/conf.d/virt-rt.conf: Nov 13 09:57:43 rt2.math.uh.edu httpd[23688]: Cannot write to '/var/log/rt/rt.log': Permission denied at /usr/share/perl5/vendor_perl/Log/Dispatch/File.pm line 107.\n Line 29 is the Plack setup, which fails; there's nothing actually wrong with the syntax of the apache configuration file. <Perl> use Plack::Handler::Apache2; Plack::Handler::Apache2->preload("/usr/sbin/rt-server"); </Perl> And it can't read /var/log/rt.log because of: time->Fri Nov 13 03:33:30 2015 type=AVC msg=audit(1447407210.438:3285): avc: denied { open } for pid=12191 comm="/usr/sbin/rt-se" path="/var/log/rt/rt.log" dev="dm-1" ino=393970 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0 setenforce 0 fixes it, of course, and after that there are no additional AVCs. My guess is that this broke with a selinux policy update (the last one was selinux-policy-targeted-3.13.1-128.18.fc22.noarch on October 29th) but nothing actually failed until httpd restarted last night.