Bug 180482

Summary: Cacti does not work with targeted policy (apache)
Product: [Fedora] Fedora
Reporter: Mike McGrath <imlinux>
Component: selinux-policy-targeted
Assignee: James Antill <james.antill>
Status: CLOSED NEXTRELEASE
Severity: medium
Priority: medium
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2006-07-24 02:38:46 UTC

Description Mike McGrath 2006-02-08 15:27:47 UTC

Description of problem:
I just got done packaging Cacti for Fedora Extras.  It's been approved but it doesn't work with SELinux.  Cacti stores log files in /var/log/cacti/ and round robin database files in /var/lib/cacti/rra/

To fix this problem it is possible to run the following commands:

chcon -R -t httpd_sys_content_t /var/log/cacti/
chcon -R -t httpd_sys_content_t /var/lib/cacti/rra/

It was suggested to me to get new contexts for Cacti incorporated:

https://www.redhat.com/archives/fedora-extras-list/2006-January/msg01169.html



Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install cacti
2. Verify SELinux is enabled (targeted)
3. Watch cacti fail.

Additional info:

Comment 1 Daniel Walsh 2006-02-09 13:47:35 UTC
Does it work with

chcon -R -t httpd_log_t /var/log/cacti/
chcon --R -t httpd_var_lib_t /var/lib/cacti/rra/

Comment 2 Mike McGrath 2006-02-09 21:55:44 UTC
The logs seem to work now (can be read) but rra doesn't seem to work.  I assume
you wanted -R instead of --R.  Here are the audit logs:

type=AVC msg=audit(1139522179.714:56): avc:  denied  { search } for  pid=2851 comm="rrdtool" name="rra" dev=hda2 ino=5505259 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_var_lib_t tclass=dir
type=SYSCALL msg=audit(1139522179.714:56): arch=40000003 syscall=5 success=no exit=-13 a0=805f048 a1=0 a2=1b6 a3=805d660 items=1 pid=2851 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="rrdtool" exe="/usr/bin/rrdtool"
type=CWD msg=audit(1139522179.714:56):  cwd="/usr/share/cacti"
type=PATH msg=audit(1139522179.714:56): item=0 name="/usr/share/cacti/rra/localhost_traffic_in_18.rrd" flags=101  inode=5505259 dev=03:02 mode=040755 ouid=101 ogid=0 rdev=00:00
type=AVC msg=audit(1139522179.770:57): avc:  denied  { search } for  pid=2852 comm="rrdtool" name="rra" dev=hda2 ino=5505259 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_var_lib_t tclass=dir
type=SYSCALL msg=audit(1139522179.770:57): arch=40000003 syscall=5 success=no exit=-13 a0=9682cd8 a1=0 a2=1b6 a3=9683c80 items=1 pid=2852 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="rrdtool" exe="/usr/bin/rrdtool"
type=CWD msg=audit(1139522179.770:57):  cwd="/usr/share/cacti"
type=PATH msg=audit(1139522179.770:57): item=0 name="/usr/share/cacti/rra/localhost_proc_7.rrd" flags=101  inode=5505259 dev=03:02 mode=040755 ouid=101 ogid=0 rdev=00:00


Comment 3 Daniel Walsh 2006-02-21 23:57:57 UTC
OK, let's go back to

chcon -R -t httpd_sys_content_t /var/lib/cacti/rra/

Updated in 2.2.19-2

Comment 4 Mike McGrath 2006-03-11 16:13:59 UTC
Sorry, haven't had time to test this, I'll try to do it this weekend or early
next week.

Comment 5 Mike McGrath 2006-07-24 02:38:46 UTC
Sorry this is long overdue.  This has corrected the issues cacti was having.