Bug 188177
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | default policy doesn't allow rotatelogs to read httpd_log_t type files | | |
| Product | [Fedora] Fedora | Reporter | Thomas J. Baker <tjb> |
| Component | selinux-policy-targeted | Assignee | James Antill <james.antill> |
| Status | CLOSED CURRENTRELEASE | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 5 | CC | dwalsh |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | Current | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2007-03-28 20:02:21 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Thomas J. Baker
2006-04-06 17:55:30 UTC
Here is what I had to add for this to work properly:

```
[root@wintermute selinux]# more httpd.te
module httpd 1.0;

require {
    class file { create read };
    class dir { add_name write };
    type httpd_log_t;
    type httpd_sys_script_t;
};

allow httpd_sys_script_t httpd_log_t:file { create read };
allow httpd_sys_script_t httpd_log_t:dir { add_name write };
[root@wintermute selinux]#
```

Possibly rotatelogs shouldn't be running as a cgi script? It's more like the apache daemon itself than a cgi script.

If you turn off the boolean httpd_ssi_exec does it work properly?

```
setsebool -P httpd_ssi_exec=0
```

Assuming 'semodule -b /usr/share/selinux/targeted/base.pp' resets policy to the default shipped without my modifications (is that true?), then 'setsebool -P httpd_ssi_exec=0' does not fix the problem.

As an aside, if I change policy using semodule, do the changes survive reboots? If the targeted policy rpm is updated, are my changes incorporated into the new policy?

semodule changes are permanent and do survive a reboot.

So does 'semodule -b /usr/share/selinux/targeted/base.pp' reset the policy to the shipped default?

It resets the "base" policy to the shipped default. But if you loaded any other modules with semodule -i, those will be used also. If you want to remove those use semodule -r

```
semodule -l
clamav  1.0.0
w3c     1.2.1
xfs     1.0
```

The problem is that rotatelogs is running as a generic script httpd_sys_script_t and you don't want to give that access to httpd_log_t. One way I think you can work around it is to do...

```
cp -a /usr/sbin/rotatelog /var/www/rotatelog
chcon -t httpd_sys_script_rw_t /var/www/rotatelog
```

(might need httpd_unconfined_script_exec_t instead).

...and use /var/www/rotatelog ...

I'm not sure if that's the right fix though. We could create a special context for /usr/sbin/rotatelog httpd_rotatelog_exec_t and httpd_rotatelog_t, and this would only be allowed to do its thing.

Then we could allow perhaps via booleans the transition from domain_auto_trans(httpd_sys_script_t, httpd_rotatelog_exec_t, httpd_rotatelog_t)

Created httpd_rotatelogs_exec_t in selinux-policy-2.2.47-3, has not been tested but is close to what you need.

I've just installed FC6 and have essentially the same problem. I believe now selinux won't allow httpd to execute rotatelogs. I've had to add this module:

```
module tjb_httpd_rotatelogs 1.0;

require {
    class file execute_no_trans;
    class file read;
    type httpd_t;
    type shell_exec_t;
    role system_r;
};

allow httpd_t shell_exec_t:file execute_no_trans;
allow httpd_t shell_exec_t:file read;
```

How would I use httpd_rotatelogs_exec_t instead?

Closing bugs
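The maintainer's objection above is that a hand-written module hands the generic CGI domain (httpd_sys_script_t) write access to httpd_log_t. The following script is an added example, written for this page and not part of the bug report or of Fedora's selinux-policy: it parses the small subset of `.te` syntax used in the thread (`module`, `require`, `allow`) and reports allow rules that grant a given source domain write-class permissions on a given target type. The `WRITE_PERMS` set, the function names and the two embedded module texts (which mirror the ones posted in the thread) are this example's own constructions; it is a review aid for custom modules, not a replacement for compiling them with the standard checkmodule/semodule toolchain.

```python
"""Audit a hand-written SELinux policy module (.te) for over-broad allow rules.

Added example for this bug thread; not Fedora policy code. Handles only the
minimal syntax the thread uses: a module declaration, a require block and
plain `allow SRC TGT:CLASS PERM;` / `allow SRC TGT:CLASS { PERMS };` rules.
"""
import re

# Permissions that let a domain alter a file or directory. Treating exactly
# this set as "write-class" is an assumption of this example.
WRITE_PERMS = {"write", "create", "append", "unlink", "rename", "add_name",
               "remove_name", "setattr", "relabelto", "relabelfrom"}

MODULE_RE = re.compile(r"\bmodule\s+(\S+)\s+([\d.]+)\s*;")
ALLOW_RE = re.compile(
    r"\ballow\s+(?P<src>\S+)\s+(?P<tgt>[^:\s]+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<perms>[^}]*)\}|(?P<perm>[A-Za-z_]+))\s*;"
)

# Constructed input: the reporter's first module from the thread.
REPORTER_MODULE = """
module httpd 1.0;
require {
    class file { create read };
    class dir { add_name write };
    type httpd_log_t;
    type httpd_sys_script_t;
};
allow httpd_sys_script_t httpd_log_t:file { create read };
allow httpd_sys_script_t httpd_log_t:dir { add_name write };
"""

# Constructed input: the reporter's FC6 module (execute only, no log access).
FC6_MODULE = """
module tjb_httpd_rotatelogs 1.0;
require {
    class file execute_no_trans;
    class file read;
    type httpd_t;
    type shell_exec_t;
    role system_r;
};
allow httpd_t shell_exec_t:file execute_no_trans;
allow httpd_t shell_exec_t:file read;
"""


def parse_te(text):
    """Return (module_name, version, rules); each rule is a dict with
    'source', 'target', 'class' and a set of 'perms'."""
    m = MODULE_RE.search(text)
    if not m:
        raise ValueError("no module declaration found")
    rules = []
    for r in ALLOW_RE.finditer(text):
        perms = r.group("perms")
        perm_set = set(perms.split()) if perms is not None else {r.group("perm")}
        rules.append({"source": r.group("src"), "target": r.group("tgt"),
                      "class": r.group("cls"), "perms": perm_set})
    return m.group(1), m.group(2), rules


def risky_rules(rules, source="httpd_sys_script_t", target="httpd_log_t"):
    """Rules that give `source` any write-class permission on `target`."""
    return [r for r in rules
            if r["source"] == source and r["target"] == target
            and r["perms"] & WRITE_PERMS]


def audit(text, source="httpd_sys_script_t", target="httpd_log_t"):
    """Human-readable findings for one module text (empty list = clean)."""
    name, version, rules = parse_te(text)
    return ["%s %s: %s -> %s:%s grants %s" % (
                name, version, r["source"], r["target"], r["class"],
                " ".join(sorted(r["perms"] & WRITE_PERMS)))
            for r in risky_rules(rules, source, target)]


if __name__ == "__main__":
    for label, text in (("reporter module", REPORTER_MODULE),
                        ("FC6 module", FC6_MODULE)):
        findings = audit(text)
        print(label + ":", findings if findings else "no write-class grants")
```

Run against the first module it flags both rules (`create` on files, `add_name`/`write` on the directory); the FC6 module only grants `read` and `execute_no_trans` on shell_exec_t, so it produces no findings for the httpd_log_t check, which is consistent with the thread's point that the fix belongs in a dedicated rotatelogs domain rather than in extra grants to the generic script domain.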