Bug 572812

Summary: SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files apache_runtime_status.
Product: Fedora
Reporter: Nikolay Bryskin <devel.niks>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: dwalsh, mgrac, mgrepl
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:1d24dcf6dc41e928212518547e6b297cb18828c68eed1e78e14d6fba5b164a09
Fixed In Version: selinux-policy-3.6.32-106.fc12
Doc Type: Bug Fix
Last Closed: 2010-03-30 02:10:51 UTC

Description Nikolay Bryskin 2010-03-12 04:25:38 UTC
Hash String generated from httpd_bad_labels,piranha_gui,httpd_t,httpd_log_t,file,write
audit2allow suggests:

Comment 1 Daniel Walsh 2010-03-12 13:56:11 UTC
Please attach the full source of the data. This looks like a bug in piranha_gui, which should only be appending to a log file, not writing to it.

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

If it is blocking anything.

Comment 2 Nikolay Bryskin 2010-03-12 19:52:38 UTC
Summary:

SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files
apache_runtime_status.

Detailed Description:

SELinux has denied the piranha_gui access to potentially mislabeled files
apache_runtime_status. This means that SELinux will not allow httpd to use these
files. If httpd should be allowed this access to these files you should change
the file context to one of the following types, httpd_tmp_t,
httpd_squirrelmail_t, httpd_var_lib_t, httpd_var_run_t, afs_cache_t, httpd_t,
squirrelmail_spool_t, httpd_lock_t, httpd_rw_content, httpd_cache_t,
httpd_tmpfs_t, httpdcontent, httpd_munin_content_rw_t,
httpd_bugzilla_content_rw_t, httpd_nagios_content_rw_t, httpd_sys_content_rw_t,
httpd_sys_content_rw_t, httpd_cvs_content_rw_t, httpd_git_content_rw_t,
httpd_nutups_cgi_content_rw_t, httpd_squid_content_rw_t,
httpd_apcupsd_cgi_content_rw_t, httpd_prewikka_content_rw_t,
httpd_awstats_content_rw_t, root_t, httpd_w3c_validator_content_rw_t,
httpd_user_content_rw_t. Many third party apps install html files in directories
that SELinux policy cannot predict. These directories have to be labeled with a
file context which httpd can access.

Allowing Access:

If you want to change the file context of apache_runtime_status so that the
httpd daemon can access it, you need to execute it using semanage fcontext -a -t
FILE_TYPE 'apache_runtime_status'.
where FILE_TYPE is one of the following: httpd_tmp_t, httpd_squirrelmail_t,
httpd_var_lib_t, httpd_var_run_t, afs_cache_t, httpd_t, squirrelmail_spool_t,
httpd_lock_t, httpd_rw_content, httpd_cache_t, httpd_tmpfs_t, httpdcontent,
httpd_munin_content_rw_t, httpd_bugzilla_content_rw_t,
httpd_nagios_content_rw_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t,
httpd_cvs_content_rw_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_rw_t,
httpd_squid_content_rw_t, httpd_apcupsd_cgi_content_rw_t,
httpd_prewikka_content_rw_t, httpd_awstats_content_rw_t, root_t,
httpd_w3c_validator_content_rw_t, httpd_user_content_rw_t. You can look at the
httpd_selinux man page for additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_log_t:s0
Target Objects                apache_runtime_status [ file ]
Source                        piranha_gui
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          nikicat-laptop.butovo
Source RPM Packages           httpd-2.2.14-1.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-92.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     nikicat-laptop.butovo
Platform                      Linux nikicat-laptop.butovo
                              2.6.32.9-70.fc12.x86_64 #1 SMP Wed Mar 3 04:40:41
                              UTC 2010 x86_64 x86_64
Alert Count                   5
First Seen                    Fri 12 Mar 2010 07:24:31
Last Seen                     Fri 12 Mar 2010 07:31:43
Local ID                      500d59f0-814c-45c4-82eb-c2b6437b9ba3
Line Numbers                  

Raw Audit Messages

node=nikicat-laptop.butovo type=AVC msg=audit(1268368303.452:26188): avc:  denied  { write } for  pid=11531 comm="piranha_gui" name="apache_runtime_status" dev=dm-1 ino=4592401 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file

node=nikicat-laptop.butovo type=SYSCALL msg=audit(1268368303.452:26188): arch=c000003e syscall=2 success=no exit=-13 a0=7f0bedd99f80 a1=80001 a2=1b6 a3=7fffd1355a90 items=0 ppid=1 pid=11531 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="piranha_gui" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
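
The two raw audit records above are what setroubleshoot and audit2allow reason from. As an added example (not code from this bug report or from the selinux-policy project), the Python below parses them, joins the AVC record to its SYSCALL record by audit serial number, and decodes the open(2) flags in a1 to answer the question Daniel raises in Comment 6 (was the log file opened for write, or only for append). It also emits the persistent form of the relabel used in Comments 4 and 8. It assumes x86_64 audit records (arch=c000003e, where syscall 2 is open and the arguments are printed in hex); the sample input is constructed from the two lines above, and all function names are mine.

```python
"""Parse raw SELinux AVC/SYSCALL audit records and summarise the denial.

Added example; not code from the bug report or the selinux-policy project.
Assumes x86_64 records (arch=c000003e, syscall 2 = open(2), a1 = flags in hex).
"""
import re
from dataclasses import dataclass

# Constructed sample input: the two raw audit records quoted in Comment 2.
SAMPLE_AUDIT_LOG = """\
node=nikicat-laptop.butovo type=AVC msg=audit(1268368303.452:26188): avc:  denied  { write } for  pid=11531 comm="piranha_gui" name="apache_runtime_status" dev=dm-1 ino=4592401 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
node=nikicat-laptop.butovo type=SYSCALL msg=audit(1268368303.452:26188): arch=c000003e syscall=2 success=no exit=-13 a0=7f0bedd99f80 a1=80001 a2=1b6 a3=7fffd1355a90 items=0 ppid=1 pid=11531 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="piranha_gui" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$"
)
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# open(2) flag bits on x86_64; the audit SYSCALL record prints a0..a3 in hex.
X86_64_ARCH = "c000003e"
OPEN_SYSCALL_NR = "2"
ACCESS_MODE = {0o0: "O_RDONLY", 0o1: "O_WRONLY", 0o2: "O_RDWR"}
OTHER_FLAGS = (("O_CREAT", 0o100), ("O_TRUNC", 0o1000),
               ("O_APPEND", 0o2000), ("O_CLOEXEC", 0o2000000))


@dataclass
class AvcEvent:
    serial: str
    result: str
    perms: tuple
    comm: str
    name: str
    source_type: str
    target_type: str
    tclass: str
    exe: str = ""           # taken from the SYSCALL record with the same serial
    open_flags: tuple = ()  # decoded open(2) flags when that syscall was open


def _kv(text):
    """Turn 'k=v k2="quoted v"' audit fields into a dict, unquoting values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def _type_of(context):
    """A context is user:role:type[:level]; the type is the third field."""
    return context.split(":")[2]


def decode_open_flags(arch, syscall, a1_hex):
    """Name the open(2) flags held in a1; () if this is not x86_64 open(2)."""
    if arch != X86_64_ARCH or syscall != OPEN_SYSCALL_NR:
        return ()
    flags = int(a1_hex, 16)
    names = [ACCESS_MODE.get(flags & 0o3, "O_ACCMODE_INVALID")]
    names += [name for name, bit in OTHER_FLAGS if flags & bit]
    return tuple(names)


def parse_audit(text):
    """Return one AvcEvent per AVC record, joined to its SYSCALL record."""
    events, syscalls = [], {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            kv = _kv(m.group("rest"))
            events.append(AvcEvent(
                serial=m.group("serial"), result=m.group("result"),
                perms=tuple(m.group("perms").split()),
                comm=kv.get("comm", ""), name=kv.get("name", ""),
                source_type=_type_of(kv["scontext"]),
                target_type=_type_of(kv["tcontext"]),
                tclass=kv.get("tclass", "")))
            continue
        m = SYSCALL_RE.search(line)
        if m:
            syscalls[m.group("serial")] = _kv(m.group("rest"))
    # The AVC and SYSCALL records of one event share the audit serial number.
    for ev in events:
        sc = syscalls.get(ev.serial)
        if sc:
            ev.exe = sc.get("exe", "")
            ev.open_flags = decode_open_flags(sc.get("arch", ""), sc.get("syscall", ""), sc.get("a1", "0"))
    return events


def summarize(ev):
    """The source -> target:class { perms } key that an allow rule would need."""
    return f"{ev.source_type} -> {ev.target_type}:{ev.tclass} {{ {' '.join(ev.perms)} }}"


def opened_without_append(ev):
    """True when a 'write' denial came from open(2) without O_APPEND: the
    check behind Comment 6, since log files should be opened append-only."""
    return "write" in ev.perms and bool(ev.open_flags) and "O_APPEND" not in ev.open_flags


def relabel_commands(path, file_type):
    """Persistent relabel of a directory tree: record the context, then apply it."""
    return [f"semanage fcontext -a -t {file_type} '{path}(/.*)?'",
            f"restorecon -Rv {path}"]


if __name__ == "__main__":
    for ev in parse_audit(SAMPLE_AUDIT_LOG):
        print(summarize(ev), "by", ev.comm, "(" + ev.exe + ") on", ev.name)
        print("open flags:", "|".join(ev.open_flags), "- no O_APPEND:", opened_without_append(ev))
    print("\n".join(relabel_commands("/var/log/piranha", "httpd_log_t")))
```

On the sample, a1=80001 decodes to O_WRONLY|O_CLOEXEC with no O_APPEND, and exit=-13 is EACCES, which is the write-versus-append distinction the thread turns on. The chcon in Comment 8 changes only the label on the existing directory and is undone by the next restorecon or relabel; recording the context with semanage fcontext first, as Comment 4 does, is what keeps the label across relabels and newly created files.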

Comment 3 Daniel Walsh 2010-03-12 20:12:35 UTC
What is the path to the log file? If you change it to httpd_sys_content_rw_t, it would allow the access.

Comment 4 Marek Grac 2010-03-20 19:50:23 UTC
Works correctly after:

semanage fcontext -a -t httpd_sys_content_rw_t '/var/log/piranha(/.*)?'

Should I add it to the post-install script, or can it be part of the SELinux policy?

Comment 5 Marek Grac 2010-03-20 19:56:25 UTC
*** Bug 572817 has been marked as a duplicate of this bug. ***

Comment 6 Daniel Walsh 2010-03-22 15:48:35 UTC
Marek, does http need to "write" to these log files or should it only be appending to them?   Can you change the php code to open these files for append?

Comment 7 Marek Grac 2010-03-22 17:08:27 UTC
@Daniel:

I'm not aware that in PHP we work with these log files. They are the default log files created by Apache; the only reason they are in a different place is that we run our own httpd server.

Comment 8 Daniel Walsh 2010-03-22 18:23:26 UTC
Ok, a better label is

/var/log/piranha(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)


chcon -t httpd_log_t /var/log/piranha


Miroslav, can you update the policy?

Comment 9 Miroslav Grepl 2010-03-23 12:02:33 UTC
Fixed in selinux-policy-3.6.32-106.fc12

Comment 10 Fedora Update System 2010-03-23 18:02:26 UTC
selinux-policy-3.6.32-106.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12

Comment 11 Fedora Update System 2010-03-24 23:29:37 UTC
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12

Comment 12 Fedora Update System 2010-03-30 02:09:11 UTC
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.