Bug 594840
| Summary: | SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files /usr/local/zend/var/log/gui_vhost_error.log. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Clement <spyworldxp> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 12 | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-10-01 06:06:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
*** Bug 594842 has been marked as a duplicate of this bug. *** # chcon -R -t var_log_t /usr/local/zend/var/log Will fix. But I guess you will need to label the "/usr/local/zend" directory as apache content. Look at #593866 bug. |
Summary: SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files /usr/local/zend/var/log/gui_vhost_error.log. Detailed Description: SELinux has denied the httpd access to potentially mislabeled files /usr/local/zend/var/log/gui_vhost_error.log. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, httpd_var_lib_t, httpd_var_run_t, user_home_t, httpd_t, squirrelmail_spool_t, httpd_lock_t, httpd_log_t, httpd_rw_content, httpd_cache_t, httpd_tmpfs_t, user_cron_spool_t, httpd_tmp_t, logfile, httpd_squirrelmail_t, rpm_tmp_t, user_tmp_t, httpd_squid_content_ra_t, httpd_squid_content_rw_t, httpd_apcupsd_cgi_content_ra_t, httpd_apcupsd_cgi_content_rw_t, httpd_prewikka_content_ra_t, httpd_prewikka_content_rw_t, httpd_awstats_content_ra_t, httpd_awstats_content_rw_t, httpd_w3c_validator_content_ra_t, httpd_w3c_validator_content_rw_t, httpd_user_content_ra_t, httpd_user_content_rw_t, httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, httpdcontent, httpd_munin_content_ra_t, httpd_munin_content_rw_t, root_t, httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t, httpd_nagios_content_ra_t, httpd_nagios_content_rw_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t, httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access. Allowing Access: If you want to change the file context of /usr/local/zend/var/log/gui_vhost_error.log so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE '/usr/local/zend/var/log/gui_vhost_error.log'. where FILE_TYPE is one of the following: httpd_var_lib_t, httpd_var_run_t, user_home_t, httpd_t, squirrelmail_spool_t, httpd_lock_t, httpd_log_t, httpd_rw_content, httpd_cache_t, httpd_tmpfs_t, user_cron_spool_t, httpd_tmp_t, logfile, httpd_squirrelmail_t, rpm_tmp_t, user_tmp_t, httpd_squid_content_ra_t, httpd_squid_content_rw_t, httpd_apcupsd_cgi_content_ra_t, httpd_apcupsd_cgi_content_rw_t, httpd_prewikka_content_ra_t, httpd_prewikka_content_rw_t, httpd_awstats_content_ra_t, httpd_awstats_content_rw_t, httpd_w3c_validator_content_ra_t, httpd_w3c_validator_content_rw_t, httpd_user_content_ra_t, httpd_user_content_rw_t, httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, httpdcontent, httpd_munin_content_ra_t, httpd_munin_content_rw_t, root_t, httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t, httpd_nagios_content_ra_t, httpd_nagios_content_rw_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t, httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t. You can look at the httpd_selinux man page for additional information. Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:usr_t:s0 Target Objects /usr/local/zend/var/log/gui_vhost_error.log [ file ] Source httpd Source Path /usr/sbin/httpd Port <Unknown> Host (removed) Source RPM Packages httpd-2.2.14-1.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-114.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name httpd_bad_labels Host Name (removed) Platform Linux (removed) 2.6.32.11-99.fc12.i686.PAE #1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686 Alert Count 2 First Seen Sat 22 May 2010 01:58:22 AM MYT Last Seen Sat 22 May 2010 02:06:49 AM MYT Local ID 50c5d67d-83c2-4b69-8700-38f739a419af Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1274465209.125:6): avc: denied { append } for pid=1648 comm="httpd" name="gui_vhost_error.log" dev=sda1 ino=265749 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1274465209.125:6): arch=40000003 syscall=5 success=no exit=-13 a0=1beb1c0 a1=88441 a2=1b6 a3=400e items=0 ppid=1647 pid=1648 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) Hash String generated from httpd_bad_labels,httpd,httpd_t,usr_t,file,append audit2allow suggests: #============= httpd_t ============== allow httpd_t usr_t:file append;