Description of problem:
Checked the ownership of all the log files, found that the owner of /var/log/openshift/site/devenv.log file is not consistent with other log files, the owner of that file is libra_passenger, but not root like other files, result like the following:

    [root@ip-10-185-38-210 ~]# ls -l /var/log/openshift/*/*
    -rw-rw----. 1 root libra_user 92207 Oct 7 23:27 /var/log/openshift/broker/development.log
    -rw-rw----. 1 root libra_user 0 Oct 4 13:22 /var/log/openshift/broker/production.log
    -rw-rw----. 1 root libra_user 135376 Oct 7 22:52 /var/log/openshift/broker/ruby193-mcollective-client.log
    -rw-rw----. 1 root libra_user 288 Oct 7 22:51 /var/log/openshift/broker/usage.log
    -rw-rw----. 1 root libra_user 12662 Oct 7 23:27 /var/log/openshift/broker/user_action.log
    -rw-rw----. 1 root root 111890 Oct 7 23:29 /var/log/openshift/node/cgroups.log
    -rw-rw----. 1 root root 0 Oct 4 13:23 /var/log/openshift/node/cgroups-trace.log
    -rw-rw----. 1 root root 79352 Oct 7 22:52 /var/log/openshift/node/platform.log
    -rw-rw----. 1 root root 85165 Oct 7 22:52 /var/log/openshift/node/platform-trace.log
    -rw-rw----. 1 root libra_user 0 Oct 4 13:25 /var/log/openshift/site/development.log
    -rw-r--r--. 1 libra_passenger libra_user 4752 Oct 7 23:16 /var/log/openshift/site/devenv.log
    -rw-rw----. 1 root libra_user 0 Oct 4 13:25 /var/log/openshift/site/production.log

Version-Release number of selected component (if applicable):
devenv-stage_488

How reproducible:
always

Steps to Reproduce:
1. ssh to the instance
2. ls -l /var/log/openshift/*/*
3.

Actual results:
The owner of /var/log/openshift/site/devenv.log file is not consistent with other log file.

Expected results:
The owner of log files should be consistent.

Additional info:

Fix is in https://github.com/openshift/li/pull/2147

Commit pushed to master at https://github.com/openshift/li

https://github.com/openshift/li/commit/61f9e584f25bbcd5eeac9829f3a1c14a4c548341
Bug 1016384 - fix the owner of the site devenv.log file

Tested on devenv_4030, the owner of the site devenv.log file has been changed to be root, so verify this bug, result is as following:

    [root@ip-10-100-215-134 ~]# ls -l /var/log/openshift/*/*
    -rw-rw----. 1 root libra_user 15885 Nov 13 21:31 /var/log/openshift/broker/development.log
    -rw-rw----. 1 root libra_user 0 Nov 13 18:57 /var/log/openshift/broker/production.log
    -rw-rw----. 1 root libra_user 14863 Nov 13 19:06 /var/log/openshift/broker/ruby193-mcollective-client.log
    -rw-rw----. 1 root libra_user 0 Nov 13 18:57 /var/log/openshift/broker/usage.log
    -rw-rw----. 1 root libra_user 6001 Nov 13 21:31 /var/log/openshift/broker/user_action.log
    -rw-rw----. 1 root root 102330 Nov 13 22:06 /var/log/openshift/node/cgroups.log
    -rw-rw----. 1 root root 0 Nov 13 19:00 /var/log/openshift/node/cgroups-trace.log
    -rw-rw----. 1 root root 31003 Nov 13 21:10 /var/log/openshift/node/platform.log
    -rw-rw----. 1 root root 32176 Nov 13 21:10 /var/log/openshift/node/platform-trace.log
    -rw-rw----. 1 root libra_user 0 Nov 13 18:58 /var/log/openshift/site/development.log
    -rw-rw----. 1 root libra_user 24943 Nov 13 21:35 /var/log/openshift/site/devenv.log
    -rw-rw----. 1 root libra_user 0 Nov 13 18:58 /var/log/openshift/site/production.log

Commit pushed to master at https://github.com/openshift/li

https://github.com/openshift/li/commit/b244735885cf2de7d19997a71b6aa17797b71a5f
rhc-devenv: Create devenv.log file

Create an empty /var/log/openshift/site/devenv.log file.

Otherwise, httpd fails to create devenv.log and instead generates AVC denials because httpd runs with an SELinux context with type httpd_t, /var/log/openshift/site has an SELinux context with type openshift_log_t, and current SELinux policy blocks an httpd_t process from writing to an openshift_log_t directory:

    % sesearch -A -s httpd_t -t openshift_log_t -c dir
    Found 1 semantic av rules:
       allow httpd_t file_type : dir { getattr search open } ;

If the file exists, then SELinux policy does permit httpd to write to it:

    % sesearch -A -s httpd_t -t openshift_log_t -c file
    Found 1 semantic av rules:
       allow daemon logfile : file { ioctl getattr lock append } ;

This commit is related to bug 1016384 and commit 61f9e584f25bbcd5eeac9829f3a1c14a4c548341.
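
The manual `ls -l` comparison from the report can be automated; the following is an added example, not part of the bug report or of the openshift/li code. The function name `audit_log_perms` and the policy it enforces (owner root, no permissions for "other") are assumptions drawn from the listings above, and the sample lines are copied from the first listing.

```shell
#!/bin/sh
# Added example: flag log files whose owner or mode deviates from the others.
# Assumed policy (taken from the listings in this report): owner is root and
# the "other" permission triplet is empty.

audit_log_perms() {
    # Reads `ls -l` lines on stdin, prints "path: reason" for each deviation,
    # and returns 1 if any were found. Optional $1 overrides the expected owner.
    # Paths containing spaces are not handled; the log paths here have none.
    awk -v want_owner="${1:-root}" '
        # Skip "total N" lines and anything that is not a regular-file entry.
        $1 !~ /^-/ || NF < 9 { next }
        {
            mode = $1; owner = $3; path = $NF
            other = substr(mode, 8, 3)          # rwx triplet for "other"
            reason = ""
            if (owner != want_owner) reason = "owner=" owner
            if (other != "---") {
                sep = (reason != "") ? "," : ""
                reason = reason sep "other=" other
            }
            if (reason != "") { print path ": " reason; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

sample_listing() {
    # Three lines from the listing in the original report (before the fix).
    cat <<'EOF'
-rw-rw----. 1 root root 111890 Oct 7 23:29 /var/log/openshift/node/cgroups.log
-rw-rw----. 1 root libra_user 0 Oct 4 13:25 /var/log/openshift/site/development.log
-rw-r--r--. 1 libra_passenger libra_user 4752 Oct 7 23:16 /var/log/openshift/site/devenv.log
EOF
}

# On a live host: ls -l /var/log/openshift/*/* | audit_log_perms
sample_listing | audit_log_perms || echo "audit: deviations found" >&2
```

Besides the owner, the check also reports that the pre-fix devenv.log was world-readable (`-rw-r--r--`), which the other log files were not.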