Bug 1017364 – SELinux is preventing /usr/sbin/nginx from 'setattr' accesses on the file /home/mikhail/logs/nginx_access.log.

Bug 1017364 - SELinux is preventing /usr/sbin/nginx from 'setattr' accesses on the file /home/mikhail/logs/nginx_access.log.

Summary:	SELinux is preventing /usr/sbin/nginx from 'setattr' accesses on the file /ho...

Status:	CLOSED NOTABUG

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	policycoreutils (Show other bugs)
Sub Component:
Version:	20
Hardware:	x86_64 Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	---
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:	abrt_hash:a24aff20d5e7b60d039e0b80014...
Keywords:	Reopened

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2013-10-09 13:41 EDT by Mikhail
Modified:	2013-10-24 10:40 EDT (History)
CC List:	5 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-10-24 10:40:26 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Mikhail 2013-10-09 13:41:36 EDT

Description of problem:
SELinux is preventing /usr/sbin/nginx from 'setattr' accesses on the file /home/mikhail/logs/nginx_access.log.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that nginx should be allowed setattr access on the nginx_access.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep nginx /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:user_home_t:s0
Target Objects                /home/mikhail/logs/nginx_access.log [ file ]
Source                        nginx
Source Path                   /usr/sbin/nginx
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           nginx-1.4.2-3.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-84.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.11.3-301.fc20.x86_64 #1 SMP Thu
                              Oct 3 00:57:21 UTC 2013 x86_64 x86_64
Alert Count                   4
First Seen                    2013-10-07 03:18:02 YEKT
Last Seen                     2013-10-09 03:43:01 YEKT
Local ID                      28e9bee5-d603-41d3-8ace-3cddd198beca

Raw Audit Messages
type=AVC msg=audit(1381268581.773:1192): avc:  denied  { setattr } for  pid=999 comm="nginx" name="nginx_access.log" dev="sdb" ino=167773487 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file


type=SYSCALL msg=audit(1381268581.773:1192): arch=x86_64 syscall=chown success=no exit=EACCES a0=7fce5f3cce14 a1=3dd a2=ffffffff a3=78 items=0 ppid=1 pid=999 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: nginx,httpd_t,user_home_t,file,setattr

Additional info:
reporter:       libreport-2.1.7
hashmarkername: setroubleshoot
kernel:         3.11.3-301.fc20.x86_64
type:           libreport

Potential duplicate: bug 995741

Comment 1 Lukas Vrabec 2013-10-11 08:06:56 EDT

Why is "nginx_access.log" stored in your homedir?

Comment 2 Mikhail 2013-10-11 08:19:12 EDT

Because I liked storing web application in home folder. It's easy for developing, update and safety.

server {
	if ($request_method !~ ^(GET|POST)$ ) {
		return 200;
	}

    listen	127.0.0.1:80;
    server_name	localhost;
    root	/home/mikhail/www;    
    error_log	/home/mikhail/logs/nginx_error.log;
    access_log	/home/mikhail/logs/nginx_access.log;

    location / {
	index	index.php index.html index.htm;
    }
    #pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    location ~ \.php$ {
        fastcgi_pass	127.0.0.1:9000;
        fastcgi_index	index.php;
        fastcgi_param	SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include		fastcgi_params;
    } 
}

Comment 3 Lukas Vrabec 2013-10-11 08:23:58 EDT

OK, then you can allow it using : 
# semanage fcontext -a -t http_sys_content_rw_t '/home/mikhail/logs(/.*)?'
# restorecon -R -v /home/mikhail
as Daniel recommended to you in previous thread.

Comment 4 Mikhail 2013-10-11 09:57:24 EDT

Can you add to SE Linux troubleshooter plugin which can do it automatically?

Comment 5 Daniel Walsh 2013-10-11 15:26:05 EDT

Well I would advise people not to do this, so I do not want  a plugin to do it.

Having random directories in the homedir being written to by network apps it not a great idea.

Comment 6 Mikhail 2013-10-22 15:30:06 EDT

# semanage fcontext -a -t http_sys_content_rw_t '/home/mikhail/logs(/.*)?'
ValueError: Type http_sys_content_rw_t is invalid, must be a file or device type

Comment 7 Miroslav Grepl 2013-10-24 10:40:26 EDT

# semanage fcontext -a -t httpd_sys_rw_content_t '/home/mikhail/logs(/.*)?'

Note You need to log in before you can comment on or make changes to this bug.