Description of problem: SELinux is preventing /usr/sbin/nginx from 'setattr' accesses on the file /home/mikhail/logs/nginx_access.log. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that nginx should be allowed setattr access on the nginx_access.log file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep nginx /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:user_home_t:s0 Target Objects /home/mikhail/logs/nginx_access.log [ file ] Source nginx Source Path /usr/sbin/nginx Port <Unknown> Host (removed) Source RPM Packages nginx-1.4.2-3.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-84.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.11.3-301.fc20.x86_64 #1 SMP Thu Oct 3 00:57:21 UTC 2013 x86_64 x86_64 Alert Count 4 First Seen 2013-10-07 03:18:02 YEKT Last Seen 2013-10-09 03:43:01 YEKT Local ID 28e9bee5-d603-41d3-8ace-3cddd198beca Raw Audit Messages type=AVC msg=audit(1381268581.773:1192): avc: denied { setattr } for pid=999 comm="nginx" name="nginx_access.log" dev="sdb" ino=167773487 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file type=SYSCALL msg=audit(1381268581.773:1192): arch=x86_64 syscall=chown success=no exit=EACCES a0=7fce5f3cce14 a1=3dd a2=ffffffff a3=78 items=0 ppid=1 pid=999 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null) Hash: nginx,httpd_t,user_home_t,file,setattr Additional info: reporter: libreport-2.1.7 hashmarkername: setroubleshoot kernel: 3.11.3-301.fc20.x86_64 type: libreport Potential duplicate: bug 995741
Why is "nginx_access.log" stored in your homedir?
Because I liked storing web application in home folder. It's easy for developing, update and safety. server { if ($request_method !~ ^(GET|POST)$ ) { return 200; } listen 127.0.0.1:80; server_name localhost; root /home/mikhail/www; error_log /home/mikhail/logs/nginx_error.log; access_log /home/mikhail/logs/nginx_access.log; location / { index index.php index.html index.htm; } #pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } }
OK, then you can allow it using : # semanage fcontext -a -t http_sys_content_rw_t '/home/mikhail/logs(/.*)?' # restorecon -R -v /home/mikhail as Daniel recommended to you in previous thread.
Can you add to SE Linux troubleshooter plugin which can do it automatically?
Well I would advise people not to do this, so I do not want a plugin to do it. Having random directories in the homedir being written to by network apps it not a great idea.
# semanage fcontext -a -t http_sys_content_rw_t '/home/mikhail/logs(/.*)?' ValueError: Type http_sys_content_rw_t is invalid, must be a file or device type
# semanage fcontext -a -t httpd_sys_rw_content_t '/home/mikhail/logs(/.*)?'