Bug 1017364 - SELinux is preventing /usr/sbin/nginx from 'setattr' accesses on the file /home/mikhail/logs/nginx_access.log.
SELinux is preventing /usr/sbin/nginx from 'setattr' accesses on the file /ho...
Product: Fedora
Classification: Fedora
Component: policycoreutils (Show other bugs)
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
: Reopened
Depends On:
  Show dependency treegraph
Reported: 2013-10-09 13:41 EDT by Mikhail
Modified: 2013-10-24 10:40 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-10-24 10:40:26 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Mikhail 2013-10-09 13:41:36 EDT
Description of problem:
SELinux is preventing /usr/sbin/nginx from 'setattr' accesses on the file /home/mikhail/logs/nginx_access.log.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that nginx should be allowed setattr access on the nginx_access.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep nginx /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:user_home_t:s0
Target Objects                /home/mikhail/logs/nginx_access.log [ file ]
Source                        nginx
Source Path                   /usr/sbin/nginx
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           nginx-1.4.2-3.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-84.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.11.3-301.fc20.x86_64 #1 SMP Thu
                              Oct 3 00:57:21 UTC 2013 x86_64 x86_64
Alert Count                   4
First Seen                    2013-10-07 03:18:02 YEKT
Last Seen                     2013-10-09 03:43:01 YEKT
Local ID                      28e9bee5-d603-41d3-8ace-3cddd198beca

Raw Audit Messages
type=AVC msg=audit(1381268581.773:1192): avc:  denied  { setattr } for  pid=999 comm="nginx" name="nginx_access.log" dev="sdb" ino=167773487 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file

type=SYSCALL msg=audit(1381268581.773:1192): arch=x86_64 syscall=chown success=no exit=EACCES a0=7fce5f3cce14 a1=3dd a2=ffffffff a3=78 items=0 ppid=1 pid=999 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: nginx,httpd_t,user_home_t,file,setattr

Additional info:
reporter:       libreport-2.1.7
hashmarkername: setroubleshoot
kernel:         3.11.3-301.fc20.x86_64
type:           libreport

Potential duplicate: bug 995741
Comment 1 Lukas Vrabec 2013-10-11 08:06:56 EDT
Why is "nginx_access.log" stored in your homedir?
Comment 2 Mikhail 2013-10-11 08:19:12 EDT
Because I liked storing web application in home folder. It's easy for developing, update and safety.

server {
	if ($request_method !~ ^(GET|POST)$ ) {
		return 200;

    server_name	localhost;
    root	/home/mikhail/www;    
    error_log	/home/mikhail/logs/nginx_error.log;
    access_log	/home/mikhail/logs/nginx_access.log;

    location / {
	index	index.php index.html index.htm;
    #pass the PHP scripts to FastCGI server listening on
    location ~ \.php$ {
        fastcgi_index	index.php;
        fastcgi_param	SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include		fastcgi_params;
Comment 3 Lukas Vrabec 2013-10-11 08:23:58 EDT
OK, then you can allow it using : 
# semanage fcontext -a -t http_sys_content_rw_t '/home/mikhail/logs(/.*)?'
# restorecon -R -v /home/mikhail
as Daniel recommended to you in previous thread.
Comment 4 Mikhail 2013-10-11 09:57:24 EDT
Can you add to SE Linux troubleshooter plugin which can do it automatically?
Comment 5 Daniel Walsh 2013-10-11 15:26:05 EDT
Well I would advise people not to do this, so I do not want  a plugin to do it.

Having random directories in the homedir being written to by network apps it not a great idea.
Comment 6 Mikhail 2013-10-22 15:30:06 EDT
# semanage fcontext -a -t http_sys_content_rw_t '/home/mikhail/logs(/.*)?'
ValueError: Type http_sys_content_rw_t is invalid, must be a file or device type
Comment 7 Miroslav Grepl 2013-10-24 10:40:26 EDT
# semanage fcontext -a -t httpd_sys_rw_content_t '/home/mikhail/logs(/.*)?'

Note You need to log in before you can comment on or make changes to this bug.