Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1106299

Summary: httpd gets permission denied on /var/log/horizon/horizon.log
Product: Red Hat OpenStack Reporter: Giulio Fidente <gfidente>
Component: openstack-selinuxAssignee: Lon Hohberger <lhh>
Status: CLOSED ERRATA QA Contact: Ami Jeain <ajeain>
Severity: high Docs Contact:
Priority: high    
Version: 5.0 (RHEL 7)CC: lhh, mgrepl, rhallise, yeylon
Target Milestone: rc   
Target Release: 5.0 (RHEL 7)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1111276 (view as bug list) Environment:
Last Closed: 2014-07-08 15:14:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1111276    
Attachments:
Description Flags
AVC messages from audit.log none

Description Giulio Fidente 2014-06-09 04:32:12 UTC
Description of problem:
httpd gets denied to open /var/log/horizon/horizon.log as per audit.log

ype=AVC msg=audit(1402287962.170:6450): avc:  denied  { open } for  pid=29209 comm="httpd" path="/var/log/horizon/horizon.log" dev="vda1" ino=26331445 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

not sure but looks like the file (and dir) could be mislabeled as they should be httpd_log_t rather than var_log_t ?


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-153.el7_0.10.noarch
selinux-policy-3.12.1-153.el7_0.10.noarch

Comment 2 Giulio Fidente 2014-06-09 15:48:54 UTC
Created attachment 904768 [details]
AVC messages from audit.log

Comment 3 Lon Hohberger 2014-06-10 14:04:46 UTC
If all horizon's logs are spat out from Apache, then httpd_log_t would indeed work.

Comment 4 Lon Hohberger 2014-06-10 14:16:18 UTC
I asked Julie about it - it seems Horizon's logs are all written by Apache, so either changing the file context to httpd_log_t or adding a new one (e.g. horizon_log_t) and allowing httpd_t to write to it would work.

Miroslav, which is your preferred method?

Comment 6 Miroslav Grepl 2014-06-10 14:54:01 UTC
Yes, we added it to the latest builds.


diff --git a/apache.fc b/apache.fc
index 0d9db0a..7e70f67 100644
--- a/apache.fc
+++ b/apache.fc
@@ -137,6 +137,7 @@ ifdef(`distro_suse', `
 /var/log/apache(2)?(/.*)?              gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/apache-ssl(2)?(/.*)?          gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/glpi(/.*)?                    gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/horizon(/.*)?                 gen_context(system_u:object_r:httpd_log_t,s0)

Comment 10 Ami Jeain 2014-06-25 19:03:55 UTC
verified in latest openstack icehouse build.
# rpm -qa |grep django-horizon
python-django-horizon-2014.1-7.el7ost.noarch

Comment 12 errata-xmlrpc 2014-07-08 15:14:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-0845.html