Description of problem:
SELinux is preventing nginx from 'open' accesses on the file /home/mikhail/logs/nginx_error.log.

***** Plugin catchall_boolean (89.3 confidence) suggests ******************

If you want to allow httpd to read user content
Then you must tell SELinux about this by enabling the 'httpd_read_user_content' boolean.
You can read 'None' man page for more details.
Do
setsebool -P httpd_read_user_content 1

***** Plugin catchall (11.6 confidence) suggests **************************

If you believe that nginx should be allowed open access on the nginx_error.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep nginx /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:user_home_t:s0
Target Objects                /home/mikhail/logs/nginx_error.log [ file ]
Source                        nginx
Source Path                   nginx
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-77.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.1-301.fc21.x86_64 #1 SMP Mon Aug 25 13:06:39 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-09-01 21:51:35 YEKT
Last Seen                     2014-09-01 21:51:35 YEKT
Local ID                      d118090a-91a0-4f23-8cd5-4e1ca65449f2

Raw Audit Messages
type=AVC msg=audit(1409586695.22:1763): avc: denied { open } for pid=8229 comm="nginx" path="/home/mikhail/logs/nginx_error.log" dev="sdb1" ino=243744 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0

Hash: nginx,httpd_t,user_home_t,file,open

Version-Release number of selected component:
selinux-policy-3.13.1-77.fc21.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.1-301.fc21.x86_64
type:           libreport

Potential duplicate: bug 964379

Why do you have logs in your home dir? You will have to set up labels for these directories if you want apache to be allowed access or turn on the suggested boolean.

semanage fcontext -a -t httpd_log_t '/home/mikhail/logs(/.*)?'
restorecon -R -v /home/mikhail