RDO tickets are now tracked in Jira https://issues.redhat.com/projects/RDO/issues/
Bug 1150902 - selinux prevents httpd to write to /var/log/horizon/horizon.log
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RDO
Classification: Community
Component: openstack-puppet-modules
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Assignee: Lukas Bezdicka
QA Contact: Shai Revivo
Reported: 2014-10-09 07:14 UTC by Matthias Runge
Modified: 2017-06-18 06:32 UTC (History)
Last Closed: 2017-06-18 06:32:14 UTC

Description Matthias Runge 2014-10-09 07:14:39 UTC
Description of problem:
openstack-dashboard uses /var/log/horizon for log files.

policy apparently denies access to that:

type=AVC msg=audit(1412836262.715:4454): avc:  denied  { open } for  pid=6445 comm="httpd" path="/var/log/horizon/horizon.log" dev="dm-1" ino=4194308 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1412836360.505:4767): avc:  denied  { open } for  pid=6458 comm="httpd" path="/var/log/horizon/horizon.log" dev="dm-1" ino=4194308 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1412836528.320:5317): avc:  denied  { open } for  pid=6467 comm="httpd" path="/var/log/horizon/horizon.log" dev="dm-1" ino=4194308 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1412837235.000:1929): avc:  denied  { open } for  pid=1902 comm="httpd" path="/var/log/horizon/horizon.log" dev="dm-1" ino=4194308 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1412837236.640:1936): avc:  denied  { open } for  pid=2127 comm="httpd" path="/var/log/horizon/horizon.log" dev="dm-1" ino=4194308 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0


ls -lZa /var/log/horizon/
drwxr-x---. apache apache system_u:object_r:var_log_t:s0   .
drwxr-xr-x. root   root   system_u:object_r:var_log_t:s0   ..
-rw-r-----. apache apache system_u:object_r:var_log_t:s0   horizon.log
-rw-r--r--. apache apache system_u:object_r:var_log_t:s0   horizon.log.1


selinux-policy-3.12.1-188.fc20.noarch

Comment 2 Daniel Walsh 2014-10-12 11:56:46 UTC
restorecon -R -v /var/log/horizon

This is a mislabeled directory.

Comment 3 Miroslav Grepl 2014-10-13 08:40:11 UTC
We have issues with this.

Matthias,
do you know how /var/log/horizon/horizon.log was placed?

Comment 4 Matthias Runge 2014-10-13 09:12:57 UTC
Miroslav,

it was created by openstack-packstack. 

Lukas, is there a way to prevent this kind of issue? If I understood your comment correctly, openstack-puppet-modules builds its own selinux policies etc.? In that case, this would be an issue with o-p-m and not with selinux-policy.

Comment 5 Matthias Runge 2014-10-24 12:11:05 UTC
*** Bug 1156148 has been marked as a duplicate of this bug. ***

Comment 6 Lukas Bezdicka 2014-10-24 12:31:13 UTC
This is an o-p-m issue.

Comment 9 Christopher Brown 2017-06-17 16:58:01 UTC
I'm pretty sure SELinux allows httpd to write to horizon log now, so this can be closed?

