Description of problem:
When services are run under apache via wsgi, they can no longer write their logs to their /var/log/<service>/ folder. Most recently, barbican and panko both failed when previously set up to write out /var/log/barbican/api.log and /var/log/panko/api.log. This had previously been working just fine.

Version-Release number of selected component (if applicable):
openstack-selinux-0.7.13-2.el7.noarch

http://logs.openstack.org/13/448213/1/check/gate-puppet-openstack-integration-4-scenario002-tempest-centos-7/cacc415/console.html#_2017-03-29_07_00_05_419563

2017-03-29 07:00:05.419563 | SELinux is preventing /usr/sbin/httpd from open access on the file /var/log/barbican/api.log.
2017-03-29 07:00:05.419570 |
2017-03-29 07:00:05.419595 | ***** Plugin catchall (100. confidence) suggests **************************
2017-03-29 07:00:05.419602 |
2017-03-29 07:00:05.419630 | If you believe that httpd should be allowed open access on the api.log file by default.
2017-03-29 07:00:05.419646 | Then you should report this as a bug.
2017-03-29 07:00:05.419668 | You can generate a local policy module to allow this access.
2017-03-29 07:00:05.419675 | Do
2017-03-29 07:00:05.419691 | allow this access for now by executing:
2017-03-29 07:00:05.419710 | # ausearch -c 'httpd' --raw | audit2allow -M my-httpd
2017-03-29 07:00:05.419723 | # semodule -i my-httpd.pp
2017-03-29 07:00:05.419733 |
2017-03-29 07:00:05.419740 |
2017-03-29 07:00:05.419752 | Additional Information:
2017-03-29 07:00:05.419773 | Source Context                system_u:system_r:httpd_t:s0
2017-03-29 07:00:05.419795 | Target Context                unconfined_u:object_r:var_log_t:s0
2017-03-29 07:00:05.419817 | Target Objects                /var/log/barbican/api.log [ file ]
2017-03-29 07:00:05.419832 | Source                        httpd
2017-03-29 07:00:05.419850 | Source Path                   /usr/sbin/httpd
2017-03-29 07:00:05.419866 | Port                          <Unknown>
2017-03-29 07:00:05.419882 | Host                          <Unknown>
2017-03-29 07:00:05.419904 | Source RPM Packages           httpd-2.4.6-45.el7.centos.x86_64
2017-03-29 07:00:05.419917 | Target RPM Packages
2017-03-29 07:00:05.419941 | Policy RPM                    selinux-policy-3.13.1-102.el7_3.15.noarch
2017-03-29 07:00:05.419956 | Selinux Enabled               True
2017-03-29 07:00:05.419972 | Policy Type                   targeted
2017-03-29 07:00:05.419988 | Enforcing Mode                Permissive
2017-03-29 07:00:05.420017 | Host Name                     centos-7-osic-cloud1-s3700-8148678
2017-03-29 07:00:05.420044 | Platform                      Linux centos-7-osic-cloud1-s3700-8148678
2017-03-29 07:00:05.457354 |                               3.10.0-514.10.2.el7.x86_64 #1 SMP Fri Mar 3
2017-03-29 07:00:05.457427 |                               00:04:05 UTC 2017 x86_64 x86_64
2017-03-29 07:00:05.457445 | Alert Count                   1
2017-03-29 07:00:05.457851 | First Seen                    2017-03-29 06:55:03 UTC
2017-03-29 07:00:05.457882 | Last Seen                     2017-03-29 06:55:03 UTC
2017-03-29 07:00:05.457909 | Local ID                      2dd4aa6b-9dde-4c09-b6cb-07cae22b0c61
2017-03-29 07:00:05.457916 |
2017-03-29 07:00:05.457929 | Raw Audit Messages
2017-03-29 07:00:05.458025 | type=AVC msg=audit(1490770503.768:2446): avc: denied { open } for pid=16990 comm="httpd" path="/var/log/barbican/api.log" dev="vda1" ino=5772151 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
2017-03-29 07:00:05.458039 |
2017-03-29 07:00:05.458046 |
2017-03-29 07:00:05.458155 | type=SYSCALL msg=audit(1490770503.768:2446): arch=x86_64 syscall=open success=yes exit=ENOEXEC a0=7f324dc29da0 a1=441 a2=1b6 a3=24 items=0 ppid=16964 pid=16990 auid=4294967295 uid=491 gid=490 euid=491 suid=491 fsuid=491 egid=490 sgid=490 fsgid=490 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
2017-03-29 07:00:05.458164 |
2017-03-29 07:00:05.458195 | Hash: httpd,httpd_t,var_log_t,file,open
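The raw AVC line above carries everything needed to classify this denial: the permission in braces, the source domain (httpd_t) in scontext, the target type (var_log_t) in tcontext, and the object class. The following POSIX sh/awk triage helper is an added example written for this page; it is not part of the bug report or of openstack-selinux. It reads raw "type=AVC" lines in the format ausearch --raw produces and reduces each denial to those fields, then counts how many match the exact pattern this bug describes. The first sample line is the denial from the report; the second (panko, pid 16991, ino 5772152) and the SYSCALL line are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or openstack-selinux): triage raw AVC
# denials by reducing each to the fields that decide the fix.

# Constructed sample audit lines. Line 1 is the denial from the report; line 2
# (panko, pid 16991, ino 5772152) and the SYSCALL line are hypothetical.
SAMPLE_AVC='type=AVC msg=audit(1490770503.768:2446): avc:  denied  { open } for  pid=16990 comm="httpd" path="/var/log/barbican/api.log" dev="vda1" ino=5772151 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1490770503.800:2447): avc:  denied  { write } for  pid=16991 comm="httpd" path="/var/log/panko/api.log" dev="vda1" ino=5772152 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1490770503.768:2446): arch=x86_64 syscall=open success=yes exit=0'

# avc_summary: stdin -> one line per AVC denial:
#   "<perm> <source domain> <target type> <tclass> <path>"
# The type is the third colon-separated part of a context (user:role:type:level),
# so httpd_t and var_log_t come straight out of scontext/tcontext.
avc_summary() {
    awk '
    /^type=AVC / && / denied / {
        perm = ""; sdom = ""; ttype = ""; tclass = ""; path = "-"
        # permission set sits between braces: "{ open }" or "{ read write }"
        if (match($0, /\{ [^}]* \}/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/ /, "+", perm)   # keep multi-permission sets in one field
        }
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); sdom = a[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); ttype = b[3] }
            else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            else if ($i ~ /^path=/)     { path = substr($i, 7, length($i) - 7) }  # strip path=" and "
        }
        print perm, sdom, ttype, tclass, path
    }'
}

# count_wsgi_log_denials: how many denials on stdin are exactly the case this
# bug describes (httpd_t blocked on a file labelled var_log_t). A non-zero
# count after the fix points at a log file that still carries the generic
# var_log_t label rather than a type httpd_t is allowed to use.
count_wsgi_log_denials() {
    avc_summary | awk '$2 == "httpd_t" && $3 == "var_log_t" && $4 == "file" { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
printf '%s\n' "$SAMPLE_AVC" | count_wsgi_log_denials
```

On a real host, feed the helper with `ausearch -m AVC --raw | avc_summary`; the summary lines are what you compare against `ls -Z` on the file to see whether the fix is a label (semanage fcontext / restorecon) or, as this bug resolved it, a policy change on the httpd_t side.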
These are going to come in pretty regularly as we switch to Apache.
The problem here is that the log files need to be set individually (in general) to something httpd can read / write. Not all log files are necessarily written by Apache, so we tend to need to do this individually.
https://github.com/redhat-openstack/openstack-selinux/commit/ad96ed3d459797cc417cdbfaf1a869d4d285f50e For now, we'll just set a boolean that gives httpd_t access to known openstack types and var_log_t when being used as the OpenStack WSGI server. Once all OpenStack services have assigned types, we'll drop the use of var_log_t.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:3462