Bug 180482 - Cacti does not work with targeted policy (apache)
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: James Antill
Reported: 2006-02-08 15:27 UTC by Mike McGrath
Modified: 2007-11-30 22:11 UTC (History)

Doc Type: Bug Fix
Last Closed: 2006-07-24 02:38:46 UTC
Type: ---

Description Mike McGrath 2006-02-08 15:27:47 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20051010 Firefox/1.0.7 (Ubuntu package 1.0.7)

Description of problem:
I just got done packaging Cacti for Fedora Extras. It's been approved but it doesn't work with SELinux. Cacti stores log files in /var/log/cacti/ and round robin database files in /var/lib/cacti/rra/

To fix this problem it is possible to run the following commands:

chcon -R -t httpd_sys_content_t /var/log/cacti/
chcon -R -t httpd_sys_content_t /var/lib/cacti/rra/

It was suggested to me to get new contexts for Cacti incorporated:

https://www.redhat.com/archives/fedora-extras-list/2006-January/msg01169.html



Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install cacti
2. Verify SELinux is enabled (targeted)
3. Watch cacti fail.

Additional info:

Comment 1 Daniel Walsh 2006-02-09 13:47:35 UTC
Does it work with

chcon -R -t httpd_log_t /var/log/cacti/
chcon --R -t httpd_var_lib_t /var/lib/cacti/rra/

Comment 2 Mike McGrath 2006-02-09 21:55:44 UTC
The logs seem to work now (can be read) but rra doesn't seem to work.  I assume
you wanted -R instead of --R.  Here's the audit logs:

type=AVC msg=audit(1139522179.714:56): avc:  denied  { search } for  pid=2851
comm="rrdtool" name="rra" dev=hda2 ino=5505259
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:httpd_var_lib_t tclass=dir
type=SYSCALL msg=audit(1139522179.714:56): arch=40000003 syscall=5 success=no
exit=-13 a0=805f048 a1=0 a2=1b6 a3=805d660 items=1 pid=2851 auid=0 uid=48 gid=48
euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="rrdtool"
exe="/usr/bin/rrdtool"
type=CWD msg=audit(1139522179.714:56):  cwd="/usr/share/cacti"
type=PATH msg=audit(1139522179.714:56): item=0
name="/usr/share/cacti/rra/localhost_traffic_in_18.rrd" flags=101  inode=5505259
dev=03:02 mode=040755 ouid=101 ogid=0 rdev=00:00
type=AVC msg=audit(1139522179.770:57): avc:  denied  { search } for  pid=2852
comm="rrdtool" name="rra" dev=hda2 ino=5505259
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:httpd_var_lib_t tclass=dir
type=SYSCALL msg=audit(1139522179.770:57): arch=40000003 syscall=5 success=no
exit=-13 a0=9682cd8 a1=0 a2=1b6 a3=9683c80 items=1 pid=2852 auid=0 uid=48 gid=48
euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="rrdtool"
exe="/usr/bin/rrdtool"
type=CWD msg=audit(1139522179.770:57):  cwd="/usr/share/cacti"
type=PATH msg=audit(1139522179.770:57): item=0
name="/usr/share/cacti/rra/localhost_proc_7.rrd" flags=101  inode=5505259
dev=03:02 mode=040755 ouid=101 ogid=0 rdev=00:00
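
Added example, not part of the original bug report: a Python sketch that groups the audit records from Comment 2 by event id and reduces each AVC denial to source type, target type, class and permission, together with the executable and path from the matching SYSCALL and PATH records. The function names are assumptions of this example, and the sample input is the log above unwrapped to one record per line.

```python
import re
from collections import Counter
# Constructed input: the two events from Comment 2, unwrapped to one record per line.
SAMPLE = '''\
type=AVC msg=audit(1139522179.714:56): avc:  denied  { search } for  pid=2851 comm="rrdtool" name="rra" dev=hda2 ino=5505259 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_var_lib_t tclass=dir
type=SYSCALL msg=audit(1139522179.714:56): arch=40000003 syscall=5 success=no exit=-13 a0=805f048 a1=0 a2=1b6 a3=805d660 items=1 pid=2851 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="rrdtool" exe="/usr/bin/rrdtool"
type=CWD msg=audit(1139522179.714:56):  cwd="/usr/share/cacti"
type=PATH msg=audit(1139522179.714:56): item=0 name="/usr/share/cacti/rra/localhost_traffic_in_18.rrd" flags=101  inode=5505259 dev=03:02 mode=040755 ouid=101 ogid=0 rdev=00:00
type=AVC msg=audit(1139522179.770:57): avc:  denied  { search } for  pid=2852 comm="rrdtool" name="rra" dev=hda2 ino=5505259 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_var_lib_t tclass=dir
type=SYSCALL msg=audit(1139522179.770:57): arch=40000003 syscall=5 success=no exit=-13 a0=9682cd8 a1=0 a2=1b6 a3=9683c80 items=1 pid=2852 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="rrdtool" exe="/usr/bin/rrdtool"
type=CWD msg=audit(1139522179.770:57):  cwd="/usr/share/cacti"
type=PATH msg=audit(1139522179.770:57): item=0 name="/usr/share/cacti/rra/localhost_proc_7.rrd" flags=101  inode=5505259 dev=03:02 mode=040755 ouid=101 ogid=0 rdev=00:00
'''
HEADER = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$')
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(text):
    """Group records by audit event id; return one dict per AVC denial."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV.findall(body)}
        if rtype == "AVC" and (denied := DENIED.search(body)):
            fields["perms"] = denied.group(1).split()
        # One record per type is kept per event, which is enough for this log.
        events.setdefault(event_id, {})[rtype] = fields
    denials = []
    for event_id, recs in events.items():
        avc = recs.get("AVC", {})
        if "perms" in avc:
            denials.append({
                "event": event_id, "perms": avc["perms"], "tclass": avc["tclass"],
                # A context is user:role:type[:level]; the type is the third field.
                "source_type": avc["scontext"].split(":")[2],
                "target_type": avc["tcontext"].split(":")[2],
                "exe": recs.get("SYSCALL", {}).get("exe"),
                "path": recs.get("PATH", {}).get("name"),
            })
    return denials

def summarize(denials):
    """Count denials per (source type, target type, class, permission)."""
    return Counter((d["source_type"], d["target_type"], d["tclass"], p)
                   for d in denials for p in d["perms"])

if __name__ == "__main__":
    for rule, count in summarize(parse_denials(SAMPLE)).items():
        print(count, "x", rule)
```

Both events collapse to the same rule: httpd_sys_script_t denied search on a dir labelled httpd_var_lib_t, raised by /usr/bin/rrdtool.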


Comment 3 Daniel Walsh 2006-02-21 23:57:57 UTC
OK, let's go back to

chcon -R -t httpd_sys_content_t /var/lib/cacti/rra/

Updated in 2.2.19-2

Comment 4 Mike McGrath 2006-03-11 16:13:59 UTC
Sorry, haven't had time to test this, I'll try to do it this weekend or early
next week.

Comment 5 Mike McGrath 2006-07-24 02:38:46 UTC
Sorry this is long overdue.  This has corrected the issues cacti was having.
