Bug 180482 - Cacti does not work with targeted policy (apache)
Cacti does not work with targeted policy (apache)
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: James Antill
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-02-08 10:27 EST by Mike McGrath
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-07-23 22:38:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mike McGrath 2006-02-08 10:27:47 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20051010 Firefox/1.0.7 (Ubuntu package 1.0.7)

Description of problem:
I just got done packaging Cacti for Fedora Extras.  Its been approved but it doesn't work with SELinux.  Cacti stores log files in /var/log/cacti/ and round robin database files in /var/lib/cacti/rra/

To fix this problem it is possible to run the following commands:

chcon -R -t httpd_sys_content_t /var/log/cacti/
chcon -R -t httpd_sys_content_t /var/lib/cacti/rra/

It was suggested to me to get new contexts for Cacti incorperated: 

https://www.redhat.com/archives/fedora-extras-list/2006-January/msg01169.html



Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install cacti
2. verify Selinux is enabled (targeted)
3. watch cacti fail.

Additional info:
Comment 1 Daniel Walsh 2006-02-09 08:47:35 EST
Does it work with

chcon -R -t httpd_log_t /var/log/cacti/
chcon --R -t httpd_var_lib_t /var/lib/cacti/rra/
Comment 2 Mike McGrath 2006-02-09 16:55:44 EST
The logs seem to work now (can be read) but rra doesn't seem to work.  I assume
you wanted -R instead of --R.  Here's the audit logs:

type=AVC msg=audit(1139522179.714:56): avc:  denied  { search } for  pid=2851
comm="rrdtool" name="rra" dev=hda2 ino=5505259
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:httpd_var_lib_t tclass=dir
type=SYSCALL msg=audit(1139522179.714:56): arch=40000003 syscall=5 success=no
exit=-13 a0=805f048 a1=0 a2=1b6 a3=805d660 items=1 pid=2851 auid=0 uid=48 gid=48
euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="rrdtool"
exe="/usr/bin/rrdtool"
type=CWD msg=audit(1139522179.714:56):  cwd="/usr/share/cacti"
type=PATH msg=audit(1139522179.714:56): item=0
name="/usr/share/cacti/rra/localhost_traffic_in_18.rrd" flags=101  inode=5505259
dev=03:02 mode=040755 ouid=101 ogid=0 rdev=00:00
type=AVC msg=audit(1139522179.770:57): avc:  denied  { search } for  pid=2852
comm="rrdtool" name="rra" dev=hda2 ino=5505259
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:httpd_var_lib_t tclass=dir
type=SYSCALL msg=audit(1139522179.770:57): arch=40000003 syscall=5 success=no
exit=-13 a0=9682cd8 a1=0 a2=1b6 a3=9683c80 items=1 pid=2852 auid=0 uid=48 gid=48
euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="rrdtool"
exe="/usr/bin/rrdtool"
type=CWD msg=audit(1139522179.770:57):  cwd="/usr/share/cacti"
type=PATH msg=audit(1139522179.770:57): item=0
name="/usr/share/cacti/rra/localhost_proc_7.rrd" flags=101  inode=5505259
dev=03:02 mode=040755 ouid=101 ogid=0 rdev=00:00
Comment 3 Daniel Walsh 2006-02-21 18:57:57 EST
Ok lets go back to 

chcon -R -t httpd_sys_content_t /var/lib/cacti/rra/

Updated in 2.2.19-2
Comment 4 Mike McGrath 2006-03-11 11:13:59 EST
Sorry, haven't had time to test this, I'll try to do it this weekend or early
next week.
Comment 5 Mike McGrath 2006-07-23 22:38:46 EDT
Sorry this is long overdue.  This has corrected the issues cacti was having.

Note You need to log in before you can comment on or make changes to this bug.