Bug 188177 - default policy doesn't allow rotatelogs to read httpd_log_t type files
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: James Antill
Reported: 2006-04-06 13:55 EDT by Thomas J. Baker
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-03-28 16:02:21 EDT
Description Thomas J. Baker 2006-04-06 13:55:30 EDT
Description of problem:

I upgraded from FC4 to FC5 on my server and the apache rotatelogs command can't
read from log files:

audit(1144342092.191:821): avc:  denied  { read } for  pid=7491
comm="rotatelogs" name="access.log.1144281600" dev=dm-2 ino=2943374
scontext=root:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:httpd_log_t:s0 tclass=file

Version-Release number of selected component (if applicable):

selinux-policy-targeted-2.2.25-3.fc5

How reproducible:

always

Steps to Reproduce:
1. set up a website to use a log file definition like

  ErrorLog "|/usr/sbin/rotatelogs /web/yum/logs/error.log 604800"

Actual results:

logging fails because of above logged denial

Expected results:

log_t files should be readable/writable by rotatelogs. 

Additional info:
Comment 1 Thomas J. Baker 2006-04-06 16:10:55 EDT
Here is what I had to add for this to work properly:

[root@wintermute selinux]# more httpd.te
module httpd 1.0;

require {
        class file { create read };
        class dir { add_name write };

        type httpd_log_t;
        type httpd_sys_script_t;
};

allow httpd_sys_script_t httpd_log_t:file { create read };
allow httpd_sys_script_t httpd_log_t:dir { add_name write };
[root@wintermute selinux]#

Possibly rotatelogs shouldn't be running as a cgi script? It's more like the
apache daemon itself than a cgi script.
Comment 2 Daniel Walsh 2006-04-19 10:51:38 EDT
If you turn off the boolean httpd_ssi_exec does it work properly?

setsebool -P httpd_ssi_exec=0
Comment 3 Thomas J. Baker 2006-04-19 15:12:45 EDT
Assuming 'semodule -b /usr/share/selinux/targeted/base.pp' resets policy to the
default shipped without my modifications (is that true?), then 'setsebool -P
httpd_ssi_exec=0' does not fix the problem.

As an aside, if I change policy using semodule, do the changes survive reboots?
If the targeted policy rpm is updated, are my changes incorporated into the new
policy?
Comment 5 Daniel Walsh 2006-05-09 12:01:42 EDT
semodule changes are permanent and do survive a reboot.
Comment 6 Thomas J. Baker 2006-05-09 13:39:47 EDT
So does 'semodule -b /usr/share/selinux/targeted/base.pp' reset the policy to
the shipped default?
Comment 7 Daniel Walsh 2006-05-09 14:11:02 EDT
It resets the "base" policy to the shipped default. But if you loaded any
other modules with semodule -i, those will be used also. If you want to remove
those, use semodule -r.


semodule -l
clamav  1.0.0
w3c     1.2.1
xfs     1.0
Comment 8 James Antill 2006-06-06 18:40:33 EDT
The problem is that rotatelogs is running as a generic script
httpd_sys_script_t and you don't want to give that access to httpd_log_t.
One way I think you can work around it is to do...

cp -a /usr/sbin/rotatelog /var/www/rotatelog
chcon -t httpd_sys_script_rw_t /var/www/rotatelog

(might need httpd_unconfined_script_exec_t instead).

...and use /var/www/rotatelog ... I'm not sure if that's the right fix though.
Comment 9 Daniel Walsh 2006-06-07 10:20:30 EDT
We could create a special context for /usr/sbin/rotatelog

httpd_rotatelog_exec_t and httpd_rotatelog_t, and this would only be allowed to
do its thing. Then we could allow perhaps via booleans the transition from
domain_auto_trans(httpd_sys_script_t, httpd_rotatelog_exec_t, httpd_rotatelog_t)
Comment 10 Daniel Walsh 2006-06-15 22:17:01 EDT
Created httpd_rotatelogs_exec_t in selinux-policy-2.2.47-3, has not been tested
but is close to what you need.
Comment 11 Thomas J. Baker 2006-11-01 12:35:58 EST
I've just installed FC6 and have essentially the same problem. I believe now
selinux won't allow httpd to execute rotatelogs. I've had to add this module:

module tjb_httpd_rotatelogs 1.0;

require {
        class file execute_no_trans;
        class file read;
        type httpd_t; 
        type shell_exec_t; 
        role system_r; 
};

allow httpd_t shell_exec_t:file execute_no_trans;
allow httpd_t shell_exec_t:file read;

How would I use httpd_rotatelogs_exec_t instead?
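As an added example (not an attachment to this bug, nor Fedora's shipped policy), here is the dedicated domain Comment 9 sketches, written as a raw loadable module in the same form as Comment 1's httpd.te and using the names from Comment 10. It assumes httpd_t executes rotatelogs directly (no shell in between) and that httpd_t, httpd_log_t, the domain attribute and system_r come from the base policy.

```selinux
# Added example, not an attachment to this bug or Fedora's shipped policy: a raw
# loadable module (built like Comment 1's httpd.te with checkmodule/semodule_package)
# giving rotatelogs its own domain, as Comment 9 sketches, with the names Comment 10
# mentions. Assumes httpd_t execs rotatelogs directly (no shell in between) and that
# the base policy defines httpd_t, httpd_log_t, the domain attribute and system_r.

module httpd_rotatelogs_local 1.0;

require {
        attribute domain;
        role system_r;
        type httpd_t;
        type httpd_log_t;
        class process { transition sigchld signal sigkill };
        class fd use;
        class fifo_file { read write getattr ioctl };
        class file { read write append getattr open create execute entrypoint };
        class dir { search getattr write add_name };
}

# New types: the label for the binary and the domain it runs in.
type httpd_rotatelogs_exec_t;
type httpd_rotatelogs_t;
typeattribute httpd_rotatelogs_t domain;   # the basic rules every domain gets
role system_r types httpd_rotatelogs_t;    # httpd_t runs as system_r, so must its child

# Domain transition: httpd_t executing httpd_rotatelogs_exec_t lands in httpd_rotatelogs_t.
# ("open" is required by current policies; drop it on a base policy older than that permission.)
allow httpd_t httpd_rotatelogs_exec_t:file { read getattr open execute };
allow httpd_t httpd_rotatelogs_t:process { transition signal sigkill };
allow httpd_rotatelogs_t httpd_rotatelogs_exec_t:file entrypoint;
type_transition httpd_t httpd_rotatelogs_exec_t:process httpd_rotatelogs_t;

# Plumbing for "|/usr/sbin/rotatelogs ...": the anonymous pipe and inherited
# descriptors carry httpd_t's label, and the child reports its exit to httpd_t.
allow httpd_rotatelogs_t httpd_t:fd use;
allow httpd_rotatelogs_t httpd_t:fifo_file { read write getattr ioctl };
allow httpd_rotatelogs_t httpd_t:process sigchld;

# The whole point: only this domain may create and append httpd_log_t files.
# Generic CGI (httpd_sys_script_t) is granted nothing here, unlike Comment 1's module.
allow httpd_rotatelogs_t httpd_log_t:dir { search getattr write add_name };
allow httpd_rotatelogs_t httpd_log_t:file { create getattr open read write append };

# Matching file context (httpd_rotatelogs_local.fc), applied with restorecon:
# /usr/sbin/rotatelogs  --  system_u:object_r:httpd_rotatelogs_exec_t:s0
```

Any remaining denials for the new domain (for instance reading /etc/localtime for the timestamped file names) show up in audit.log with scontext httpd_rotatelogs_t and are added to this module the same way, which keeps the grant scoped to rotatelogs rather than to every script httpd runs.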
Comment 12 Daniel Walsh 2007-03-28 16:02:21 EDT
Closing bugs
