Description of problem:
I upgraded from FC4 to FC5 on my server and the apache rotatelogs command can't read from log files:

audit(1144342092.191:821): avc: denied { read } for pid=7491 comm="rotatelogs" name="access.log.1144281600" dev=dm-2 ino=2943374 scontext=root:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.25-3.fc5

How reproducible:
always

Steps to Reproduce:
1. set up a website to use a log file definition like
   ErrorLog "|/usr/sbin/rotatelogs /web/yum/logs/error.log 604800"

Actual results:
logging fails because of above logged denial

Expected results:
log_t files should be readable/writable by rotatelogs.

Additional info:
Here is what I had to add for this to work properly:

[root@wintermute selinux]# more httpd.te
module httpd 1.0;

require {
        class file { create read };
        class dir { add_name write };
        type httpd_log_t;
        type httpd_sys_script_t;
};

allow httpd_sys_script_t httpd_log_t:file { create read };
allow httpd_sys_script_t httpd_log_t:dir { add_name write };
[root@wintermute selinux]#

Possibly rotatelogs shouldn't be running as a cgi script? It's more like the apache daemon itself than a cgi script.
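The module above is what you get by turning the AVC denial in the report into allow rules by hand. The following script is an added example (it is not from the bug report and not part of selinux-policy or policycoreutils) that automates that step: avc_to_te reads raw AVC lines and emits a complete .te source with the require block and merged allow rules, and build_and_load wraps the checkmodule / semodule_package / semodule -i sequence. The first sample denial is the one quoted in the report; the two dir denials and the module name are constructed here to show permissions for one (source, target, class) being merged into a single rule.

```shell
#!/bin/sh
# Added example, not code from the bug report: derive a loadable-module source
# from raw AVC denials the way the hand-written httpd.te above was derived.

# Sample input.  Line 1 is the denial quoted in the report; lines 2 and 3 are
# constructed here to exercise permission merging on the :dir class.
AVC_SAMPLE='audit(1144342092.191:821): avc: denied { read } for pid=7491 comm="rotatelogs" name="access.log.1144281600" dev=dm-2 ino=2943374 scontext=root:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
audit(1144342093.000:822): avc: denied { write } for pid=7491 comm="rotatelogs" name="logs" dev=dm-2 ino=2943300 scontext=root:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
audit(1144342093.001:823): avc: denied { add_name } for pid=7491 comm="rotatelogs" name="logs" dev=dm-2 ino=2943300 scontext=root:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir'

avc_to_te() {
  # $1: module name.  Reads AVC denial lines on stdin and prints a complete
  # .te source: a require block naming every type and class/permission used,
  # then one allow rule per (source type, target type, class) with the
  # permissions merged and de-duplicated.  Non-AVC lines are ignored.
  awk -v name="$1" '
    /avc: +denied/ {
      # First {...} on the line is the denied permission set.
      match($0, /\{[^}]*\}/)
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      # Third field of user:role:type[:level] is the type.
      match($0, /scontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), sc, ":")
      match($0, /tcontext=[^ ]+/); split(substr($0, RSTART + 9, RLENGTH - 9), tc, ":")
      match($0, /tclass=[^ ]+/);   cls = substr($0, RSTART + 7, RLENGTH - 7)
      src = sc[3]; tgt = tc[3]
      # Remember first-seen order so the output is deterministic.
      if (!(src in seen_type)) { seen_type[src] = 1; types[++nt] = src }
      if (!(tgt in seen_type)) { seen_type[tgt] = 1; types[++nt] = tgt }
      if (!(cls in seen_cls))  { seen_cls[cls] = 1;  classes[++nc] = cls }
      key = src SUBSEP tgt SUBSEP cls
      if (!(key in seen_rule)) { seen_rule[key] = 1; rules[++nr] = key }
      n = split(perms, pl, " ")
      for (i = 1; i <= n; i++) {
        if (!((cls, pl[i]) in seen_cp)) { seen_cp[cls, pl[i]] = 1; clsperms[cls] = clsperms[cls] pl[i] " " }
        if (!((key, pl[i]) in seen_rp)) { seen_rp[key, pl[i]] = 1; ruleperms[key] = ruleperms[key] pl[i] " " }
      }
    }
    END {
      print "module " name " 1.0;\n"
      print "require {"
      for (i = 1; i <= nc; i++) print "\tclass " classes[i] " { " clsperms[classes[i]] "};"
      for (i = 1; i <= nt; i++) print "\ttype " types[i] ";"
      print "}\n"
      for (i = 1; i <= nr; i++) {
        split(rules[i], k, SUBSEP)
        print "allow " k[1] " " k[2] ":" k[3] " { " ruleperms[rules[i]] "};"
      }
    }'
}

build_and_load() {
  # $1: module name.  Reads the .te source on stdin, writes $1.te/.mod/.pp in
  # the current directory and loads the package.  Needs checkmodule,
  # semodule_package and semodule (checkpolicy / policycoreutils) and root;
  # it is defined here but not run by the demo below.
  cat > "$1.te"
  checkmodule -M -m -o "$1.mod" "$1.te"
  semodule_package -o "$1.pp" -m "$1.mod"
  semodule -i "$1.pp"
}

# Run with --demo to print the generated module for the sample denials.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$AVC_SAMPLE" | avc_to_te httpd_rotatelogs_local
fi
```

To go from a live system to a loaded module: grep the AVC lines out of /var/log/audit/audit.log (or dmesg), pipe them through avc_to_te with a module name, inspect the output, and only then pipe it into build_and_load. The inspection step matters: the generator reports exactly what the denial asked for, and for this report that is "let every httpd_sys_script_t script read and create httpd_log_t files", which is the grant comment 8 argues you do not actually want.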
If you turn off the boolean httpd_ssi_exec does it work properly? setsebool -P httpd_ssi_exec=0
Assuming 'semodule -b /usr/share/selinux/targeted/base.pp' resets policy to the default shipped without my modifications (is that true?), then 'setsebool -P httpd_ssi_exec=0' does not fix the problem. As an aside, if I change policy using semodule, do the changes survive reboots? If the targeted policy rpm is updated, are my changes incorporated into the new policy?
semodule changes are permanent and do survive a reboot.
So does 'semodule -b /usr/share/selinux/targeted/base.pp' reset the policy to the shipped default?
It resets the "base" policy to the shipped default. But if you loaded any other modules with semodule -i, those will be used also. If you want to remove those use semodule -r.

semodule -l
clamav  1.0.0
w3c     1.2.1
xfs     1.0
The problem is that rotatelogs is running as a generic script httpd_sys_script_t and you don't want to give that access to httpd_log_t. One way I think you can work around it is to do...

cp -a /usr/sbin/rotatelogs /var/www/rotatelogs
chcon -t httpd_sys_script_rw_t /var/www/rotatelogs

(might need httpd_unconfined_script_exec_t instead).

...and use /var/www/rotatelogs ... I'm not sure if that's the right fix though.
We could create a special context for /usr/sbin/rotatelogs, httpd_rotatelogs_exec_t and httpd_rotatelogs_t, and this would only be allowed to do its thing. Then we could allow, perhaps via booleans, the transition from domain_auto_trans(httpd_sys_script_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
Created httpd_rotatelogs_exec_t in selinux-policy-2.2.47-3, has not been tested but is close to what you need.
I've just installed FC6 and have essentially the same problem. I believe now selinux won't allow httpd to execute rotatelogs. I've had to add this module:

module tjb_httpd_rotatelogs 1.0;

require {
        class file execute_no_trans;
        class file read;
        type httpd_t;
        type shell_exec_t;
        role system_r;
};

allow httpd_t shell_exec_t:file execute_no_trans;
allow httpd_t shell_exec_t:file read;

How would I use httpd_rotatelogs_exec_t instead?
Closing bugs