Bug 188177 - default policy doesn't allow rotatelogs to read httpd_log_t type files
Summary: default policy doesn't allow rotatelogs to read httpd_log_t type files
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
(Show other bugs)
Version: 5
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: James Antill
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2006-04-06 17:55 UTC by Thomas J. Baker
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-03-28 20:02:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Thomas J. Baker 2006-04-06 17:55:30 UTC
Description of problem:

I upgraded from FC4 to FC5 on my server and the apache rotatelogs command can't
read from log files:

audit(1144342092.191:821): avc:  denied  { read } for  pid=7491
comm="rotatelogs" name="access.log.1144281600" dev=dm-2 ino=2943374
tcontext=system_u:object_r:httpd_log_t:s0 tclass=file

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. set up a website to use a log file definition like

  ErrorLog "|/usr/sbin/rotatelogs /web/yum/logs/error.log 604800"

Actual results:

logging fails because of above logged denial

Expected results:

log_t files should be readable/writable by rotatelogs. 

Additional info:

Comment 1 Thomas J. Baker 2006-04-06 20:10:55 UTC
Here is what I had to add for this to work properly:

[root@wintermute selinux]# more httpd.te
module httpd 1.0;

require {
        class file { create read };
        class dir { add_name write };

        type httpd_log_t;
        type httpd_sys_script_t;

allow httpd_sys_script_t httpd_log_t:file { create read };
allow httpd_sys_script_t httpd_log_t:dir { add_name write };
[root@wintermute selinux]#

Possibly rotatelogs shouldn't be running as a cgi script? It's more like the
apache daemon itself than a cgi script.

Comment 2 Daniel Walsh 2006-04-19 14:51:38 UTC
If you turn off the boolean httpd_ssi_exec does it work properly?

setsebool -P httpd_ssi_exec=0

Comment 3 Thomas J. Baker 2006-04-19 19:12:45 UTC
Assuming 'semodule -b /usr/share/selinux/targeted/base.pp' resets policy to the
default shipped without my modifications (is that true?), then 'setsebool -P
httpd_ssi_exec=0' does not fix the problem.

As an aside, if I change policy using semodule, do the changes survive reboots?
If  the targeted policy rpm is updated, are my changes incorporated into the new

Comment 5 Daniel Walsh 2006-05-09 16:01:42 UTC
semodule changes are permanant and do survice a reboot.

Comment 6 Thomas J. Baker 2006-05-09 17:39:47 UTC
So does 'semodule -b /usr/share/selinux/targeted/base.pp' reset the policy to
the shipped default?

Comment 7 Daniel Walsh 2006-05-09 18:11:02 UTC
It resets the "base" policy to the shipped default.   But if you loaded any
other modules with semodule -i, those will be used also.  If you want to remove
those use semodule -r

semodule -l
clamav  1.0.0
w3c     1.2.1
xfs     1.0

Comment 8 James Antill 2006-06-06 22:40:33 UTC
 The problem is that rotatelogs is running as a generic script
httpd_sys_script_t and you don't want to give that access to httpd_log_t.
 One way I think you can work around it is to do...

cp -a /usr/sbin/rotatelog /var/www/rotatelog
chcon -t httpd_sys_script_rw_t /var/www/rotatelog

 (might need httpd_unconfined_script_exec_t instead).

...and use /var/www/rotatelog ... I'm not sure if that's the right fix though.

Comment 9 Daniel Walsh 2006-06-07 14:20:30 UTC
We could create a special context for /usr/sbin/rotatelog

httpd_rotatelog_exec_t and httpd_rotatelog_t, and this would only be allowed to
do it's thing.  Then we could allow perhaps via booleans the transition from 
domain_auto_trans(httpd_sys_script_t, httpd_rotatelog_exec_t, httpd_rotatelog_t)

Comment 10 Daniel Walsh 2006-06-16 02:17:01 UTC
Created httpd_rotatelogs_exec_t in selinux-policy-2.2.47-3, has not been tested
but is close to what you need.

Comment 11 Thomas J. Baker 2006-11-01 17:35:58 UTC
I've just installed FC6 and have essentially the same problem. I believe now
selinux won't allow httpd to execute rotatelogs. I've had to add this module:

module tjb_httpd_rotatelogs 1.0;

require {
        class file execute_no_trans;
        class file read;
        type httpd_t; 
        type shell_exec_t; 
        role system_r; 

allow httpd_t shell_exec_t:file execute_no_trans;
allow httpd_t shell_exec_t:file read;

How would I use httpd_rotatelogs_exec_t instead?

Comment 12 Daniel Walsh 2007-03-28 20:02:21 UTC
Closing bugs

Note You need to log in before you can comment on or make changes to this bug.