Bug 425977 - sensord cgi script can't access /var/log/sensors.rrd
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Blocks: 1089558
Reported: 2007-12-17 10:47 EST by Need Real Name
Modified: 2014-04-20 16:21 EDT
Doc Type: Bug Fix
Last Closed: 2007-12-26 18:21:03 EST
Description Need Real Name 2007-12-17 10:47:12 EST
Description of problem:
I am using lm_sensors/lm_sensors-sensord 2.10.5.1 to read and graph out the
hwmon sensors on my motherboard.

First, I tell sensord to generate an rrd database by uncommenting the following
in /etc/sysconfig/sensord:
# RRD_LOGFILE=/var/log/sensors.rrd

Then I run 'sensord -g' as follows to generate a cgi script for displaying the
database entries:
   sensord -g /var/www/html/sensord/pix --rrd-file /var/log/sensors.rrd -a >| sensord.cgi
I then change the selinux context of sensord.cgi to:
system_u:object_r:httpd_sys_content_t so that apache can read the cgi file.

However, whenever apache runs the cgi file, I get the avc error message:
type=AVC msg=audit(1197906287.942:1574): avc:  denied  { read } for  pid=13522 comm="sensord.cgi" name="sensors.rrd" dev=sda7 ino=1734701 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

type=AVC msg=audit(1197906287.946:1575): avc:  denied  { getattr } for  pid=13522 comm="sensord.cgi" path="/var/log/sensors.rrd" dev=sda7 ino=1734701 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

So, it seems that we need a way to allow apache to read log files.
Comment 1 Daniel Walsh 2007-12-26 18:21:03 EST
You can modify your policy by executing


# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Or you can actually use system-config-selinux to generate policy for sensord.cgi.
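
Added example, not part of the original bug report and not audit2allow's own code: a simplified Python sketch that groups AVC denials by source type, target type and class and renders the corresponding allow statements, so the grant can be reviewed before a module built from the whole audit log is loaded. The first two sample records are the ones quoted in the description; the third record and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Records 1-2: the denials quoted in the bug description, one per line.
# Record 3: constructed here, an unrelated denial sitting in the same log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1197906287.942:1574): avc:  denied  { read } for  pid=13522 comm="sensord.cgi" name="sensors.rrd" dev=sda7 ino=1734701 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1197906287.946:1575): avc:  denied  { getattr } for  pid=13522 comm="sensord.cgi" path="/var/log/sensors.rrd" dev=sda7 ino=1734701 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1197906300.000:1600): avc:  denied  { write } for  pid=13600 comm="other.cgi" name="scratch" dev=sda7 ino=1000001 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field (third) of a user:role:type[:level] context."""
    return context.split(":")[2]


def parse_denials(log_text, comm=None):
    """Group denied permissions by (source type, target type, class).

    If comm is given, only records logged for that command name are counted.
    """
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        if comm is not None and f'comm="{comm}"' not in line:
            continue
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return dict(grouped)


def allow_rules(grouped):
    """Render the grouped denials as SELinux allow statements."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(parse_denials(SAMPLE_AUDIT_LOG, comm="sensord.cgi")):
        print(rule)
```

The rule is expressed in types, so it covers every file labelled var_log_t for every httpd_sys_script_t script, not only /var/log/sensors.rrd; without the comm filter, the unrelated denial in the same log would be turned into a grant as well.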

