Description of problem:

I am using lm_sensors/lm_sensors-sensord 2.10.5.1 to read and graph out the hwmon sensors on my motherboard. First, I tell sensord to generate an rrd database by uncommenting the following in /etc/sysconfig/sensord:

# RRD_LOGFILE=/var/log/sensors.rrd

Then I run 'sensord -g' as follows to generate a cgi script for displaying the database entries:

sensord -g /var/www/html/sensord/pix --rrd-file /var/log/sensors.rrd -a >| sensord.cgi

I then change the selinux context of sensord.cgi to:

system_u:object_r:httpd_sys_content_t

so that apache can read the cgi file. However, whenever apache runs the cgi file, I get the avc error message:

type=AVC msg=audit(1197906287.942:1574): avc: denied { read } for pid=13522 comm="sensord.cgi" name="sensors.rrd" dev=sda7 ino=1734701 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1197906287.946:1575): avc: denied { getattr } for pid=13522 comm="sensord.cgi" path="/var/log/sensors.rrd" dev=sda7 ino=1734701 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

So, it seems that we need a way to allow apache to read log files.
You can modify your policy by executing

# audit2allow -M mypol -i /var/log/audit/audit.log
# semodule -i mypol.pp

Or you can actually use system-config-selinux to generate policy for sensord.cgi.