Bug 452353 - SELinux is preventing logrotate (logrotate_t) "read" to ./glpi (httpd_sys_content_t).
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: glpi
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Remi Collet
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-06-21 05:11 EDT by Stephanos Manos
Modified: 2008-09-13 10:12 EDT (History)

Doc Type: Bug Fix
Last Closed: 2008-09-13 10:12:49 EDT
Description Stephanos Manos 2008-06-21 05:11:25 EDT
Summary:

SELinux is preventing logrotate (logrotate_t) "read" to ./glpi
(httpd_sys_content_t).

Detailed Description:

SELinux denied access requested by logrotate. It is not expected that this
access is required by logrotate and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./glpi,

restorecon -v './glpi'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:logrotate_t
Target Context                system_u:object_r:httpd_sys_content_t
Target Objects                ./glpi [ dir ]
Source                        logrotate
Source Path                   /usr/sbin/logrotate
Port                          <Unknown>
Host                          viper.myhome-net.net
Source RPM Packages           logrotate-3.7.6-2.2.fc8
Target RPM Packages           
Policy RPM                    selinux-policy-3.0.8-109.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     viper.myhome-net.net
Platform                      Linux viper.myhome-net.net 2.6.25.6-27.fc8 #1 SMP
                              Fri Jun 13 16:38:52 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Sat 21 Jun 2008 03:43:34 AM EEST
Last Seen                     Sat 21 Jun 2008 03:43:34 AM EEST
Local ID                      bc8e66bb-959b-4227-a759-7b61170cc451
Line Numbers                  

Raw Audit Messages            

host=viper.myhome-net.net type=AVC msg=audit(1214009014.387:294): avc:  denied 
{ read } for  pid=20471 comm="logrotate" name="glpi" dev=dm-0 ino=13336719
scontext=system_u:system_r:logrotate_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir

host=viper.myhome-net.net type=SYSCALL msg=audit(1214009014.387:294):
arch=40000003 syscall=5 success=no exit=-13 a0=bfcda700 a1=98800 a2=11 a3=0
items=0 ppid=20469 pid=20471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate"
exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0 key=(null)
Comment 1 Daniel Walsh 2008-06-22 06:20:37 EDT
Remi, 
Comment 2 Daniel Walsh 2008-06-22 06:25:28 EDT
Remi, 

You are setting the file context of the log file to httpd_sys_script_rw_t? Do you
need http to be able to write to this directory? It should be labeled httpd_log_t;
this would allow other apps like logrotate to work on it. If

Similarly /var/lib/glpi might be better off labeled httpd_var_lib_t
Comment 3 Remi Collet 2008-06-22 11:48:14 EDT
Yes, http must be able to write to this directory because GLPI can create various
log files; some are known (php-error, sql-error) but others come from plugins.

I need some investigation on this issue.

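A small triage script, added here and not part of the bug report or the glpi package, that parses the AVC record from the description above and turns the relabel Dan Walsh proposes in Comment 2 (httpd_sys_content_t on the log directory, which logrotate_t may not read, to httpd_log_t) into persistent semanage/restorecon commands. The second sample denial, the rule table and the path /var/log/glpi are assumptions; the AVC itself only carries the basename "glpi".

```python
import re

# Constructed sample input: the AVC record from this bug's Raw Audit Messages (joined
# onto one line) plus one made-up denial that matches no known mislabel rule.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1214009014.387:294): avc:  denied  { read } for  pid=20471 '
    'comm="logrotate" name="glpi" dev=dm-0 ino=13336719 scontext=system_u:system_r:'
    'logrotate_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir',
    'type=AVC msg=audit(1214009999.000:301): avc:  denied  { write } for  pid=20600 '
    'comm="httpd" name="glpi" dev=dm-0 ino=13336720 scontext=system_u:system_r:'
    'httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir',
]
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Relabel proposed in Comment 2: the log directory carried the static web-content type,
# which logrotate_t may not read; httpd_log_t is the type both httpd and logrotate handle.
RELABEL_RULES = {("logrotate_t", "httpd_sys_content_t", "dir"): "httpd_log_t"}

def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    # An SELinux context is user:role:type[:level]; the type is the third component.
    return {"result": m.group("result"), "perms": m.group("perms").split(),
            "comm": fields.get("comm"), "name": fields.get("name"),
            "stype": fields["scontext"].split(":")[2],
            "ttype": fields["tcontext"].split(":")[2], "tclass": fields.get("tclass")}

def recommend(avc, path):
    """Persistent relabel commands for a denial caused by a known mislabel; the admin
    supplies the full path (assumed here) because the AVC only carries the basename.
    Returns None when the (domain, type, class) triple is unknown: investigate it first."""
    new_type = RELABEL_RULES.get((avc["stype"], avc["ttype"], avc["tclass"]))
    if new_type is None:
        return None
    return [f"semanage fcontext -a -t {new_type} '{path}(/.*)?'", f"restorecon -Rv {path}"]

if __name__ == "__main__":
    for avc in map(parse_avc, SAMPLE_AUDIT):
        fix = recommend(avc, "/var/log/glpi")
        print(avc["comm"], avc["perms"], f'{avc["stype"]} -> {avc["ttype"]} ({avc["tclass"]})')
        print("  " + ("\n  ".join(fix) if fix else "no known mislabel: review before allowing"))
```

Unlike a one-off `restorecon -v './glpi'`, the `semanage fcontext` entry survives the next full relabel; an unmatched denial deliberately gets no command, since the setroubleshoot text itself notes that unexpected access may signal an intrusion.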
Comment 4 Fedora Update System 2008-07-12 05:24:41 EDT
glpi-0.71-1.fc8 has been submitted as an update for Fedora 8
Comment 5 Fedora Update System 2008-07-15 08:15:55 EDT
glpi-0.71-1.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update glpi'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-6317
Comment 6 Remi Collet 2008-09-13 10:12:49 EDT
Switch to httpd_log_t is ok, except for installation script.

This is reported/fixed upstream.

All should be fine in 0.71.1-1
