Résumé: SELinux is preventing /bin/bash from using potentially mislabeled files /usr/local/centreon/log/error-sql-2010-02-08.log. Description détaillée: SELinux has denied the sh access to potentially mislabeled files /usr/local/centreon/log/error-sql-2010-02-08.log. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, httpd_squirrelmail_t, httpd_var_lib_t, httpd_var_run_t, logfile, httpd_t, squirrelmail_spool_t, httpd_lock_t, httpd_log_t, httpd_rw_content, user_tmp_t, httpd_cache_t, httpd_tmpfs_t, user_home_t, httpd_tmp_t, httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t, httpd_nagios_content_ra_t, httpd_nagios_content_rw_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t, httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t, httpd_squid_content_ra_t, httpd_squid_content_rw_t, root_t, httpd_apcupsd_cgi_content_ra_t, httpd_apcupsd_cgi_content_rw_t, httpd_prewikka_content_ra_t, httpd_prewikka_content_rw_t, httpd_awstats_content_ra_t, httpd_awstats_content_rw_t, httpd_w3c_validator_content_ra_t, httpd_w3c_validator_content_rw_t, httpd_user_content_ra_t, httpd_user_content_rw_t, httpdcontent, httpd_munin_content_ra_t, httpd_munin_content_rw_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access. Autoriser l'accès: If you want to change the file context of /usr/local/centreon/log/error-sql-2010-02-08.log so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE '/usr/local/centreon/log/error-sql-2010-02-08.log'. where FILE_TYPE is one of the following: httpd_squirrelmail_t, httpd_var_lib_t, httpd_var_run_t, logfile, httpd_t, squirrelmail_spool_t, httpd_lock_t, httpd_log_t, httpd_rw_content, user_tmp_t, httpd_cache_t, httpd_tmpfs_t, user_home_t, httpd_tmp_t, httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t, httpd_nagios_content_ra_t, httpd_nagios_content_rw_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t, httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t, httpd_squid_content_ra_t, httpd_squid_content_rw_t, root_t, httpd_apcupsd_cgi_content_ra_t, httpd_apcupsd_cgi_content_rw_t, httpd_prewikka_content_ra_t, httpd_prewikka_content_rw_t, httpd_awstats_content_ra_t, httpd_awstats_content_rw_t, httpd_w3c_validator_content_ra_t, httpd_w3c_validator_content_rw_t, httpd_user_content_ra_t, httpd_user_content_rw_t, httpdcontent, httpd_munin_content_ra_t, httpd_munin_content_rw_t. You can look at the httpd_selinux man page for additional information. Informations complémentaires: Contexte source system_u:system_r:httpd_t:s0 Contexte cible system_u:object_r:usr_t:s0 Objets du contexte /usr/local/centreon/log/error-sql-2010-02-08.log [ file ] source sh Chemin de la source /bin/bash Port <Inconnu> Hôte (removed) Paquetages RPM source bash-4.0.35-2.fc12 Paquetages RPM cible Politique RPM selinux-policy-3.6.32-78.fc12 Selinux activé True Type de politique targeted Mode strict Enforcing Nom du plugin httpd_bad_labels Nom de l'hôte (removed) Plateforme Linux galerien.galere.free.fr 2.6.31.12-174.2.3.fc12.x86_64 #1 SMP Mon Jan 18 19:52:07 UTC 2010 x86_64 x86_64 Compteur d'alertes 2 Première alerte lun. 08 févr. 2010 08:18:40 CET Dernière alerte lun. 08 févr. 2010 08:18:40 CET ID local 9a6d6534-3370-44db-9156-f491d6e38ea4 Numéros des lignes Messages d'audit bruts node=galerien.galere.free.fr type=AVC msg=audit(1265613520.677:1335): avc: denied { append } for pid=17826 comm="sh" name="error-sql-2010-02-08.log" dev=sdc5 ino=5154616 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file node=galerien.galere.free.fr type=SYSCALL msg=audit(1265613520.677:1335): arch=c000003e syscall=2 success=no exit=-13 a0=1035140 a1=401 a2=1b6 a3=0 items=0 ppid=2065 pid=17826 auid=4294967295 uid=48 gid=488 euid=48 suid=48 fsuid=48 egid=488 sgid=488 fsgid=488 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null) Hash String generated from httpd_bad_labels,sh,httpd_t,usr_t,file,append audit2allow suggests: #============= httpd_t ============== allow httpd_t usr_t:file append;
# chcon -R -t var_log_t /usr/local/centreon/log Will fix, centreon should move their log file to /var/log where it would be labelled correctly. Miroslav add /usr/local/centreon/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
Fixed in selinux-policy-3.6.32-91.fc12
selinux-policy-3.6.32-92.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-92.fc12
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-2953
selinux-policy-3.6.32-92.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.