Hash String generated from httpd_bad_labels,piranha_gui,httpd_t,httpd_log_t,file,write audit2allow suggests:
Please attach the full source of the data. This looks like a bug in the piranha_gui which should only be appending to a log file not writing to it.

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

If it is blocking anything.
Summary:

SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files apache_runtime_status.

Detailed Description:

SELinux has denied the piranha_gui access to potentially mislabeled files apache_runtime_status. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types: httpd_tmp_t, httpd_squirrelmail_t, httpd_var_lib_t, httpd_var_run_t, afs_cache_t, httpd_t, squirrelmail_spool_t, httpd_lock_t, httpd_rw_content, httpd_cache_t, httpd_tmpfs_t, httpdcontent, httpd_munin_content_rw_t, httpd_bugzilla_content_rw_t, httpd_nagios_content_rw_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t, httpd_cvs_content_rw_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_rw_t, httpd_squid_content_rw_t, httpd_apcupsd_cgi_content_rw_t, httpd_prewikka_content_rw_t, httpd_awstats_content_rw_t, root_t, httpd_w3c_validator_content_rw_t, httpd_user_content_rw_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.

Allowing Access:

If you want to change the file context of apache_runtime_status so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE 'apache_runtime_status', where FILE_TYPE is one of the following: httpd_tmp_t, httpd_squirrelmail_t, httpd_var_lib_t, httpd_var_run_t, afs_cache_t, httpd_t, squirrelmail_spool_t, httpd_lock_t, httpd_rw_content, httpd_cache_t, httpd_tmpfs_t, httpdcontent, httpd_munin_content_rw_t, httpd_bugzilla_content_rw_t, httpd_nagios_content_rw_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t, httpd_cvs_content_rw_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_rw_t, httpd_squid_content_rw_t, httpd_apcupsd_cgi_content_rw_t, httpd_prewikka_content_rw_t, httpd_awstats_content_rw_t, root_t, httpd_w3c_validator_content_rw_t, httpd_user_content_rw_t. You can look at the httpd_selinux man page for additional information.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_log_t:s0
Target Objects                apache_runtime_status [ file ]
Source                        piranha_gui
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          nikicat-laptop.butovo
Source RPM Packages           httpd-2.2.14-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-92.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     nikicat-laptop.butovo
Platform                      Linux nikicat-laptop.butovo 2.6.32.9-70.fc12.x86_64 #1 SMP Wed Mar 3 04:40:41 UTC 2010 x86_64 x86_64
Alert Count                   5
First Seen                    Fri 12 Mar 2010 07:24:31
Last Seen                     Fri 12 Mar 2010 07:31:43
Local ID                      500d59f0-814c-45c4-82eb-c2b6437b9ba3
Line Numbers

Raw Audit Messages

node=nikicat-laptop.butovo type=AVC msg=audit(1268368303.452:26188): avc: denied { write } for pid=11531 comm="piranha_gui" name="apache_runtime_status" dev=dm-1 ino=4592401 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file

node=nikicat-laptop.butovo type=SYSCALL msg=audit(1268368303.452:26188): arch=c000003e syscall=2 success=no exit=-13 a0=7f0bedd99f80 a1=80001 a2=1b6 a3=7fffd1355a90 items=0 ppid=1 pid=11531 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="piranha_gui" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
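Added example, not from the bug report or the piranha project: a small Python triage script that pairs the AVC record with the SYSCALL record carrying the same event serial, rebuilds the (comm, source type, target type, class, permission) key that setroubleshoot's hash string above is built from, and decodes the open(2) flags in a1 to show that the file was opened for plain write with no O_APPEND, so the policy check was file:write rather than file:append. The audit lines are an abridged constructed copy of the raw messages above; the flag values assume x86_64 Linux.

```python
import re

# Constructed, abridged copy of the two audit records quoted in this report,
# one record per line (values taken from the raw messages above).
RAW_AUDIT = (
    'node=nikicat-laptop.butovo type=AVC msg=audit(1268368303.452:26188): avc: denied'
    ' { write } for pid=11531 comm="piranha_gui" name="apache_runtime_status"'
    ' dev=dm-1 ino=4592401 scontext=unconfined_u:system_r:httpd_t:s0'
    ' tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file\n'
    'node=nikicat-laptop.butovo type=SYSCALL msg=audit(1268368303.452:26188):'
    ' arch=c000003e syscall=2 success=no exit=-13 a0=7f0bedd99f80 a1=80001'
    ' a2=1b6 a3=7fffd1355a90 items=0 ppid=1 pid=11531 auid=500 uid=0 gid=0'
    ' comm="piranha_gui" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0\n'
)

# open(2) flag bits as defined for x86_64 Linux (octal values from <fcntl.h>)
OPEN_FLAGS = {'O_WRONLY': 0o1, 'O_RDWR': 0o2, 'O_CREAT': 0o100,
              'O_TRUNC': 0o1000, 'O_APPEND': 0o2000, 'O_CLOEXEC': 0o2000000}


def parse_record(line):
    """Turn one audit record into a dict; the denied permissions come from the {...} set."""
    fields = {k: v.strip('":') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    m = re.search(r'denied\s*\{([^}]*)\}', line)
    if m:
        fields['perms'] = m.group(1).split()
    return fields


def triage(raw):
    """Pair each AVC record with the SYSCALL record of the same serial and
    report what was denied and how the file was opened."""
    by_serial = {}
    for line in raw.splitlines():
        f = parse_record(line)
        by_serial.setdefault(f['msg'], {})[f['type']] = f
    results = []
    for serial, recs in by_serial.items():
        avc, sc = recs.get('AVC'), recs.get('SYSCALL')
        if avc is None:
            continue
        stype = avc['scontext'].split(':')[2]   # user:role:type:level -> type
        ttype = avc['tcontext'].split(':')[2]
        r = {'serial': serial,
             'key': (avc['comm'], stype, ttype, avc['tclass'], ' '.join(avc['perms']))}
        # syscall 2 on x86_64 (arch c000003e) is open(); a1 holds the flags
        if sc and sc.get('syscall') == '2' and sc.get('arch') == 'c000003e':
            flags = int(sc['a1'], 16)
            r['exe'] = sc['exe']
            r['flags'] = [n for n, bit in OPEN_FLAGS.items() if flags & bit]
            # SELinux checks file:append for O_APPEND opens and file:write otherwise
            r['checked_perm'] = 'append' if flags & OPEN_FLAGS['O_APPEND'] else 'write'
        results.append(r)
    return results
```

Run against the constructed records, the key comes out as piranha_gui,httpd_t,httpd_log_t,file,write and the flags as O_WRONLY|O_CLOEXEC, which is why the denial is for write rather than append.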
What is the path to the log file? If you change it to httpd_sys_content_rw_t, it would allow the access.
Works correctly after:

semanage fcontext -a -t httpd_sys_content_rw_t '/var/log/piranha(/.*)?'

Should I add it to the post-install script, or can it be part of the SELinux policy?
*** Bug 572817 has been marked as a duplicate of this bug. ***
Marek, does httpd need to "write" to these log files or should it only be appending to them? Can you change the PHP code to open these files for append?
@Daniel: I'm not aware that in PHP we work with these log files. They are default log files created by Apache; the only reason they are in a different place is the fact that we run our own httpd server.
OK, a better label is:

/var/log/piranha(/.*)?    gen_context(system_u:object_r:httpd_log_t,s0)

chcon -t httpd_log_t /var/log/piranha

Miroslav, can you update the policy?
Fixed in selinux-policy-3.6.32-106.fc12
selinux-policy-3.6.32-106.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-106.fc12
selinux-policy-3.6.32-106.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.