Summary: SELinux is preventing /usr/sbin/httpd from using potentially mislabeled files /usr/local/zend/var/log/gui_vhost_error.log. Detailed Description: SELinux has denied the httpd access to potentially mislabeled files /usr/local/zend/var/log/gui_vhost_error.log. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, httpd_var_lib_t, httpd_var_run_t, user_home_t, httpd_t, squirrelmail_spool_t, httpd_lock_t, httpd_log_t, httpd_rw_content, httpd_cache_t, httpd_tmpfs_t, user_cron_spool_t, httpd_tmp_t, logfile, httpd_squirrelmail_t, rpm_tmp_t, user_tmp_t, httpd_squid_content_ra_t, httpd_squid_content_rw_t, httpd_apcupsd_cgi_content_ra_t, httpd_apcupsd_cgi_content_rw_t, httpd_prewikka_content_ra_t, httpd_prewikka_content_rw_t, httpd_awstats_content_ra_t, httpd_awstats_content_rw_t, httpd_w3c_validator_content_ra_t, httpd_w3c_validator_content_rw_t, httpd_user_content_ra_t, httpd_user_content_rw_t, httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, httpdcontent, httpd_munin_content_ra_t, httpd_munin_content_rw_t, root_t, httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t, httpd_nagios_content_ra_t, httpd_nagios_content_rw_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t, httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access. Allowing Access: If you want to change the file context of /usr/local/zend/var/log/gui_vhost_error.log so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE '/usr/local/zend/var/log/gui_vhost_error.log'. where FILE_TYPE is one of the following: httpd_var_lib_t, httpd_var_run_t, user_home_t, httpd_t, squirrelmail_spool_t, httpd_lock_t, httpd_log_t, httpd_rw_content, httpd_cache_t, httpd_tmpfs_t, user_cron_spool_t, httpd_tmp_t, logfile, httpd_squirrelmail_t, rpm_tmp_t, user_tmp_t, httpd_squid_content_ra_t, httpd_squid_content_rw_t, httpd_apcupsd_cgi_content_ra_t, httpd_apcupsd_cgi_content_rw_t, httpd_prewikka_content_ra_t, httpd_prewikka_content_rw_t, httpd_awstats_content_ra_t, httpd_awstats_content_rw_t, httpd_w3c_validator_content_ra_t, httpd_w3c_validator_content_rw_t, httpd_user_content_ra_t, httpd_user_content_rw_t, httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, httpdcontent, httpd_munin_content_ra_t, httpd_munin_content_rw_t, root_t, httpd_bugzilla_content_ra_t, httpd_bugzilla_content_rw_t, httpd_nagios_content_ra_t, httpd_nagios_content_rw_t, httpd_sys_content_ra_t, httpd_sys_content_rw_t, httpd_sys_content_rw_t, httpd_cvs_content_ra_t, httpd_cvs_content_rw_t, httpd_git_content_ra_t, httpd_git_content_rw_t, httpd_nutups_cgi_content_ra_t, httpd_nutups_cgi_content_rw_t. You can look at the httpd_selinux man page for additional information. Additional Information: Source Context unconfined_u:system_r:httpd_t:s0 Target Context system_u:object_r:usr_t:s0 Target Objects /usr/local/zend/var/log/gui_vhost_error.log [ file ] Source httpd Source Path /usr/sbin/httpd Port <Unknown> Host (removed) Source RPM Packages httpd-2.2.14-1.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-114.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name httpd_bad_labels Host Name (removed) Platform Linux (removed) 2.6.32.11-99.fc12.i686.PAE #1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686 Alert Count 16 First Seen Sat 22 May 2010 01:53:34 AM MYT Last Seen Sat 22 May 2010 02:22:07 AM MYT Local ID 819c0d72-d567-44eb-8f92-32594fef08ff Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1274466127.647:26): avc: denied { append } for pid=2783 comm="httpd" name="gui_vhost_error.log" dev=sda1 ino=265749 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1274466127.647:26): arch=40000003 syscall=5 success=no exit=-13 a0=19f81c0 a1=88441 a2=1b6 a3=400e items=0 ppid=2782 pid=2783 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) Hash String generated from httpd_bad_labels,httpd,httpd_t,usr_t,file,append audit2allow suggests: #============= httpd_t ============== allow httpd_t usr_t:file append;
*** This bug has been marked as a duplicate of bug 594840 ***