On 06/24/2010 10:17 PM, m.roth(a)5-cent.us wrote:
I'm tired of this. I think it's time for me to file a bug
report.
I have the current version of CA's Siteminder installed. I have the
current version of CentOS (5.5). I'm still getting selinux complaining
that siteminder can't write to its own logfiles.
ll -Z /var/log/httpd/smagent.log
-rw-r--r-- apache root system_u:object_r:httpd_log_t /var/log/httpd/smagent.log
ll -Z /usr/local/opt/smwa-6qmr5-cr035-rhel30-x86-64/webagent/bin/LLAWP
-rwxrwxr-x root root system_u:object_r:bin_t /usr/local/opt/smwa-6qmr5-cr035-rhel30-x86-64/webagent/bin/LLAWP*
I run sealert, and it tells me that I can allow this behavior by setting
httpd_unified on. It says that httpd_unified is off.
It is a bug in setroubleshoot if anything.
https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora
From the list of components choose "setroubleshoot".
The problem is:
1. setroubleshoot gives the wrong advice.
2. Siteminder is not allowed to write to its log files because it runs
with httpd's selinux permissions and httpd is not allowed to write to
its log files. httpd does not need to be able to write to its log files.
It only appends to its log files instead.
3. Siteminder should open its log file to append instead of write.
In short:
Siteminder has a "bug": it opens its log file for write instead of append.
Setroubleshoot suggests a wrong fix; there is no predefined fix for this issue.
Quick & dirty fix:
mkdir ~/myhttpd; cd ~/myhttpd;
# local policy module: let httpd_t (and so the Siteminder agent) write, not just append, to httpd_log_t
echo "policy_module(myhttpd, 1.0.0)" > myhttpd.te;
echo "require { type httpd_t, httpd_log_t; }" >> myhttpd.te;
echo "allow httpd_t httpd_log_t:file write;" >> myhttpd.te;
# needs selinux-policy-devel for the Makefile
make -f /usr/share/selinux/devel/Makefile myhttpd.pp
sudo semodule -i myhttpd.pp
It's on. It's been on. Therefore, selinux's error handling has a bug, and
is falling through to an incorrect diagnosis.
So, can someone give me the link to selinux's bugzilla?
mark
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
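The thread's point 3 (the agent should open its log to append, not write) comes down to the flags passed to open(2). The following C program is an added example written for this page; it is not Siteminder/LLAWP code and not from anyone on the list. It models the kernel's file_to_av() mapping of open flags to SELinux file permissions (a writable open needs "append" when O_APPEND is set, "write" otherwise), opens a log both ways, and shows the side effect of the non-append open: each new open starts at offset 0 and overwrites earlier records. The exact flags LLAWP uses are not known from the thread, so the non-append variant only models what the thread describes; the /tmp path is a placeholder, not /var/log/httpd.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Which file permission(s) SELinux checks for an open(2) with these flags.
 * This mirrors the kernel's file_to_av(): reading needs "read"; a writable
 * open needs "append" when O_APPEND is set and "write" otherwise. O_TRUNC
 * is checked separately as a write, so a log should never use it either. */
const char *selinux_open_perms(int flags)
{
    int acc = flags & O_ACCMODE;
    int rd = (acc == O_RDONLY || acc == O_RDWR);
    int wr = (acc == O_WRONLY || acc == O_RDWR);

    if (rd && wr)
        return (flags & O_APPEND) ? "read append" : "read write";
    if (wr)
        return (flags & O_APPEND) ? "append" : "write";
    return "read";
}

/* A write-mode open without O_APPEND: the behaviour the thread attributes to
 * LLAWP (assumption, the real flags are not shown). Under the stock httpd
 * policy this needs file:write on httpd_log_t, which httpd_t lacks. */
int open_log_write(const char *path)
{
    return open(path, O_WRONLY | O_CREAT, 0644);
}

/* How a daemon confined as httpd_t should open a log: create if missing,
 * never truncate, always append, so only "append" is needed on the type. */
int open_log_append(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0644);
    if (fd >= 0)
        fcntl(fd, F_SETFD, FD_CLOEXEC);   /* don't leak the log fd to CGI children */
    return fd;
}

/* Count newline-terminated records in a file; -1 on error. */
long count_lines(const char *path)
{
    char buf[4096];
    long n = 0;
    ssize_t got;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    while ((got = read(fd, buf, sizeof buf)) > 0)
        for (ssize_t i = 0; i < got; i++)
            if (buf[i] == '\n')
                n++;
    close(fd);
    return got < 0 ? -1 : n;
}

/* Write two constructed records from two independent opens (as a daemon does
 * across restarts) and return how many lines the file holds afterwards.
 * With append=1 the result is 2; with append=0 each open starts at offset 0
 * and the second equal-length record overwrites the first, leaving 1.
 * The file is removed afterwards. */
long demo_log(const char *path, int append)
{
    static const char *recs[] = { "agent start\n", "agent ready\n" };  /* constructed sample */
    long lines;
    unlink(path);
    for (int i = 0; i < 2; i++) {
        int fd = append ? open_log_append(path) : open_log_write(path);
        if (fd < 0)
            return -1;
        if (write(fd, recs[i], strlen(recs[i])) < 0) {
            close(fd);
            return -1;
        }
        close(fd);
    }
    lines = count_lines(path);
    unlink(path);
    return lines;
}

int main(void)
{
    const char *tmp = "/tmp/smagent-example.log";  /* placeholder path */
    printf("O_WRONLY          -> needs %s\n", selinux_open_perms(O_WRONLY));
    printf("O_WRONLY|O_APPEND -> needs %s\n", selinux_open_perms(O_WRONLY | O_APPEND));
    printf("lines after two append opens: %ld\n", demo_log(tmp, 1));
    printf("lines after two write opens:  %ld\n", demo_log(tmp, 0));
    return 0;
}
```

The contrast also shows what the quick & dirty policy module in the thread trades away: granting httpd_t file:write on httpd_log_t is broader than append, since it lets the confined process (and anything that compromises it) overwrite or shorten existing log records, which is exactly what append-only logging is meant to rule out. The module is a workaround until the agent opens its log with O_APPEND.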