On Mon, 2005-31-01 at 13:43 -0500, Colin Walters wrote:
> Right. Can you try moving the log into /var/log/httpd? I can't think
> of another solution short of installing the policy sources and adding
> the permissions. My guess is that it is actually this permission that
> is stopping the program; the others are likely harmless.
Moving it to /var/log/httpd generated this error in error.log for httpd:
Log file /var/log/httpd/rt.log couldn't be written or created.
/var/log/messages had this to say:
avc: denied { read } for pid=1516 exe=/usr/bin/perl name=tmp dev=dm-3
ino=12 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:tmp_t tclass=lnk_file
Plus some more denies for { ioctl }.
Here's the contents of /usr/tmp when apache starts:
[root@mothership tmp]# ls -alZ /usr/tmp/
drwxrwxrwt root root system_u:object_r:tmp_t .
drwxr-xr-x root root system_u:object_r:var_t ..
srw------- apache apache root:object_r:httpd_tmp_t 38bb41ae9430107f1ab3add79fbea0aa
drwx------ apache apache root:object_r:httpd_tmp_t dynamic
>> Actually, it's just /tmp.
> Is your /tmp a symlink elsewhere? Or do you actually have a symlink
> in /tmp named "tmp"? Are you *sure* it's really /tmp? Do an
> "ls -di /tmp" to see if its inode number is 12. Then do
> "ls -di /usr/tmp".
Well, it's not 12.
[root@mothership ~]# ls -di /tmp
2 /tmp
But:
[root@mothership tmp]# ls -di /usr/tmp
12 /usr/tmp
So... I changed the parameter for FastCgiIpDir to /usr/tmp, but there
were still more denials (a new one):
avc: denied { getattr } for pid=2014 exe=/usr/bin/perl path=/var/log
dev=dm-5 ino=129025 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:var_log_t tclass=dir
An ls -alZ shows that /tmp is a normal directory:
drwxrwxrwt root root system_u:object_r:tmp_t tmp
The same command within /tmp:
[root@mothership tmp]# ls -alZ
drwxrwxrwt root root system_u:object_r:tmp_t .
drwxr-xr-x root root system_u:object_r:root_t ..
-rw-r--r-- root root root:object_r:tmp_t 49822b18a8485fff12354f4fbd601494
-rw-r--r-- root root root:object_r:tmp_t Apache-Session-49822b18a8485fff12354f4fbd601494.lock
drwxr-xr-x root root root:object_r:tmp_t .cpan
drwx------ apache apache root:object_r:httpd_tmp_t dynamic
drwxr-xr-x root root root:object_r:tmp_t fastcgi
drwxrwxrwx root root root:object_r:tmp_t FileCache
drwxrwxrwt root root user_u:object_r:tmp_t .font-unix
-rw-r--r-- root root root:object_r:tmp_t html-scrubber.test.html
-rw-r--r-- root root root:object_r:tmp_t html-scrubber.test.html.html
drwxrwxrwt root root user_u:object_r:tmp_t .ICE-unix
drwx------ root root lost+found
You can see the files and directories created by FastCGI when Apache
fires up (when I had the FastCgiIpDir set to /tmp).
> Better to use an ACL than mode 777; e.g.
> "setfacl -m 'apache:rwx' /var/log/httpd".
I got an "Operation not supported" error:
setfacl: /var/log/httpd: Operation not supported
> It only changes the type of the /usr/tmp symlink. My guess is still
> that your program has some code (or a library it uses does) that
> tries /usr/tmp first, and is getting permission denial on that symlink
> because it should be usr_t, not tmp_t.
A good try, but it didn't work. :(
I actually tried turning off the separate log entirely, but I still
received errors:
avc: denied { ioctl } for pid=2305 exe=/usr/bin/perl
path=/var/log/httpd/error_log dev=dm-5 ino=129070
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:httpd_log_t tclass=file
Me = stumped.
Thanks for the help.
Regards,
Ranbir
--
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com
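The denials quoted in this mail are easier to reason about once they are split into domain, target type, object class and permission, since each distinct (source type, target type, class) triple is one policy rule or one mislabelled object to deal with. Below is an added Python parser for the old-style syslog "avc: denied" records of the kind shown above; it is not code from this thread, and the sample input reproduces the three denials quoted in the mail plus one unrelated line.

```python
import re
from collections import defaultdict

# Matches the old-style syslog AVC records quoted in this thread, e.g.
#   avc: denied { read } for pid=1516 exe=/usr/bin/perl name=tmp dev=dm-3 ino=12
#       scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tmp_t tclass=lnk_file
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Sample input: the denials quoted in this mail (re-joined onto one line each) plus one non-AVC line
SAMPLE = [
    "avc: denied { read } for pid=1516 exe=/usr/bin/perl name=tmp dev=dm-3 ino=12 "
    "scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tmp_t tclass=lnk_file",
    "avc: denied { getattr } for pid=2014 exe=/usr/bin/perl path=/var/log dev=dm-5 ino=129025 "
    "scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_log_t tclass=dir",
    "avc: denied { ioctl } for pid=2305 exe=/usr/bin/perl path=/var/log/httpd/error_log "
    "dev=dm-5 ino=129070 scontext=root:system_r:httpd_sys_script_t "
    "tcontext=system_u:object_r:httpd_log_t tclass=file",
    "Jan 31 13:43:00 mothership kernel: unrelated message",
]

def parse_avc(line):
    """Return the AVC fields as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    rec.update(KV_RE.findall(m.group("rest")))
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            # A context is user:role:type[:range]; the type is what policy rules key on
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def describe(rec):
    """One-line triage summary: which domain was denied what on which object."""
    obj = rec.get("path") or rec.get("name") or "?"
    where = f"dev={rec.get('dev', '?')} ino={rec.get('ino', '?')}"
    return (f"{rec.get('scontext_type', '?')} -> {rec.get('tcontext_type', '?')} "
            f"({rec.get('tclass', '?')} {obj!r}, {where}): {' '.join(rec['perms'])}")

def summarize(lines):
    """Group denials by (source type, target type, object class) -> set of permissions."""
    groups = defaultdict(set)
    for rec in map(parse_avc, lines):
        if rec and rec["result"] == "denied":
            key = (rec.get("scontext_type"), rec.get("tcontext_type"), rec.get("tclass"))
            groups[key].update(rec["perms"])
    return dict(groups)
```

For the first sample line, describe() points straight at the symlink (tclass lnk_file, name tmp, ino 12) that the thread ends up chasing; summarize() shows the three denials are against three different target types, so they are not one missing rule.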