[Bug 1281886] New: selinux causes RT to prevent httpd from starting

bugzilla at redhat.com bugzilla at redhat.com
Fri Nov 13 17:23:25 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1281886

            Bug ID: 1281886
           Summary: selinux causes RT to prevent httpd from starting
           Product: Fedora
           Version: 22
         Component: rt
          Assignee: rc040203 at freenet.de
          Reporter: tibbs at math.uh.edu
        QA Contact: extras-qa at fedoraproject.org
                CC: perl-devel at lists.fedoraproject.org,
                    rc040203 at freenet.de, tibbs at math.uh.edu



This is really just a heads up, and should probably be reassigned to
selinux-policy, but I wanted to run it by you to make sure it's not an RT issue
first.

Basically, httpd updated last night, which means it restarted.  Unfortunately
this failed:

Nov 13 09:57:43 rt2.math.uh.edu httpd[23688]: AH00526: Syntax error on line 29
of /etc/httpd/conf.d/virt-rt.conf:
Nov 13 09:57:43 rt2.math.uh.edu httpd[23688]: Cannot write to
'/var/log/rt/rt.log': Permission denied at
/usr/share/perl5/vendor_perl/Log/Dispatch/File.pm line 107.\n

Line 29 is the Plack setup, which fails; there's nothing actually wrong with
the syntax of the apache configuration file.

    <Perl>
        use Plack::Handler::Apache2;
        Plack::Handler::Apache2->preload("/usr/sbin/rt-server");
    </Perl>

And it can't read /var/log/rt.log because of:

time->Fri Nov 13 03:33:30 2015
type=AVC msg=audit(1447407210.438:3285): avc:  denied  { open } for  pid=12191
comm="/usr/sbin/rt-se" path="/var/log/rt/rt.log" dev="dm-1" ino=393970
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0
tclass=file permissive=0

setenforce 0 fixes it, of course, and after that there are no additional AVCs.

My guess is that this broke with a selinux policy update (the last one was
selinux-policy-targeted-3.13.1-128.18.fc22.noarch on October 29th) but nothing
actually failed until httpd restarted last night.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
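
Added example, not part of the original bug report: a small parser for the AVC record quoted above that extracts the SELinux types, object class and permissions, and groups enforced denials for triage. The function names `parse_avc` and `summarize` are hypothetical, and the sample is the record from this report as wrapped by the mail archive.

```python
import re
from collections import defaultdict

# AVC record copied from the report above; the mail archive hard-wrapped it.
SAMPLE = '''time->Fri Nov 13 03:33:30 2015
type=AVC msg=audit(1447407210.438:3285): avc:  denied  { open } for  pid=12191
comm="/usr/sbin/rt-se" path="/var/log/rt/rt.log" dev="dm-1" ino=393970
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0
tclass=file permissive=0'''

HEAD = re.compile(r'type=AVC msg=audit\((\d+)\.\d+:(\d+)\): '
                  r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(text):
    """Return one dict per AVC record, tolerating records wrapped over lines."""
    flat = " ".join(text.split())              # undo hard wrapping
    records = []
    for chunk in re.split(r'(?=type=AVC )', flat):
        head = HEAD.match(chunk)
        if not head:
            continue                           # e.g. the leading "time->" line
        epoch, serial, verdict, perms = head.groups()
        f = {k: v.strip('"') for k, v in FIELD.findall(chunk[head.end():])}
        if "scontext" not in f or "tcontext" not in f:
            continue                           # truncated record, nothing to classify
        records.append({
            "epoch": int(epoch), "serial": int(serial), "verdict": verdict,
            "perms": perms.split(),
            # Contexts are user:role:type[:level]; policy rules key on the type.
            "source_type": f["scontext"].split(":")[2],
            "target_type": f["tcontext"].split(":")[2],
            "tclass": f.get("tclass"), "path": f.get("path"), "comm": f.get("comm"),
            # permissive=0 means the denial was enforced, not only logged.
            "enforced": f.get("permissive") == "0",
        })
    return records

def summarize(records):
    """Group enforced denials by (source type, target type, object class)."""
    out = defaultdict(lambda: {"perms": set(), "paths": set()})
    for r in records:
        if r["verdict"] == "denied" and r["enforced"]:
            key = (r["source_type"], r["target_type"], r["tclass"])
            out[key]["perms"].update(r["perms"])
            if r["path"]:
                out[key]["paths"].add(r["path"])
    return dict(out)

if __name__ == "__main__":
    for (s, t, c), v in summarize(parse_avc(SAMPLE)).items():
        print(f"{s} -> {t}:{c} {sorted(v['perms'])} on {sorted(v['paths'])}")
```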

