selinux and smagent
Dominick Grift
domg472 at gmail.com
Thu Jan 7 17:16:24 UTC 2010
On 01/07/2010 04:45 PM, m.roth at 5-cent.us wrote:
> I never did solve this, and I'm looking at it again. Selinux still gripes
> (it's in permissive mode, or this would be more of a problem).
> httpd_unified is on, which is what the *wrong* error message from selinux
> tells me will fix this.
>
> Given the info below, *should* I chcon (or semanage)
> /var/log/httpd/smagent.log to the same type as the httpd error.log? Will
> that make selinux happy?
>
> mark, not happy with selinux
>
>
> host=biblio type=AVC msg=audit(1262787360.769:5531): avc: denied { write
> } for pid=1654 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3
> ino=46107941 scontext=user_u:system_r:httpd_t:s0
> tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
>
Apache can not and will not write to its log files. The log file should
be open for append only. This is so that a compromized web server can
not wipe its audit trail.
You should consider this to be a bug in smagent.
If you want to just allow it any way (discouraged) than you can do the
following:
echo "avc: denied { write } for pid=1654 comm="LLAWP"
path="/var/log/httpd/smagent.log" dev=sda3 ino=46107941
scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:object_r:httpd_log_t:s0 tclass=file" | audit2allow -M
myfaultysmagent; sudo semodule -i myfaultysmagent.pp
Hth
> ll -Z /var/log/httpd/smagent.log
> -rw-r--r-- apache root user_u:object_r:httpd_log_t
> /var/log/httpd/smagent.log
>
> ll -Z /usr/local/opt/<blah>/webagent/bin/LLAWP
> -rwxrwxr-x root root system_u:object_r:bin_t
> /usr/local/opt/<blah>/webagent/bin/LLAWP
>
> ll -Z /var/log/httpd/error_log
> -rw-r--r-- root root system_u:object_r:httpd_log_t
> /var/log/httpd/error_log
>
> ll -Z /usr/sbin/httpd
> -rwxr-xr-x root root system_u:object_r:httpd_exec_t /usr/sbin/httpd
>
>
>
>
>
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/selinux/attachments/20100107/5b5131db/attachment.bin
More information about the selinux
mailing list