selinux and smagent

Dominick Grift domg472 at gmail.com
Thu Jan 7 17:16:24 UTC 2010


On 01/07/2010 04:45 PM, m.roth at 5-cent.us wrote:
> I never did solve this, and I'm looking at it again. Selinux still gripes
> (it's in permissive mode, or this would be more of a problem).
> httpd_unified is on, which is what the *wrong* error message from selinux
> tells me will fix this.
> 
> Given the info below, *should* I chcon (or semanage)
> /var/log/httpd/smagent.log to the same type as the httpd error.log? Will
> that make selinux happy?
> 
>        mark, not happy with selinux
> 
> 
> host=biblio type=AVC msg=audit(1262787360.769:5531): avc:  denied  { write
> } for  pid=1654 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3
> ino=46107941 scontext=user_u:system_r:httpd_t:s0
> tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
> 

Apache can not and will not write to its log files. The log file should
be open for append only. This is so that a compromised web server can
not wipe its audit trail.

You should consider this to be a bug in smagent.

If you want to just allow it anyway (discouraged) then you can do the
following:

# single-quote the record so the inner double quotes survive, and keep it on
# one line so audit2allow parses the whole AVC; only load the module if it built
echo 'avc:  denied  { write } for  pid=1654 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=46107941 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file' \
  | audit2allow -M myfaultysmagent && sudo semodule -i myfaultysmagent.pp

Hth

> ll -Z /var/log/httpd/smagent.log
> -rw-r--r--  apache root user_u:object_r:httpd_log_t
> /var/log/httpd/smagent.log
> 
> ll -Z /usr/local/opt/<blah>/webagent/bin/LLAWP
> -rwxrwxr-x  root root system_u:object_r:bin_t
> /usr/local/opt/<blah>/webagent/bin/LLAWP
> 
> ll -Z /var/log/httpd/error_log
> -rw-r--r--  root root system_u:object_r:httpd_log_t
> /var/log/httpd/error_log
> 
> ll -Z /usr/sbin/httpd
> -rwxr-xr-x  root root system_u:object_r:httpd_exec_t   /usr/sbin/httpd
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list


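An added example, not part of this thread, that applies the point above to raw AVC records: it parses the record's fields and classifies a denial on a *_log_t file as append-only (the expected pattern) or as a request for write/unlink/rename/setattr, which would let the process rewrite its own log. The sample record is constructed to match the one quoted above, and the set of tampering permissions is an assumption of this example.

```python
import re

# Constructed sample in the same format as the AVC record quoted in the
# thread: a write denial from httpd_t (comm=LLAWP) on an httpd_log_t file.
SAMPLE_AVC = (
    'type=AVC msg=audit(1262787360.769:5531): avc:  denied  { write } for  '
    'pid=1654 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 '
    'ino=46107941 scontext=user_u:system_r:httpd_t:s0 '
    'tcontext=user_u:object_r:httpd_log_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

# Permissions that let a process rewrite or truncate a log file, unlike
# "append", which is what the thread says a log should be opened for.
# This set is an assumption of the example, not taken from the policy.
TAMPER_PERMS = {"write", "unlink", "rename", "setattr"}

def parse_avc(line):
    """Extract verdict, permissions, source/target types, tclass, comm, path."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    comm = re.search(r'comm="([^"]*)"', line)
    path = re.search(r'path="([^"]*)"', line)
    return {
        "verdict": m["verdict"],
        "perms": m["perms"].split(),
        # a context is user:role:type[:level]; the type is the third field
        "stype": m["scontext"].split(":")[2],
        "ttype": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
        "comm": comm.group(1) if comm else "",
        "path": path.group(1) if path else "",
    }

def assess(line):
    """'tamper' if a denial on a *_log_t file asks for more than append,
    'append-only' for the expected pattern, 'other' for anything else."""
    a = parse_avc(line)
    if a["verdict"] != "denied" or a["tclass"] != "file" or not a["ttype"].endswith("_log_t"):
        return "other"
    if TAMPER_PERMS.intersection(a["perms"]):
        return "tamper"
    return "append-only" if a["perms"] == ["append"] else "other"
```

Run over `ausearch -m avc` output, a "tamper" result is the case to hand back to the application vendor rather than to audit2allow.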