selinux bugzilla?

Dominick Grift domg472 at gmail.com
Thu Jun 24 20:28:28 UTC 2010


On 06/24/2010 10:17 PM, m.roth at 5-cent.us wrote:
> I'm tired of this. I think it's time for me to file a bug report.
> 
> I have the current version of CA's Siteminder installed. I have the
> current version of CentOS (5.5). I'm still getting selinux complaining
> that siteminder can't write to its own logfiles.
> ll -Z /var/log/httpd/smagent.log
> -rw-r--r--  apache root system_u:object_r:httpd_log_t   
> /var/log/httpd/smagent.log
> ll -Z /usr/local/opt/smwa-6qmr5-cr035-rhel30-x86-64/webagent/bin/LLAWP
> -rwxrwxr-x  root root system_u:object_r:bin_t         
> /usr/local/opt/smwa-6qmr5-cr035-rhel30-x86-64/webagent/bin/LLAWP*
> 
> I run sealert, and it tells me that I can allow this behavior by setting
> httpd_unified on. It says that httpd_unified is off.

It is a bug in setroubleshoot if anything.

https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora

From the list of components choose "setroubleshoot".

The problem is:

1. setroubleshoot gives the wrong advice.

2. Siteminder is not allowed to write to its log files because it runs
with httpd's selinux permissions and httpd is not allowed to write to
its log files. httpd does not need to be able to write to its log files.
It only appends to its log files instead.

3. Siteminder should open its log file to append instead of write.

In short:

Siteminder has a "bug": it opens its log file for write instead of append.

Setroubleshoot suggests a wrong fix; there is no predefined fix for this
issue.


Quick & dirty fix:

# write a minimal local policy module granting httpd_t write on httpd_log_t
mkdir ~/myhttpd; cd ~/myhttpd;
echo "policy_module(myhttpd, 1.0.0)" > myhttpd.te;
echo "require { type httpd_t, httpd_log_t; }" >> myhttpd.te;
echo "allow httpd_t httpd_log_t:file write;" >> myhttpd.te;

# build the module with the reference policy devel Makefile, then load it
make -f /usr/share/selinux/devel/Makefile myhttpd.pp
sudo semodule -i myhttpd.pp
> 
> It's on. It's been on. Therefore, selinux's error handling has a bug, and
> is falling through to an incorrect diagnosis.
> 
> So, can someone give me the link to selinux's bugzilla?
> 
>       mark
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
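A scripted version of the quick fix above, added here as an example and not part of the thread: it reads an AVC denial record in the format auditd writes (the sample line is constructed to match the thread's situation, httpd_t denied "write" on httpd_log_t) and prints the matching minimal .te module, so the allow rule is derived from the actual denial rather than typed by hand.

```shell
#!/bin/sh
# Added example, not from the original thread. Derives the minimal local
# policy module from one AVC denial line, the scripted form of the
# "quick & dirty fix" in the message above.

# Constructed sample AVC record (same field layout as /var/log/audit/audit.log).
SAMPLE_AVC='type=AVC msg=audit(1277410000.123:4567): avc:  denied  { write } for  pid=2345 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file'

# avc_field LINE KEY -> value of "KEY=value" in LINE (empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE -> the first permission listed inside "{ ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([a-z_]*\)[^}]*}.*/\1/p'
}

# avc_to_te LINE NAME -> print a .te module allowing exactly the denied access.
# Only the single denied permission is granted; as the message notes, the
# proper fix is still for the application to open its log with O_APPEND so
# that only "append" (which httpd_t already has) is needed.
avc_to_te() {
    line=$1; name=$2
    src=$(avc_field "$line" scontext | cut -d: -f3)   # source type, e.g. httpd_t
    tgt=$(avc_field "$line" tcontext | cut -d: -f3)   # target type, e.g. httpd_log_t
    cls=$(avc_field "$line" tclass)                   # object class, e.g. file
    perm=$(avc_perm "$line")                          # denied permission, e.g. write
    [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] && [ -n "$perm" ] || return 1
    printf 'policy_module(%s, 1.0.0)\n' "$name"
    printf 'require { type %s, %s; }\n' "$src" "$tgt"
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perm"
}

# build_module NAME: compile NAME.te in the current directory and load it
# (same make/semodule commands as in the message above).
build_module() {
    make -f /usr/share/selinux/devel/Makefile "$1.pp" && sudo semodule -i "$1.pp"
}
```

Usage: `avc_to_te "$(grep -m1 'denied.*httpd_log_t' /var/log/audit/audit.log)" myhttpd > myhttpd.te` followed by `build_module myhttpd`.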

