apache and setroubleshot policy oddities

Jean-David Beyer jeandavid8 at verizon.net
Thu Mar 14 15:23:46 UTC 2013


On 03/14/2013 10:50 AM, m.roth at 5-cent.us wrote:
> CentOS 6.4 (probably not the current kernel)
> selinux-policy, selinux-policy-targetd 3.7.19-155.el6_3.14
> 
> And we're running SiteMinder from CA (and have *zero* control over that,
> don't get me started)
> 
> unconfined_u:system_r:httpd_t:s0 apache  <...> LLAWP
> /etc/httpd/conf/WebAgent.conf -APACHE22
> apache root unconfined_u:object_r:httpd_log_t:s0 /var/log/httpd/agent.log
> 
> So, why would I get AVCs, and running them through audit2allow gives me:
> #============= httpd_t ==============
> allow httpd_t httpd_log_t:file write;
> 
> Why on earth can't something running as httpd_t write to a logfile of
> httpd_log_t in /var/log/httpd/?
> 
> And then there's this...
> 
> #============= setroubleshootd_t ==============
> allow setroubleshootd_t httpd_sys_script_t:dir read;
> allow setroubleshootd_t httpd_sys_script_t:file getattr;
> 
> Shouldn't setroubleshootd have rights?
> 
>     mark

My comment may be unhelpful because I do not even run apache,
but I do run Red Hat Enterprise Linux Server release 6.4 (Santiago) that
is surely up to date as of yesterday. My kernel is
kernel-2.6.32-358.0.1.el6.x86_64

Although I just received a new one: kernel-2.6.32-358.2.1.el6.x86_64

I run with SELinux enabled in enforcing mode.

But what I notice is this:

$ rpm -qa | grep selinux
selinux-policy-targeted-3.7.19-195.el6_4.3.noarch
libselinux-2.0.94-5.3.el6.i686
libselinux-utils-2.0.94-5.3.el6.x86_64
libselinux-python-2.0.94-5.3.el6.x86_64
selinux-policy-3.7.19-195.el6_4.3.noarch
libselinux-2.0.94-5.3.el6.x86_64

I have no selinux-policy-targetd package installed.

And no such file on my machine:

$ locate selinux-policy-targetd
$

Is this a package you had to load to get apache to work? Or are CentOS
6.4 and Red Hat Enterprise Linux 6.4 that different?
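Added example, not part of the thread: a small shell triage that parses the AVC lines behind mark's audit2allow output into source type, permission, target type and class, and flags the case he asks about. The targeted policy grants httpd_t append (not write) on httpd_log_t files, so a `write` denial on a log normally means the writer opened the file without O_APPEND rather than a gap in the policy; `sesearch -A -s httpd_t -t httpd_log_t -c file` shows the actual rule. The audit lines, pids and inode numbers below are constructed.

```shell
#!/bin/sh
# Constructed audit.log lines modelled on the two denials in the thread.
SAMPLE_AVCS='type=AVC msg=audit(1363272000.001:101): avc:  denied  { write } for  pid=4242 comm="LLAWP" name="agent.log" dev=dm-0 ino=1234 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1363272000.002:102): avc:  denied  { read } for  pid=1337 comm="setroubleshootd" name="cgi-bin" dev=dm-0 ino=5678 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:httpd_sys_script_t:s0 tclass=dir'

# triage_avc: read AVC lines on stdin, print one line per denial:
#   <source_type> <perms> <target_type>:<class> <verdict>
triage_avc() {
  awk '
    /avc:  denied/ {
      perm = ""; s = ""; t = ""; c = ""
      for (i = 1; i <= NF; i++) {
        # permissions sit between "{" and "}", e.g. { read write }
        if ($i == "{") {
          j = i + 1
          while (j <= NF && $j != "}") { perm = (perm == "" ? $j : perm "," $j); j++ }
        }
        # scontext=user:role:type:level -> third colon field is the type
        if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
        if ($i ~ /^tcontext=/) { split($i, b, ":"); t = b[3] }
        if ($i ~ /^tclass=/)   { c = substr($i, 8) }
      }
      verdict = "review"
      # httpd_t is allowed append, not write, on its log files; a write
      # denial means the log was opened without O_APPEND.  Verify with:
      #   sesearch -A -s httpd_t -t httpd_log_t -c file
      if (s == "httpd_t" && t == "httpd_log_t" && c == "file" && perm == "write")
        verdict = "append-only-log-opened-for-write"
      print s, perm, t ":" c, verdict
    }'
}

printf '%s\n' "$SAMPLE_AVCS" | triage_avc
```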