Bug 452353 - SELinux is preventing logrotate (logrotate_t) "read" to ./glpi (httpd_sys_content_t).
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: glpi
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Remi Collet
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-06-21 09:11 UTC by Stephanos Manos
Modified: 2008-09-13 14:12 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-09-13 14:12:49 UTC



Description Stephanos Manos 2008-06-21 09:11:25 UTC
Summary:

SELinux is preventing logrotate (logrotate_t) "read" to ./glpi
(httpd_sys_content_t).

Detailed Description:

SELinux denied access requested by logrotate. It is not expected that this
access is required by logrotate and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./glpi,

restorecon -v './glpi'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:logrotate_t
Target Context                system_u:object_r:httpd_sys_content_t
Target Objects                ./glpi [ dir ]
Source                        logrotate
Source Path                   /usr/sbin/logrotate
Port                          <Unknown>
Host                          viper.myhome-net.net
Source RPM Packages           logrotate-3.7.6-2.2.fc8
Target RPM Packages           
Policy RPM                    selinux-policy-3.0.8-109.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     viper.myhome-net.net
Platform                      Linux viper.myhome-net.net 2.6.25.6-27.fc8 #1 SMP
                              Fri Jun 13 16:38:52 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Sat 21 Jun 2008 03:43:34 AM EEST
Last Seen                     Sat 21 Jun 2008 03:43:34 AM EEST
Local ID                      bc8e66bb-959b-4227-a759-7b61170cc451
Line Numbers                  

Raw Audit Messages            

host=viper.myhome-net.net type=AVC msg=audit(1214009014.387:294): avc:  denied 
{ read } for  pid=20471 comm="logrotate" name="glpi" dev=dm-0 ino=13336719
scontext=system_u:system_r:logrotate_t:s0
tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir

host=viper.myhome-net.net type=SYSCALL msg=audit(1214009014.387:294):
arch=40000003 syscall=5 success=no exit=-13 a0=bfcda700 a1=98800 a2=11 a3=0
items=0 ppid=20469 pid=20471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate"
exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0 key=(null)
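The raw audit records above are what a defender has to work from when deciding whether a denial is a labeling problem (fix with restorecon or a corrected file context) or a genuine policy gap (needs a local policy module). The following is an added example, not part of this bug report or of setroubleshoot: it parses AVC and SYSCALL records of the form quoted above, joins them by audit serial, and triages the denial. The sample log is constructed from the two records in the report; the EXPECTED_TARGET_TYPES table is an assumption made for the example and encodes the point made later in the thread, that logrotate should be operating on log-typed objects such as httpd_log_t, not on httpd content types.

```python
"""Parse SELinux AVC denials from an audit log and triage them.

Added example for this bug report (not part of the report or of setroubleshoot).
The sample records are constructed from the raw audit messages quoted above.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the AVC and SYSCALL records from the report,
# one record per line as auditd writes them (host= prefix kept as quoted).
SAMPLE_AUDIT_LOG = """\
host=viper.myhome-net.net type=AVC msg=audit(1214009014.387:294): avc:  denied  { read } for  pid=20471 comm="logrotate" name="glpi" dev=dm-0 ino=13336719 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
host=viper.myhome-net.net type=SYSCALL msg=audit(1214009014.387:294): arch=40000003 syscall=5 success=no exit=-13 a0=bfcda700 a1=98800 a2=11 a3=0 items=0 ppid=20469 pid=20471 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="logrotate" exe="/usr/sbin/logrotate" subj=system_u:system_r:logrotate_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for (?P<fields>.*)')
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    serial: str
    perms: tuple
    comm: str
    name: str
    source_type: str   # type component of scontext, e.g. logrotate_t
    target_type: str   # type component of tcontext, e.g. httpd_sys_content_t
    tclass: str
    exe: str = ""      # filled in from the SYSCALL record with the same serial


def _fields(text):
    """Turn 'k=v k="quoted v"' into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def parse_audit_log(text):
    """Return one AvcDenial per AVC record, joined with its SYSCALL record."""
    denials, syscalls = {}, {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            f = _fields(m.group('fields'))
            denials[m.group('serial')] = AvcDenial(
                serial=m.group('serial'),
                perms=tuple(m.group('perms').split()),
                comm=f.get('comm', ''),
                name=f.get('name', ''),
                source_type=f['scontext'].split(':')[2],
                target_type=f['tcontext'].split(':')[2],
                tclass=f.get('tclass', ''),
            )
            continue
        m = SYSCALL_RE.search(line)
        if m:
            syscalls[m.group('serial')] = _fields(m.group('fields'))
    for serial, d in denials.items():
        d.exe = syscalls.get(serial, {}).get('exe', '')
    return list(denials.values())


# Assumption for the example: the object types each source domain is expected
# to operate on. logrotate_t touching anything other than a log type is the
# labeling error discussed in this bug (the log dir carried an httpd content type).
EXPECTED_TARGET_TYPES = {
    'logrotate_t': {'var_log_t', 'httpd_log_t'},
}


def triage(denial):
    """'labeling' if the target type is not one the domain should see,
    'policy' if the label looks right but policy still denies,
    'unknown-domain' if the table has no entry for the source domain."""
    expected = EXPECTED_TARGET_TYPES.get(denial.source_type)
    if expected is None:
        return 'unknown-domain'
    return 'policy' if denial.target_type in expected else 'labeling'


def next_step(denial):
    """The remediation order the report's own guidance gives."""
    kind = triage(denial)
    if kind == 'labeling':
        return (f"restorecon -v '{denial.name}'; if the label stays "
                f"{denial.target_type}, the packaged file context is wrong")
    if kind == 'policy':
        return "build a local policy module for this access"
    return "inspect manually"


if __name__ == "__main__":
    for d in parse_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{d.comm} ({d.source_type}) denied {' '.join(d.perms)} on "
              f"{d.name} [{d.tclass}] labeled {d.target_type}: {triage(d)}")
        print("  next:", next_step(d))
```

Run on the sample, the script reports the logrotate_t denial on the httpd_sys_content_t directory as a labeling problem, which matches the outcome of this bug: the directory needed a different type, not a policy exception for logrotate.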

Comment 1 Daniel Walsh 2008-06-22 10:20:37 UTC
Remi, 

Comment 2 Daniel Walsh 2008-06-22 10:25:28 UTC
Remi, 

You are setting the file context of the log file to httpd_sys_script_rw_t? Do you need http to be able to write to this directory? It should be labeled httpd_log_t; this would allow other apps like logrotate to work on it. If

Similarly /var/lib/glpi might be better off labeled httpd_var_lib_t

Comment 3 Remi Collet 2008-06-22 15:48:14 UTC
Yes, http must be able to write to this directory because GLPI can create various log files; some are known (php-error, sql-error) but others come from plugins.

I need some investigation on this issue.



Comment 4 Fedora Update System 2008-07-12 09:24:41 UTC
glpi-0.71-1.fc8 has been submitted as an update for Fedora 8

Comment 5 Fedora Update System 2008-07-15 12:15:55 UTC
glpi-0.71-1.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update glpi'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-6317

Comment 6 Remi Collet 2008-09-13 14:12:49 UTC
Switching to httpd_log_t is OK, except for the installation script.

This is reported/fixed upstream.

All should be fine in 0.71.1-1

