SELinux RT/syslog problem

Is anyone running RT on a box with SELinux (ES4 in my case)?
Everything’s been going peachy until for some reason yesterday
things got mucked up on /dev/log and now apache/RT cannot log
to syslog, which means several functions like merging are currently
inaccessible. Anybody happen to know what the proper context is
for that file? It’s currently: system_u:object_r:devlog_t and the
errors I’m getting are:

#Pre- restorecon
Nov 9 19:30:25 rt kernel: audit(1226277025.460:207): avc: denied {
write } for pid=6378 comm="httpd.worker" name="log" dev=tmpfs
ino=32795 scontext=user_u:system_r:httpd_t
tcontext=root:object_r:device_t tclass=sock_file

#Post- restorecon
Nov 9 20:23:25 rt kernel: audit(1226280205.215:999): avc: denied {
sendto } for pid=6873 comm="httpd.worker" name="log"
scontext=user_u:system_r:httpd_t tcontext=root:system_r:unconfined_t
tclass=unix_dgram_socket

I’ve found a few pages online with hints on how I might be able to fix
this, but none use chcon and instead require modifying system policies
to add:

allow httpd_t device_t:sock_file write;
allow httpd_t unconfined_t:unix_dgram_socket sendto;

Which I cannot do as the necessary tools are not installed
(and the package manager is currently out of commission).
Cambridge Energy Alliance: Save money. Save the planet.
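
The mapping from the two denials above to the two `allow` lines is mechanical: the type field of `scontext`, the type field of `tcontext`, `tclass`, and the denied permission. The following is an added example, not code from the post or from any SELinux tool; the function names are this example's own and the sample lines are the post's denials rejoined onto single lines.

```python
import re

# Constructed sample: the two denials from the post, each joined onto one line.
SAMPLE = [
    'Nov 9 19:30:25 rt kernel: audit(1226277025.460:207): avc: denied { write } '
    'for pid=6378 comm="httpd.worker" name="log" dev=tmpfs ino=32795 '
    'scontext=user_u:system_r:httpd_t tcontext=root:object_r:device_t tclass=sock_file',
    'Nov 9 20:23:25 rt kernel: audit(1226280205.215:999): avc: denied { sendto } '
    'for pid=6873 comm="httpd.worker" name="log" '
    'scontext=user_u:system_r:httpd_t tcontext=root:system_r:unconfined_t '
    'tclass=unix_dgram_socket',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    # Mail archives often turn the quotes into typographic ones; undo that first.
    m = AVC_RE.search(line.replace('“', '"').replace('”', '"'))
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    fields['perms'] = m.group('perms').split()
    return fields


def type_of(context):
    """Third colon-separated field of user:role:type[:level]."""
    return context.split(':')[2]


def allow_rules(lines):
    """Merge denials by (source type, target type, class) into allow rules."""
    merged = {}
    for line in lines:
        avc = parse_avc(line)
        if avc:
            key = (type_of(avc['scontext']), type_of(avc['tcontext']), avc['tclass'])
            merged.setdefault(key, set()).update(avc['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE)))
```

The generated rules only restate what was denied. The `device_t` target in the first denial is the label `/dev/log` carried before `restorecon` was run, so that rule describes the mislabeled socket rather than the relabeled one.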

> Hi Jerrad,
>
> Not all programs are SELinux-aware and so can muck things up a bit
> sometimes. When this happens, the best thing to do is to relabel the
> filesystem. To do this, execute the following commands:
>
>    touch /.autorelabel
>    reboot

I’ll look into that.

> Keep in mind that the reboot may take a while.
>
> If you want to see which files have an incorrect label (according to the
> SELinux policy), you can run this command:
>
>    restorecon -n -R -v /

Already did that on both the problem file (/dev/log) and recursed the fs
(there are a lot of unlabeled files).

For now, I’ve somewhat side-stepped the issue and am logging to a file.
Not wonderful though, especially since Log::Dispatch doesn’t seem to
have support for ‘none’ so if RT emits an emergency message, it won’t
get through to syslog…

Cambridge Energy Alliance: Save money. Save the planet.

Sorry, resending this to the list… Sent it from the wrong email
address so the original didn’t post to the list.

Begin forwarded message:

From: Thomas Smith <>
Date: November 10, 2008 9:59:35 AM MST
To: Jerrad Pierce jpierce@cambridgeenergyalliance.org
Cc: rt Users rt-users@lists.bestpractical.com
Subject: Re: [rt-users] SELinux RT/syslog problem

Hi Jerrad,

Not all programs are SELinux-aware and so can muck things up a bit
sometimes. When this happens, the best thing to do is to relabel
the filesystem. To do this, execute the following commands:

   touch /.autorelabel
   reboot

Keep in mind that the reboot may take a while.

If you want to see which files have an incorrect label (according
to the SELinux policy), you can run this command:

   restorecon -n -R -v /

The switches have the following meanings:

-n - Don’t change any file labels. Allows you to see what will be
     changed before committing to it (if you use the -v switch)--remove
     the switch to relabel the affected files.
-R - Recursive.
-v - Tells “restorecon” to show which files/directories would be
     changed and to what context. If you leave this switch out,
     restorecon will exit silently.

It’s usually wise to relabel the filesystem when installing any
software that didn’t come with your distribution. This will prevent
problems like these from going unnoticed for too long.

~ Tom

On Nov 10, 2008, at 8:28 AM, Jerrad Pierce wrote:

> Is anyone running RT on a box with SELinux (ES4 in my case)?
> Everything’s been going peachy until for some reason yesterday
> things got mucked up on /dev/log and now apache/RT cannot log
> to syslog, which means several functions like merging are currently
> inaccessible. Anybody happen to know what the proper context is
> for that file? It’s currently: system_u:object_r:devlog_t and the
> errors I’m getting are:
>
> #Pre- restorecon
> Nov 9 19:30:25 rt kernel: audit(1226277025.460:207): avc: denied {
> write } for pid=6378 comm="httpd.worker" name="log" dev=tmpfs
> ino=32795 scontext=user_u:system_r:httpd_t
> tcontext=root:object_r:device_t tclass=sock_file
>
> #Post- restorecon
> Nov 9 20:23:25 rt kernel: audit(1226280205.215:999): avc: denied {
> sendto } for pid=6873 comm="httpd.worker" name="log"
> scontext=user_u:system_r:httpd_t tcontext=root:system_r:unconfined_t
> tclass=unix_dgram_socket
>
> I’ve found a few pages online with hints on how I might be able to fix
> this, but none use chcon and instead require modifying system policies
> to add:
>
> allow httpd_t device_t:sock_file write;
> allow httpd_t unconfined_t:unix_dgram_socket sendto;
>
> Which I cannot do as the necessary tools are not installed
> (and the package manager is currently out of commission).
>
> Cambridge Energy Alliance: Save money. Save the planet.

