CentOS - Jun 2015 - selinux allow apache log access

Hey guys,.

 I have a centos 7 machine I'm using as a zabbix server. And I noticed that
apache won't start, with this complaint in the error log:

(13)Permission denied: AH00091: httpd: could not open error log file
/var/log/zabbix_error_log.
AH00015: Unable to open logs


I tried having a look at audit2allow and this is the response I get back:

[root at monitor2:/etc/httpd] #grep http /var/log/audit/audit.log | audit2allow


#============= httpd_t =============allow httpd_t zabbix_log_t:file open;

How can I turn that bit of information into a rule that allows apache
access to this zabbix log file?

I notice that if I disable selinux using setenfor 0, apache starts up
without complaint. But I would rather not leave it disabled.

Thanks,
Tim

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

Try something like:

grep zabbix /var/log/audit/audit.log | audit2allow -M zabbix
semodule -i zabbix.pp

On 16/06/15 15:58, Tim Dunphy wrote:
> Hey guys,.
>
>   I have a centos 7 machine I'm using as a zabbix server. And I noticed
that
> apache won't start, with this complaint in the error log:
>
> (13)Permission denied: AH00091: httpd: could not open error log file
> /var/log/zabbix_error_log.
> AH00015: Unable to open logs
>
>
> I tried having a look at audit2allow and this is the response I get back:
>
> [root at monitor2:/etc/httpd] #grep http /var/log/audit/audit.log |
audit2allow
>
>
> #============= httpd_t =============> allow httpd_t zabbix_log_t:file
open;
>
> How can I turn that bit of information into a rule that allows apache
> access to this zabbix log file?
>
> I notice that if I disable selinux using setenfor 0, apache starts up
> without complaint. But I would rather not leave it disabled.
>
> Thanks,
> Tim
>

-- 
regards

Harold Toms
http://iodine.chem.qmul.ac.uk
"Priestley's works... tended to unsettle every thing, and yet settled 
nothing."
- Samuel Johnson.

>
> Try something like:
> grep zabbix /var/log/audit/audit.log | audit2allow -M zabbix
> semodule -i zabbix.pp


Thanks for your response! However this is what happens when I try to
install the module:

 [root at monitor2:~] #semodule -i zabbix.pp
libsepol.print_missing_requirements: zabbix's global requirements were not
met: type/attribute zabbix_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or
directory).
semodule:  Failed!


Any other thoughts?

Thanks,
Tim

On Wed, Jun 17, 2015 at 5:32 AM, Harold Toms <h.toms at qmul.ac.uk> wrote:
> Try something like:
>
> grep zabbix /var/log/audit/audit.log | audit2allow -M zabbix
> semodule -i zabbix.pp
>
>
> On 16/06/15 15:58, Tim Dunphy wrote:
>
>> Hey guys,.
>>
>>   I have a centos 7 machine I'm using as a zabbix server. And I
noticed
>> that
>> apache won't start, with this complaint in the error log:
>>
>> (13)Permission denied: AH00091: httpd: could not open error log file
>> /var/log/zabbix_error_log.
>> AH00015: Unable to open logs
>>
>>
>> I tried having a look at audit2allow and this is the response I get
back:
>>
>> [root at monitor2:/etc/httpd] #grep http /var/log/audit/audit.log |
>> audit2allow
>>
>>
>> #============= httpd_t =============>> allow httpd_t
zabbix_log_t:file open;
>>
>> How can I turn that bit of information into a rule that allows apache
>> access to this zabbix log file?
>>
>> I notice that if I disable selinux using setenfor 0, apache starts up
>> without complaint. But I would rather not leave it disabled.
>>
>> Thanks,
>> Tim
>>
>>
>
> --
> regards
>
> Harold Toms
> http://iodine.chem.qmul.ac.uk
> "Priestley's works... tended to unsettle every thing, and yet
settled
> nothing."
> - Samuel Johnson.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>


-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B