
Apply SELinux context type recursively to /var/log/www
Closed, Public

Authored by dereckson on Fri, Sep 12, 18:41.

Details

Summary

When restarting nginx on Dwellers, SELinux raised a permission denied
for /var/log/www/error.log. That file had the var_log_t context.

This was particularly a defect as roles/webserver-core/nginx/config
was applied immediately before the restart to prune OCSP config
and should have ensured the context of logs was correct:
selinux.fcontext_policy_applied isn't recursive by default.

Test Plan

Deployed on Dwellers

Diff Detail

Repository: rOPS Nasqueron Operations
Lint: Lint Passed
Unit: No Test Coverage
Branch: var-log-www-selinux
Build Status: Buildable 5872, Build 6154: arc lint + arc unit

Event Timeline

dereckson created this revision.

When applying policy to /var/log/www, everything becomes var_log_t:

/var/log/www/vault/vault-notifications-error.log:
    ----------
    new:
        ----------
        sel_type:
            var_log_t
    old:
        ----------
        sel_type:
            httpd_log_t

Better, journalctl contains:

Sep 12 18:43:33 dwellers.nasqueron.org salt-minion[3641871]: Running semanage fcontext -l | grep -E '^/var/log/www[ ]+all files[ ]+[^:]+:[^:]+:httpd_log_t:[^:]+[ |        ]*$'

If I run it:

$ semanage fcontext -l | grep -E '^/var/log/www[ ]+all files[ ]+[^:]+:[^:]+:httpd_log_t:[^:]+[ |        ]*$'
/var/log/www                                       all files          system_u:object_r:httpd_log_t:s0

Hack to comply with SELinux and selinux Salt code.
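Added illustration, not code from this revision: a simplified model of how SELinux file-context specs match paths, which reproduces the old: httpd_log_t → new: var_log_t flip quoted above. Each spec is a regex anchored at both ends against the full path, and among matching specs the one with the longest literal stem wins (ties go to the later spec, as semanage-added local rules are read after the base policy); the stock policy's var_log_t rule is assumed here to be the usual /var/log(/.*)? entry, and the rule without a (/.*)? suffix is the one `semanage fcontext -l` printed above.

```python
import re

# (regex, type) pairs. BASE_POLICY stands in for the stock policy's var_log_t
# rule (assumed form). LOCAL_RULE_AS_DEPLOYED is the rule shown by
# `semanage fcontext -l` on the page: no "(/.*)?" suffix, so as an anchored
# regex it names the directory itself and nothing below it.
BASE_POLICY = [("/var/log(/.*)?", "var_log_t")]
LOCAL_RULE_AS_DEPLOYED = ("/var/log/www", "httpd_log_t")
LOCAL_RULE_FOR_TREE = ("/var/log/www(/.*)?", "httpd_log_t")


def literal_stem(regex):
    """Leading part of a spec that contains no regex metacharacters."""
    return re.match(r"[^.^$?*+()\[\]{}|\\]*", regex).group(0)


def expected_type(path, specs):
    """Type the specs assign to path, or None when no spec matches.

    Longest literal stem wins; on a tie the later spec wins, which is how a
    semanage local rule overrides the base policy entry for the same path.
    """
    best = None
    for regex, sel_type in specs:
        if re.fullmatch(regex, path):
            stem = len(literal_stem(regex))
            if best is None or stem >= best[0]:
                best = (stem, sel_type)
    return best[1] if best else None


def relabel_tree(paths, specs):
    """Simulate `restorecon -R`: map every path to the type the specs give it."""
    return {p: expected_type(p, specs) for p in paths}


# Constructed sample tree: the directory and the two files named on the page.
TREE = [
    "/var/log/www",
    "/var/log/www/error.log",
    "/var/log/www/vault/vault-notifications-error.log",
]

if __name__ == "__main__":
    deployed = relabel_tree(TREE, BASE_POLICY + [LOCAL_RULE_AS_DEPLOYED])
    fixed = relabel_tree(TREE, BASE_POLICY + [LOCAL_RULE_FOR_TREE])
    for p in TREE:
        # Directory-only rule: children fall back to var_log_t, as observed.
        print(f"{p}: deployed={deployed[p]} with-tree-rule={fixed[p]}")
```

Running it shows that with the directory-only rule a recursive relabel gives httpd_log_t to /var/log/www but var_log_t to everything beneath it, while a rule covering the tree labels all three paths httpd_log_t.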

dereckson edited the test plan for this revision.
This revision is now accepted and ready to land. Fri, Sep 12, 19:01