Selinux Allow Apache Log Access


Hey guys,

I have a CentOS 7 machine I’m using as a zabbix server. And I noticed that apache won’t start, with this complaint in the error log:

(13)Permission denied: AH00091: httpd: could not open error log file
/var/log/zabbix_error_log. AH00015: Unable to open logs

I tried having a look at audit2allow and this is the response I get back:

[root@monitor2:/etc/httpd] #grep http /var/log/audit/audit.log | audit2allow

#============= httpd_t =============
allow httpd_t zabbix_log_t:file open;

How can I turn that bit of information into a rule that allows apache access to this zabbix log file?

I notice that if I disable selinux using setenforce 0, apache starts up without complaint. But I would rather not leave it disabled.

Thanks, Tim

11 thoughts on - Selinux Allow Apache Log Access

  • Try something like:

    grep zabbix /var/log/audit/audit.log | audit2allow -M zabbix
    semodule -i zabbix.pp

  • Thanks for your response! However this is what happens when I try to install the module:

    [root@monitor2:~] #semodule -i zabbix.pp
    libsepol.print_missing_requirements: zabbix's global requirements were not met: type/attribute zabbix_t (No such file or directory).
    libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
    semodule: Failed!

    Any other thoughts?

    Thanks, Tim

  • That's because there's already a zabbix module loaded (the message isn't very informative!). I forgot that the received wisdom is to insert "my"
    in front of one's own modules, i.e.:

    grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix
    semodule -i myzabbix.pp

  • Hmm no luck there either:

    [root@monitor2:~] #semodule -i myzabbix.pp
    *semodule: Failed on myzabbix.pp!*

    I also tried:

    [root@monitor2:~] #semodule -i my_zabbix
    semodule: Failed on my_zabbix!

    And

    [root@monitor2:~] #semodule -i my-zabbix
    semodule: Failed on my-zabbix!

    Just in case.. none of that worked.

    Got any other ideas? :)

    Tim

  • Same deal. :(

    #semodule -i myzabbix.te
    semodule: Failed on myzabbix.te!

    sigh… but thanks any other clues?

  • Sorry, I didn’t put that very clearly. Could you show us the contents of myzabbix.te.

  • No prob! Thanks for all the help! But in searching my system I don’t find anything of the sort.

    [root@monitor2:~] #updatedb
    [root@monitor2:~] #locate myzabbix.te
    [root@monitor2:~] #find / -name "myzabbix.*"

    I also did a search using 'yum provides' to find something similar, but wasn't able to find anything.

    yum provides "*/myzabbix.*"
    … No matches found

    Maybe I’ll need to install a package?

    Thanks, Tim

  • What we’re asking for is the contents of the .te file that is created when you run audit2allow.

  • Go back to the original email and do what you were told

    # grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix
    # semodule -i myzabbix.pp

    You did audit2allow -M zabbix

    Which created zabbix.te and zabbix.pp, which is bad. It will attempt to replace the system module.

    If you use myzabbix, it will add the allow rules.
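    The reply above is the whole lesson of the thread: a module generated with the same name as one already loaded (here `zabbix`) is treated by semodule as a replacement for the system module, and fails because it does not carry that module's own type definitions. The following is an added example, not code from the thread: a small POSIX sh wrapper around the audit2allow workflow that (1) filters the AVC denials for one process, (2) picks a module name that does not collide with anything in the `semodule -l` listing, and (3) extracts the allow rules from the generated .te so they can be reviewed before `semodule -i` is run. The audit log lines, the installed-module list and the .te text are constructed samples embedded inline so the helpers run on a machine without SELinux tooling; `semodule -l` is assumed to print one module name per line, optionally followed by a version.

```shell
#!/bin/sh
# Added example (not from the thread): safe audit2allow workflow helpers.

# Constructed sample of /var/log/audit/audit.log lines (not real captures).
SAMPLE_AUDIT='type=AVC msg=audit(1500000000.123:456): avc:  denied  { open } for  pid=18664 comm="httpd" path="/var/log/zabbix_error_log" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:zabbix_log_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1500000000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1500000000.200:457): avc:  denied  { read } for  pid=999 comm="zabbix_server" path="/etc/foo" scontext=system_u:system_r:zabbix_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Constructed stand-in for `semodule -l` output (name, optional version).
INSTALLED='abrt	1.0
apache	1.0
zabbix	1.0'

# Constructed stand-in for the myzabbix.te that audit2allow -M would write.
SAMPLE_TE='module myzabbix 1.0;

require {
	type httpd_t;
	type zabbix_log_t;
	class file open;
}

#============= httpd_t ==============
allow httpd_t zabbix_log_t:file open;'

# Keep only AVC denial records raised by the named process.
# $1 = process name as it appears in comm="...", $2 = audit log text
avc_denials_for() {
  printf '%s\n' "$2" | grep 'type=AVC' | grep "comm=\"$1\""
}

# Choose a module name that does not shadow an installed module: prefix
# "my" until the name is free.  $1 = desired base name, $2 = `semodule -l` text
module_name() {
  name=$1
  installed=$(printf '%s\n' "$2" | awk '{print $1}')
  while printf '%s\n' "$installed" | grep -qx "$name"; do
    name="my$name"
  done
  printf '%s\n' "$name"
}

# List the allow rules a .te would add, so they can be reviewed first.
# $1 = contents of the .te file
te_allow_rules() {
  printf '%s\n' "$1" | grep '^allow '
}

# Print the two commands to run, using a non-colliding module name.
# $1 = process name, $2 = desired base name, $3 = `semodule -l` text
plan_commands() {
  mod=$(module_name "$2" "$3")
  printf 'grep %s /var/log/audit/audit.log | audit2allow -M %s\n' "$1" "$mod"
  printf 'semodule -i %s.pp\n' "$mod"
}

# Walk through the thread's case with the constructed data.
echo "Denials for httpd:"
avc_denials_for httpd "$SAMPLE_AUDIT"
echo "Rules the module would add:"
te_allow_rules "$SAMPLE_TE"
echo "Commands to run:"
plan_commands zabbix zabbix "$INSTALLED"
```

    On a live CentOS 7 host the three constructed variables would be replaced by `cat /var/log/audit/audit.log`, `semodule -l` and the .te that `audit2allow -M` writes into the current directory; the point of `te_allow_rules` is to read that file before installing the .pp, since every `allow` line it contains is a permanent widening of the httpd_t domain.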

  • Hey guys,

    Thanks! That worked.

    [root@monitor2:~] #grep zabbix /var/log/audit/audit.log | audit2allow -M myzabbix
    ******************** IMPORTANT ***********************
    To make this policy package active, execute:

    semodule -i myzabbix.pp

    [root@monitor2:~] #semodule -i myzabbix.pp
    [root@monitor2:~] #lsof -i :80
    [root@monitor2:~] #systemctl start httpd
    [root@monitor2:~] #lsof -i :80
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    httpd 18664 root 4u IPv6 12477027 0t0 TCP *:http (LISTEN)
    httpd 18665 apache 4u IPv6 12477027 0t0 TCP *:http (LISTEN)
    httpd 18666 apache 4u IPv6 12477027 0t0 TCP *:http (LISTEN)
    httpd 18667 apache 4u IPv6 12477027 0t0 TCP *:http (LISTEN)
    httpd 18668 apache 4u IPv6 12477027 0t0 TCP *:http (LISTEN)
    httpd 18669 apache 4u IPv6 12477027 0t0 TCP *:http (LISTEN)
    [root@monitor2:~] #getenforce
    Enforcing

    Definitely appreciate the help and sorry if there was any confusion on my part. All set at this point!

    Best, Tim