Using cronolog with httpd and selinux

Problem

By default cronolog (cronolog-1.6.2-1) will not work under selinux. You'll see audit errors in /var/log/messages that say:

kernel: audit(1142674513.482:5): avc: denied { create } for pid=5135 comm="cronolog" name="2006" scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=dir

and

kernel: audit(1142723548.453:3): avc: denied { create } for pid=3164 comm="cronolog" name="access.log" scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:httpd_log_t tclass=lnk_file

This is cronolog trying to create a new year folder and a new symbolic link to your most current access log. Both happen when cronolog is given the --symlink parameter and told to sort rolled-over logs into year-by-year folders. Here's more about cronolog usage.

Solution

This solution is for Red Hat Enterprise Linux 4 (RHEL4), though it should apply to other selinux-enabled OSes.
First, make sure that the directory the logs are being written to (more specifically, the directory in which cronolog is trying to create a symbolic link or a year directory, known to selinux as the target directory) has a security context type of "httpd_log_t". You can verify this with:

ls -aZ /your/log/dir

and confirming that the security context is correct. You should see something like this:

drwxr-xr-x root root root:object_r:httpd_log_t .
drwx------ root root system_u:object_r:httpd_log_t ..
drwxr-xr-x root root root:object_r:httpd_log_t 2003
drwxr-xr-x root root root:object_r:httpd_log_t 2004
drwxr-xr-x root root root:object_r:httpd_log_t 2005
drwxr-xr-x root root root:object_r:httpd_log_t 2006

If the security context is not correct, use the "chcon" command to set it.

Once you've confirmed that the target directory has a security context of httpd_log_t, all you have to do is create a custom policy.

You can read about how to do this here. Here are the steps:

  • Install the selinux-policy-targeted-sources rpm

    up2date -i selinux-policy-targeted-sources

  • Stop apache

    service httpd stop

  • Create a new local custom security policy (here I'm using nano; use whatever editor you want: vi, emacs, etc.)

    nano /etc/selinux/targeted/src/policy/domains/misc/local.te

  • Add in the following text to local.te

    allow httpd_t httpd_log_t:dir create;
    allow httpd_t httpd_log_t:lnk_file create;

  • Save the file
  • Compile the new policy

    cd /etc/selinux/targeted/src/policy
    make load

  • Start apache

    service httpd start
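The two allow rules above are derived directly from the two avc denials quoted at the top of the page: the source type comes from scontext, the target type from tcontext, the object class from tclass, and the permission from the braces. The script below is an added example (not part of the original page, and not cronolog's or Red Hat's code) that performs that derivation over the page's own denial lines, the same way audit2allow does, and that extracts the type from an ls -Z listing line so you can check the target directory is labelled httpd_log_t before writing any policy. The sample log lines and listing line are constructed from the page.

```shell
#!/bin/sh
# Added example: derive minimal SELinux allow rules from AVC denial lines
# and check a directory label from ls -Z output. Not from the original page.

# Constructed sample: the two denial lines quoted on the page, as they
# appear in /var/log/messages on RHEL4.
SAMPLE_AVC='kernel: audit(1142674513.482:5): avc: denied { create } for pid=5135 comm="cronolog" name="2006" scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=dir
kernel: audit(1142723548.453:3): avc: denied { create } for pid=3164 comm="cronolog" name="access.log" scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:httpd_log_t tclass=lnk_file'

# avc_to_allow: read denial lines on stdin, print one "allow" rule per
# distinct (source type, target type, class, permission) tuple, in the
# order first seen. The type is the third colon-separated field of a
# context; a trailing MLS level (":s0") on newer systems is ignored.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        # permission list sits between the braces, e.g. "{ create }"
        perm = $0
        sub(/.*denied +[{] */, "", perm)
        sub(/ *[}].*/, "", perm)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        n = split(perm, plist, " ")
        for (j = 1; j <= n; j++) {
            rule = "allow " src " " tgt ":" cls " " plist[j] ";"
            if (!(rule in seen)) { seen[rule] = 1; print rule }
        }
    }'
}

# label_type: given one line of "ls -Z" output, print the type portion of
# its security context (the field with at least two colons).
label_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if (split($i, a, ":") >= 3) { print a[3]; exit }
        }
    }'
}

# Stand-alone run: check a constructed listing line, then print the rules
# that the page's two denials call for.
SAMPLE_LS='drwxr-xr-x root root root:object_r:httpd_log_t 2006'
if [ "$(label_type "$SAMPLE_LS")" = "httpd_log_t" ]; then
    echo "target directory type ok: httpd_log_t"
else
    echo "target directory is not httpd_log_t; fix with chcon before adding policy"
fi
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Run against real data with something like `grep 'avc: *denied' /var/log/messages | avc_to_allow`. The output is only a starting point: read each rule before loading it, and keep the pair scoped to httpd_t acting on httpd_log_t as it is here. Feeding every denial in the log through this (or through audit2allow) without looking produces rules that quietly widen what the confined httpd_t domain may touch.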

At this point, check /var/log/messages and your log directory: you should see no more selinux audit messages, and cronolog should have created its directories and symbolic links.

  1. Oct 19, 2010

    Anonymous says:

    Thanks for the tip. Here's an update for RedHat 5.x and friends that worked for me:

    1) Make sure the SELinux Policy development package is installed:

    2) Follow these instructions (http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html) to create a local.te file with this content

    3) Build your new policy:

    4) Install it:

    5) Restart apache