installation: /usr/share/log Not writable

If you figure out how to do something interesting/cool in Cacti and want to share it with the community, please post your experience here.

Moderators: Developers, Moderators

Post Reply
lgcmorris
Posts: 8
Joined: Tue May 24, 2022 3:39 am

installation: /usr/share/log Not writable

Post by lgcmorris »

---------Setup----------
Cent OS 8 Stream
Cacti 1.2.20-1.el8

I can confirmed that its SElinux issue because it was fixed when i turn off SE temporary to permissive mode. But I would like to have SEllinux in-placed for security reason. I'm new to SElinux, how do I configure it to have the correct permission?


Here I share the SE context
root@localhost cacti.admin]# ls -Z /usr/share/cacti/ | grep log
system_u:object_r:usr_t:s0 auth_login.php
system_u:object_r:usr_t:s0 clog.php
system_u:object_r:usr_t:s0 clog_user.php
system_u:object_r:usr_t:s0 log
system_u:object_r:usr_t:s0 logout.php

[root@localhost cacti.admin]# matchpathcon -V /usr/share/cacti/log/
/usr/share/cacti/log verified.

UID for the PS
cacti.a+ 43330 2349 21 14:40 tty2 00:00:08 /usr/lib64/firefox/firefox
cacti.a+ 43547 43330 1 14:40 tty2 00:00:00 /usr/lib64/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 7
cacti.a+ 43575 43330 1 14:40 tty2 00:00:00 /usr/lib64/firefox/firefox -contentproc -childID 3 -isForBrowser -prefsLen 5
cacti.a+ 43694 43330 4 14:40 tty2 00:00:01 /usr/lib64/firefox/firefox -contentproc -childID 4 -isForBrowser -prefsLen 6
cacti.a+ 43736 43330 0 14:40 tty2 00:00:00 /usr/lib64/firefox/firefox -contentproc -childID 5 -isForBrowser -prefsLen 6
Attachments
cacti not writable.JPG
cacti not writable.JPG (110.57 KiB) Viewed 6157 times
User avatar
TheWitness
Developer
Posts: 17047
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA
Contact:

Re: installation: /usr/share/log Not writable

Post by TheWitness »

Just read the messages going into /var/log/messages. There is a utility called audit2allow that you literally simply have to follow your nose via it's use. Basically, you put SELinux in Permissive mode, watch the log and create a series of policies that cover activities in Cacti that are permissible, and then when you think you've got them all, you can goto Restrictive. Others over the years have created policy files, but they are all path dependent, and Debian and variants do things differently than say RHEL and variants. There are even differences between using Apache and NGinx. Good luck.
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
lgcmorris
Posts: 8
Joined: Tue May 24, 2022 3:39 am

Re: installation: /usr/share/log Not writable

Post by lgcmorris »

Output from the command. UID: is apache

[root@sgmkbccti01p cactiadmin]# ausearch -m AVC,USER_AVC -ts recent
----
time->Thu May 26 14:02:41 2022
type=PROCTITLE msg=audit(1653544961.302:243): proctitle=7068702D66706D3A20706F6F6C20777777
type=SYSCALL msg=audit(1653544961.302:243): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffc02a5b320 a2=241 a3=1b6 items=0 ppid=3597 pid=3607 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1653544961.302:243): avc: denied { write } for pid=3607 comm="php-fpm" path="/var/log/cacti/769162589628f18014a0dc.tmp" dev="dm-0" ino=27280838 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0

Now can confirmed its denied write but I don't know what's the correct context for this. Need help.
lgcmorris
Posts: 8
Joined: Tue May 24, 2022 3:39 am

Re: installation: /usr/share/log Not writable

Post by lgcmorris »

I followed this and it worked.

type=AVC msg=audit(1653544968.525:248): avc: denied { write } for pid=3605 comm="php-fpm" path="/var/log/cacti/647359037628f18088066d.tmp" dev="dm-0" ino=26643319 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.


[root@sgmkbccti01p cactiadmin]# sealert -l 324854ce-98bb-45f4-ba3f-321879feef95
SELinux is preventing /usr/sbin/php-fpm from write access on the file /var/log/cacti/647359037628f18088066d.tmp.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that php-fpm should be allowed write access on the 647359037628f18088066d.tmp file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
# semodule -i my-phpfpm.pp


root@sgmkbccti01p cactiadmin]# audit2allow -a
#============= httpd_t ==============
allow httpd_t configfs_t:dir getattr;
allow httpd_t httpd_log_t:dir remove_name;

#!!!! This avc is allowed in the current policy
allow httpd_t httpd_log_t:file write; #This allowed the file type httpd_log_t to write
User avatar
TheWitness
Developer
Posts: 17047
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA
Contact:

Re: installation: /usr/share/log Not writable

Post by TheWitness »

Glad you figured it out. If we were not such a fledgling group, we would publish a rule set for SELinux for the various installs and OS variations, but sadly, not enough time. It's mostly a hobby for some of us, and for others, something we do at work and get worn out on if we spend too many hours at it.
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of dozens of Cacti plugins and customization's. Advocate of LAMP, MariaDB, IBM Spectrum LSF and the world of batch. Creator of IBM Spectrum RTM, author of quite a bit of unpublished work and most of Cacti's bugs.
_________________
Official Cacti Documentation
GitHub Repository with Supported Plugins
Percona Device Packages (no support)
Interesting Device Packages


For those wondering, I'm still here, but lost in the shadows. Yearning for less bugs. Who want's a Cacti 1.3/2.0? Streams anyone?
wileecoyote
Posts: 1
Joined: Mon Nov 18, 2024 2:52 pm

Re: installation: /usr/share/log Not writable

Post by wileecoyote »

I fixed this permissions issue with the following commands;

semanage fcontext -m -f a -t httpd_sys_rw_content_t -r 's0' '/var/log/cacti(/.*)?'
restorecon -R -v /var/log/cacti/
Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest