[CentOS] selinux...

Wed Oct 7 17:59:50 UTC 2009
Meenoo Shivdasani <meenoo at gmail.com>

> Then we can go to:
> <...> avc:  denied  { write } for  pid=5898 comm="LLAWP"
> path="/var/log/httpd/smagent.log" dev=sda3 ino=<whatever>
> scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0
> tclass=file

When selinux is configured for permissive mode, the action is
permitted, but selinux still logs a denial message -- if the mode is
set to "enforcing" then the action itself would be denied and a denial
message would be logged.  Permissive mode shows you what things would
be denied, but doesn't actually deny them.

Basically, what's happening with your SiteMinder app is that the
selinux policy doesn't permit the source executable context to write
to the smagent.log file due to the file's context.

Check out http://www.linuxforums.org/articles/accomodating-avc-denied-messages-selinux_355.html

This explains how to decipher the denial message and how to use
audit2allow to specifically permit your application to write to the
appropriate log file.

HTH,

M
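Added worked example (not part of the original thread or of any CentOS/SELinux tooling): a small POSIX shell script that does by hand what the first stage of audit2allow does, taking AVC denial lines, pulling out the source type, target type, object class and permission set, and turning them into the `allow` rule that would end up in a generated module. The sample AVC lines are constructed for this example; the "LLAWP" command name, the smagent.log path and the httpd_t/httpd_log_t contexts come from the quoted denial, while the timestamps, pid and inode values are made up. The real commands a practitioner would run on the box are shown in comments, not executed, so the script runs offline.

```bash
#!/bin/sh
# Added example, not code from the original post.  Parses AVC denial
# records and emits the TE allow rules audit2allow would generate.
#
# On the affected machine the equivalent real-tool pipeline is roughly:
#   getenforce                                   # "Permissive" or "Enforcing"
#   ausearch -m avc -c LLAWP | audit2allow -M smagent
#   semodule -i smagent.pp
# Those tools are not invoked here so the example works offline.

# Constructed sample denials (timestamps, pid and inode are made up;
# the contexts, path and comm mirror the quoted message).
SAMPLE_AVC='type=AVC msg=audit(1254938390.123:4567): avc:  denied  { write } for  pid=5898 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file'
SAMPLE_AVC2='type=AVC msg=audit(1254938391.456:4568): avc:  denied  { append } for  pid=5898 comm="LLAWP" path="/var/log/httpd/smagent.log" dev=sda3 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_log_t:s0 tclass=file'

# The SELinux type is the third field of a context such as
# root:system_r:httpd_t:s0 (user:role:type:level).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print "source_type target_type class perm [perm...]" for one AVC line.
avc_fields() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*{ \([^}]*\) }.*/\1/p')
    stype=$(context_type "$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')")
    ttype=$(context_type "$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')")
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    printf '%s %s %s %s\n' "$stype" "$ttype" "$tclass" "$perms"
}

# Turn one AVC line into the TE rule that would permit it.
allow_rule() {
    set -- $(avc_fields "$1")
    stype=$1; ttype=$2; tclass=$3; shift 3
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$*"
}

# Collapse many AVC lines (on stdin) into one rule per
# (source type, target type, class), merging the permission sets the
# way audit2allow does for repeated denials.
merge_rules() {
    while IFS= read -r line; do
        [ -n "$line" ] && avc_fields "$line"
    done | awk '
        { key = $1 " " $2 ":" $3
          for (i = 4; i <= NF; i++)
              if (!seen[key, $i]++) perms[key] = perms[key] " " $i }
        END { for (k in perms) printf "allow %s {%s };\n", k, perms[k] }' | sort
}

# Stand-alone demonstration.
allow_rule "$SAMPLE_AVC"
printf '%s\n%s\n' "$SAMPLE_AVC" "$SAMPLE_AVC2" | merge_rules
```

Before loading a rule like this with semodule, it is worth checking that an `allow` is really the right fix: `matchpathcon /var/log/httpd/smagent.log` and `restorecon -v /var/log/httpd/smagent.log` show whether the file is simply mislabelled, and `getsebool -a` shows whether an existing boolean already covers the access. audit2allow permits exactly what was denied, so every rule it produces widens the policy for that domain.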