httpd avc denied problem

Karsten Wade kwade at redhat.com
Tue Nov 30 21:12:27 UTC 2004


On Tue, 2004-11-30 at 11:41, Arthur Stephens wrote:
> opps.. I forgot to check /var/log/httpd/error_log
> Before
> (13)Permission denied: httpd: could not open error log file
> /var/www/spokanewines.com/logs/error_log.
> Unable to open logs
> After
> (13)Permission denied: httpd: could not open error log file
> /var/www/tangleheart.com/logs/error_log.

I think I know what is going on.

When httpd is starting, it tries to write to the logs, fails on the
first one, issues an error, and quits.  Since you fixed the labeling, it
actually passed spokanewines.com/logs/error_log and went to the next
one, where it errors again.

I'd reckon that it's going through your domains in the order they appear
in httpd.conf.

Try this:

  chcon -R -t httpd_log_t /var/www/*/logs/*
  service httpd start

- Karsten

> Unable to open logs
> 
> Looks like it just switched to another directory....hmmmm
> 
> ----- Original Message ----- 
> From: "Daniel J Walsh" <dwalsh at redhat.com>
> To: "Fedora SELinux support list for users & developers."
> <fedora-selinux-list at redhat.com>
> Sent: Tuesday, November 30, 2004 11:25 AM
> Subject: Re: httpd avc denied problem
> 
> 
> > Arthur Stephens wrote:
> >
> > >----- Original Message ----- 
> > >From: "Karsten Wade" <kwade at redhat.com>
> > >To: "Fedora SELinux support list for users & developers."
> > ><fedora-selinux-list at redhat.com>
> > >Sent: Tuesday, November 30, 2004 5:03 AM
> > >Subject: Re: httpd avc denied problem
> > >
> > >
> > >
> > >
> > >>On Mon, 2004-11-29 at 16:53, Arthur Stephens wrote:
> > >>
> > >>
> > >>>>/var/www/, as defined in
> > >>>>/etc/selinux/targeted/src/policy/file_contexts/file_contexts:
> > >>>>
> > >>>>
> > >>>OK Mine is  located someplace different
> > >>> /etc/selinux/targeted/context/files/file_contexts
> > >>>
> > >>>
> > >>Yeah, it's the same file as the one in the policy sources
> > >>(targeted/src/policy), which comes from the
> > >>selinux-policy-targeted-sources directory.  You shouldn't need that
> > >>unless you have to customize the policy, which doesn't sound necessary
> > >>yet.
> > >>
> > >>
> > >>
> > >>>>/var/www(/.*)?                  system_u:object_r:httpd_sys_content_t
> > >>>>
> > >>>>It looks as if the httpd policy needs the logs to be a different type:
> > >>>>
> > >>>>
> > >>>Mine says the same...
> > >>>But there is a
> > >>>/etc/httpd/logs                        system_u:object_r:httpd_log_t
> > >>>
> > >>>
> > >>And this:
> > >>
> > >>/var/log/httpd(/.*)?            system_u:object_r:httpd_log_t
> > >>
> > >>I suppose either would work, since httpd_t can append to httpd_log_t and
> > >>httpd_runtime_t.  httpd_log_t looks like the proper one to use.
> > >>
> > >>
> > >>
> > >>>But what puzzles me is why only this one log directory....all the others
> > >>>like it work...
> > >>>
> > >>>
> > >>This is with httpd_unified set to true?
> > >>
> > >>
> > >
> > >Yes actually mine says "active"
> > >
> > >AIUI, it must be set to true,
> > >
> > >
> > >>if httpd_t can append to httpd_sys_content_t.
> > >>
> > >>For 'ls -Z /var/www' are all the directories essentially the same
> > >>permissions?  I'm not thinking the problem is regular UNIX permissions
> > >>because you got an AVC denial ... something is fishy.
> > >>
> > >>
> > >
> > >ls -Z /var/www
> > >drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t aha
> > >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t arthurstephens.com
> > >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t birdshield.com
> > >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_script_exec_t cgi-bin
> > >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t charlieh
> > >drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t cvafoundation.org
> > >drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t davidh
> > >drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t digitalcreations
> > >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t error
> > >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t html
> > >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t icons
> > >drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t jjakober
> > >drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t kodiaks
> > >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t lindarosephoto.com
> > >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t lwccspokane.org
> > >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t manual
> > >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t pteraweb
> > >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t ptootie
> > >drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t punisher
> > >drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t spokanewines.com
> > >drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t stevefm
> > >drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t suetkr
> > >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t tangleheart.com
> > >drwxr-xr-x  webalize root     system_u:object_r:httpd_sys_content_t usage
> > >drwxrwxrwx  apache   apache   system_u:object_r:httpd_sys_content_t wag1designs
> > >
> > >
> > >
> > >>Does it error if you change the type of the log files to httpd_log_t?
> > >>I.e.,
> > >>
> > >>  chcon -R -t httpd_log_t /var/www/spokanewines.com/logs/*
> > >>
> > >>
> > >
> > >Issued the above command and then service httpd start
> > >
> > >Nov 30 13:31:29 webmail kernel: audit(1101850289.759:0): avc:  denied  { append } for  pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0 ino=552157 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
> > >Nov 30 13:31:29 webmail httpd: httpd startup failed
> > >
> > >ls -Z /var/www/spokanewines.com/logs
> > >-rw-r--r--  root     root     system_u:object_r:httpd_log_t    access_log
> > >-rw-r--r--  root     root     system_u:object_r:httpd_log_t    error_log
> > >
> > >
> >
> > Are you sure this error_log is the one represented by  ino=552157???
> >
> > >
> > >
> > >>Can you send in the avc:  denied errors that you are getting?  I can't
> > >>imagine how this would be a policy bug, but it's worth looking into.
> > >>
> > >>- Karsten
> > >>
> > >>
> > >>>EXAMPLES
> > >>>/var/www/arthurstephens.com/logs
> > >>>[root at webmail arthurstephens.com]# ls -alZ logs/
> > >>>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
> > >>>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t ..
> > >>>-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t access_log
> > >>>-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t error_log
> > >>>
> > >>>/var/www/cvafoundation.org/logs
> > >>>[root at webmail cvafoundation.org]# ls -alZ logs/
> > >>>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
> > >>>drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t ..
> > >>>-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t access_log
> > >>>-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t error_log
> > >>>
> > >>>But this one fails...
> > >>>/var/www/spokanewines.com/logs
> > >>>[root at webmail spokanewines.com]# ls -alZ logs
> > >>>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
> > >>>drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t ..
> > >>>-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t access_log
> > >>>-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t error_log
> > >>>
> > >>>
> > >>-- 
> > >>Karsten Wade, RHCE, Tech Writer
> > >>a lemon is just a melon in disguise
> > >>http://people.redhat.com/kwade/
> > >>gpg fingerprint: 2680 DBFD D968 3141 0115  5F1B D992 0E06 AD0E 0C41
> > >>
> > >>--
> > >>fedora-selinux-list mailing list
> > >>fedora-selinux-list at redhat.com
> > >>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > >>
> > >>
> > >
> > >
> > >
> >
> 
-- 
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115  5F1B D992 0E06 AD0E 0C41
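Added example, not part of the thread above: a small POSIX sh helper that parses a kernel AVC "denied" line in the exact shape Arthur posted, summarises who was denied what on which label, and locates the denied inode on disk so you can check the file httpd actually opened (Dan Walsh's ino=552157 question) rather than the one you assume. The sample line is constructed from the one in the thread; the function names are mine.

```shell
#!/bin/sh
# Constructed sample, same shape as the 2004-era kernel audit message in the thread.
SAMPLE_AVC='Nov 30 13:31:29 webmail kernel: audit(1101850289.759:0): avc:  denied  { append } for  pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0 ino=552157 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file'

# avc_field LINE KEY -> value of the first KEY=value token in LINE.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# avc_permission LINE -> the permission(s) listed inside { ... }.
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\) *}.*/\1/p' | sed 's/ *$//'
}

# type_of CONTEXT -> the type component (user:role:type) of a security context.
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> one human-readable line: source type, permission,
# object class and name, and the label the object actually carries.
avc_summary() {
    printf '%s denied %s on %s "%s" labeled %s (dev=%s ino=%s)\n' \
        "$(type_of "$(avc_field "$1" scontext)")" \
        "$(avc_permission "$1")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" name)" \
        "$(type_of "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" dev)" \
        "$(avc_field "$1" ino)"
}

# find_denied_inode LINE ROOT -> path(s) under ROOT with the denied inode number,
# so the label you inspect with ls -Z is the one httpd was refused on.
find_denied_inode() {
    find "$2" -xdev -inum "$(avc_field "$1" ino)" 2>/dev/null
}

avc_summary "$SAMPLE_AVC"
# On a live box: find_denied_inode "$line_from_syslog" /var/www | xargs ls -Z
```

Labels set with chcon do not survive a filesystem relabel, so once the relabel in Karsten's reply works, the lasting form of the fix is a file_contexts pattern that maps the per-vhost logs directories to httpd_log_t.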