httpd avc denied problem

Arthur Stephens astephens at ptera.net
Thu Dec 2 20:04:28 UTC 2004


OK, that solved that problem but showed up another one.
I have a folder under /var/log/httpd
called /mail
in which I put log messages that come from SquirrelMail.
httpd fails with this informative message...
'Unable to open logs'
/var/log/messages
'httpd: httpd startup failed'

I look at the /var/log/httpd directory and I do see this folder I created is
labeled differently
[root at webmail ~]# ls -Z /var/log/httpd/
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    access_log
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    access_log.1
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    error_log
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    error_log.1
drwxr-xr-x  root     root    system_u:object_r:httpd_log_t        mail
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    ssl_access_log
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    ssl_error_log
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    ssl_error_log.1
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    ssl_request_log

And here is what I have in my custom.fc
/var/www/.*/logs(/.*)?            system_u:object_r:httpd_log_t
/var/log/httpd/mail(/.*)?               system_u:object_r:httpd_log_t
/var/log/httpd/mail                     system_u:object_r:httpd_log_t

[root at webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r--  root     root     root:object_r:httpd_runtime_t    error_log

After running fixfiles relabel
[root at webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    error_log

service httpd start
httpd fails with this informative message...
'Unable to open logs'
/var/log/messages
'httpd: httpd startup failed'

So I am right in thinking at this point the problem is no longer with
SELinux?

Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens at ptera.net
509-927-Ptera

----- Original Message ----- 
From: "Daniel J Walsh" <dwalsh at redhat.com>
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list at redhat.com>
Sent: Thursday, December 02, 2004 10:46 AM
Subject: Re: httpd avc denied problem


> Arthur Stephens wrote:
>
> >I installed the policy sources on my fedora core 3. :)
> >Got to step one
> >Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
> >
> >There is no such file  :(
> >[root at webmail ~]# ls /etc/selinux/targeted/src/policy/file_contexts/
> >distros.fc  misc  program  types.fc
> >[root at webmail ~]#
> >
> >
> OK, create a file in the misc directory called custom.fc; the file_contexts
> file is only created via the makefile.
>
> echo "/var/www/.*/logs(/.*)?            system_u:object_r:httpd_log_t" >> misc/customer.fc
> Then rebuild policy
>
> make load
> Now restorecon
>
>
>
> >Arthur Stephens
> >Sales Technician
> >Ptera Wireless Internet
> >astephens at ptera.net
> >509-927-Ptera
> >
> >----- Original Message ----- 
> >From: "Karsten Wade" <kwade at redhat.com>
> >To: "Fedora SELinux support list for users & developers."
> ><fedora-selinux-list at redhat.com>
> >Sent: Tuesday, November 30, 2004 2:01 PM
> >Subject: Re: httpd avc denied problem
> >
> >
> >
> >
> >>On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
> >>
> >>
> >>
> >>>  chcon -R -t httpd_log_t /var/www/*/logs/*
> >>>  service httpd start
> >>>
> >>>
> >>BTW, if this works, you'll want to do something to make the change
> >>permanent.  Otherwise, the next running of restorecon will hose your
> >>configuration.
> >>
> >>Two options jump to mind:
> >>
> >>* Move the logs into a path that will receive httpd_log_t, i.e.,
> >>/var/logs/httpd/
> >>
> >>* Install the policy sources (yum install
> >>selinux-policy-targeted-sources), and do the following:
> >>
> >>1. Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
> >>
> >>2. Add this line:
> >>/var/www/.*/logs(/.*)?            system_u:object_r:httpd_log_t
> >>
> >>Feel free to correct my regexp, but I think it's right. :)
> >>
> >>3. In /etc/selinux/targeted/src/policy rebuild the policy with 'make
> >>load'.  This will build and load the new policy directly into memory.
> >>
> >>4. If you now do restorecon, the /var/www/*/logs directories should get
> >>the proper context.
> >>
> >>Be aware that if you make another change to SELinux, especially using
> >>system-config-securitylevel, the file /.autorelabel may get created.
> >>That triggers a relabeling on reboot, and may hose any manual
> >>customizations not fixed in policy.
> >>
> >>- Karsten
> >>-- 
> >>Karsten Wade, RHCE, Tech Writer
> >>a lemon is just a melon in disguise
> >>http://people.redhat.com/kwade/
> >>gpg fingerprint: 2680 DBFD D968 3141 0115  5F1B D992 0E06 AD0E 0C41
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
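
Added example, not part of the original thread: a small shell check of which of the three custom.fc entries quoted in the message match a given path. It assumes only that SELinux anchors each file-context regex at both ends, which grep -E -x models here; the function names fc_matches and fc_count are hypothetical, and the entries and paths are a constructed copy of the ones in the message.

```shell
#!/bin/sh
# Constructed copy of the custom.fc entries quoted in the message above.
CUSTOM_FC='/var/www/.*/logs(/.*)?            system_u:object_r:httpd_log_t
/var/log/httpd/mail(/.*)?               system_u:object_r:httpd_log_t
/var/log/httpd/mail                     system_u:object_r:httpd_log_t'

# fc_matches PATH (hypothetical helper): print every "regex context" entry
# whose regex matches the whole of PATH. File-context regexes are anchored
# at both ends, so grep -x (whole-line match) with -E stands in for that.
fc_matches() {
    path=$1
    printf '%s\n' "$CUSTOM_FC" | while read -r regex context; do
        [ -n "$regex" ] || continue
        if printf '%s\n' "$path" | grep -Eqx -e "$regex"; then
            printf '%s %s\n' "$regex" "$context"
        fi
    done
}

# fc_count PATH (hypothetical helper): number of entries matching PATH.
fc_count() {
    fc_matches "$1" | wc -l | tr -d ' '
}

# The directory itself is matched by both mail entries, because the
# "(/.*)?" suffix is optional; the bare third entry is therefore redundant.
# Sibling names such as "mailbox" or "logs.old" match nothing, because the
# optional suffix must begin with "/" and the match is anchored.
for p in /var/log/httpd/mail \
         /var/log/httpd/mail/error_log \
         /var/log/httpd/mailbox \
         /var/www/site1/logs \
         /var/www/site1/logs.old; do
    printf '%s -> %s matching entries\n' "$p" "$(fc_count "$p")"
done
```

On a live system, matchpathcon reports the context the loaded policy assigns to a path, which is the authoritative version of this check.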



