httpd avc denied problem

Daniel J Walsh dwalsh at redhat.com
Thu Dec 2 20:03:04 UTC 2004


Arthur Stephens wrote:

>Ok that solved that problem but showed up another one.
>I have a folder under /var/log/httpd
>called /mail
>in which I put log messages that come from SquirrelMail.
>httpd fails with this informative message...
>'Unable to open logs'
>/var/log/messages
>'httpd: httpd startup failed'
>
>I look at the /var/log/httpd directory and I do see that this folder I created is
>labeled differently
>[root at webmail ~]# ls -Z /var/log/httpd/
>-rw-r--r--  root     root     system_u:object_r:httpd_log_t    access_log
>-rw-r--r--  root     root     system_u:object_r:httpd_log_t    access_log.1
>-rw-r--r--  root     root     system_u:object_r:httpd_log_t    error_log
>-rw-r--r--  root     root     system_u:object_r:httpd_log_t    error_log.1
>drwxr-xr-x  root     root     system_u:object_r:httpd_log_t    mail
>-rw-r--r--  root     root     system_u:object_r:httpd_log_t    ssl_access_log
>-rw-r--r--  root     root     system_u:object_r:httpd_log_t    ssl_error_log
>-rw-r--r--  root     root     system_u:object_r:httpd_log_t    ssl_error_log.1
>-rw-r--r--  root     root     system_u:object_r:httpd_log_t    ssl_request_log
>
>And here is what I have in my custom.fc
>/var/www/.*/logs(/.*)?            system_u:object_r:httpd_log_t
>/var/log/httpd/mail(/.*)?               system_u:object_r:httpd_log_t
>/var/log/httpd/mail                     system_u:object_r:httpd_log_t
>
>[root at webmail ~]# ls -Z /var/log/httpd/mail/
>-rw-r--r--  root     root     root:object_r:httpd_runtime_t    error_log
>
>After running fixfiles relabel
>[root at webmail ~]# ls -Z /var/log/httpd/mail/
>-rw-r--r--  root     root     system_u:object_r:httpd_log_t    error_log
>
>service httpd start
>httpd fails with this informative message...
>'Unable to open logs'
>/var/log/messages
>'httpd: httpd startup failed'
>
>So am I right in thinking at this point the problem is no longer with
>selinux?
>
I have no idea,

type
setenforce 0
service httpd start

If this works, then the problem is SELinux; if not, then it probably is
not SELinux.

setenforce 0 turns off selinux protection.  setenforce 1 turns it back on.

>Arthur Stephens
>Sales Technician
>Ptera Wireless Internet
>astephens at ptera.net
>509-927-Ptera
>
>----- Original Message ----- 
>From: "Daniel J Walsh" <dwalsh at redhat.com>
>To: "Fedora SELinux support list for users & developers."
><fedora-selinux-list at redhat.com>
>Sent: Thursday, December 02, 2004 10:46 AM
>Subject: Re: httpd avc denied problem
>
>
>>Arthur Stephens wrote:
>>>I installed the policy sources on my fedora core 3. :)
>>>Got to step one
>>>Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
>>>
>>>There is no such file  :(
>>>[root at webmail ~]# ls /etc/selinux/targeted/src/policy/file_contexts/
>>>distros.fc  misc  program  types.fc
>>>[root at webmail ~]#
>>>
>>OK, create a file in the misc directory called custom.fc; the file_contexts
>>file is only created by the makefile.
>>
>>echo "/var/www/.*/logs(/.*)?            system_u:object_r:httpd_log_t" >> misc/custom.fc
>>
>>Then rebuild policy
>>
>>make load
>>Now restorecon
>>
>>
>>>Arthur Stephens
>>>Sales Technician
>>>Ptera Wireless Internet
>>>astephens at ptera.net
>>>509-927-Ptera
>>>
>>>----- Original Message ----- 
>>>From: "Karsten Wade" <kwade at redhat.com>
>>>To: "Fedora SELinux support list for users & developers."
>>><fedora-selinux-list at redhat.com>
>>>Sent: Tuesday, November 30, 2004 2:01 PM
>>>Subject: Re: httpd avc denied problem
>>>
>>>
>>>>On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
>>>>
>>>>> chcon -R -t httpd_log_t /var/www/*/logs/*
>>>>> service httpd start
>>>>>
>>>>BTW, if this works, you'll want to do something to make the change
>>>>permanent.  Otherwise, the next running of restorecon will hose your
>>>>configuration.
>>>>
>>>>Two options jump to mind:
>>>>
>>>>* Move the logs into a path that will receive httpd_log_t, i.e.,
>>>>/var/log/httpd/
>>>>
>>>>* Install the policy sources (yum install
>>>>selinux-policy-targeted-sources), and do the following:
>>>>
>>>>1. Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
>>>>
>>>>2. Add this line:
>>>>/var/www/.*/logs(/.*)?            system_u:object_r:httpd_log_t
>>>>
>>>>Feel free to correct my regexp, but I think it's right. :)
>>>>
>>>>3. In /etc/selinux/targeted/src/policy rebuild the policy with 'make
>>>>load'.  This will build and load the new policy directly into memory.
>>>>
>>>>4. If you now do restorecon, the /var/www/*/logs directories should get
>>>>the proper context.
>>>>
>>>>Be aware that if you make another change to SELinux, especially using
>>>>system-config-securitylevel, the file /.autorelabel may get created.
>>>>That triggers a relabeling on reboot, and may hose any manual
>>>>customizations not fixed in policy.
>>>>
>>>>- Karsten
>>>>-- 
>>>>Karsten Wade, RHCE, Tech Writer
>>>>a lemon is just a melon in disguise
>>>>http://people.redhat.com/kwade/
>>>>gpg fingerprint: 2680 DBFD D968 3141 0115  5F1B D992 0E06 AD0E 0C41
>>>>
>>>>--
>>>>fedora-selinux-list mailing list
>>>>fedora-selinux-list at redhat.com
>>>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>>
>>>
>>
>
>  
>
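The thread above amounts to a procedure: add a regex line to a custom .fc file, rebuild with "make load", relabel with restorecon, and, when httpd still will not start, toggle setenforce and read the AVC denials. The script below is an added example written for this archive page; it is not code from Dan, Karsten or Arthur, and it does not touch a live policy (no make load, no restorecon, no setenforce). It assumes the file_contexts matching rules that setfiles/restorecon apply: each pattern is a regular expression anchored at both ends against the full path, and when several entries match, the last one in the file wins. The /var/log/messages lines it parses are constructed to look like FC3-era kernel AVC output and are not from the poster's machine.

```shell
#!/bin/sh
# Added example, not code from the thread. It checks custom file_contexts
# entries the way setfiles/restorecon will interpret them, and pulls the
# useful fields out of AVC denial lines. It runs offline and never touches
# the live policy: "make load" and "restorecon" are left to the real box.

# Assumption (setfiles semantics): every pattern is a regular expression
# anchored at both ends, i.e. matched as ^pattern$ against the whole path,
# and when several entries match, the last one in the file wins.
# fc_matches PATTERN PATH -> exit 0 if PATTERN would label PATH
fc_matches() {
    printf '%s\n' "$2" | grep -Eq -- "^$1\$"
}

# fc_lookup FCFILE PATH -> prints the context of the winning entry,
# exit 1 if nothing matches. The optional file-type column (-d, --, ...)
# is accepted but ignored here.
fc_lookup() {
    ctx=""
    while read -r pat f2 f3; do
        case "$pat" in ''|'#'*) continue ;; esac
        if fc_matches "$pat" "$2"; then ctx=${f3:-$f2}; fi
    done < "$1"
    [ -n "$ctx" ] && printf '%s\n' "$ctx"
}

# Constructed /var/log/messages lines in the shape of FC3-era kernel AVC
# output (not taken from the poster's machine).
SAMPLE_MESSAGES='Dec  2 11:02:13 webmail httpd: httpd startup failed
Dec  2 11:02:13 webmail kernel: audit(1101985333.412:0): avc:  denied  { append } for  pid=3412 exe=/usr/sbin/httpd name=error_log dev=hda2 ino=98765 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_runtime_t tclass=file'

# avc_denials DOMAIN < messages -> "<permission> <target context> <class>"
# per denial whose source domain is DOMAIN. tcontext is the label you have
# to fix; tclass tells you whether it is the file or its directory.
avc_denials() {
    grep -E "avc: +denied .*scontext=[^ ]*:$1 " \
    | sed -E 's/.*[{] ([^}]*) [}].*tcontext=([^ ]+) tclass=([^ ]+).*/\1 \2 \3/'
}

# Walk through the thread's own custom.fc entries against a few paths.
demo() {
    fc=$(mktemp)
    printf '%s\n' \
      '/var/www/.*/logs(/.*)?      system_u:object_r:httpd_log_t' \
      '/var/log/httpd/mail(/.*)?   system_u:object_r:httpd_log_t' > "$fc"
    for p in /var/www/site1/logs/access_log /var/log/httpd/mail \
             /var/www/logs/access_log      /var/log/httpd/mailman; do
        printf '%-34s %s\n' "$p" "$(fc_lookup "$fc" "$p" || echo '(no custom entry)')"
    done
    printf '%s\n' "$SAMPLE_MESSAGES" | avc_denials httpd_t
    rm -f "$fc"
}
demo
```

Two things the demo makes visible that the thread only implies: the entry "/var/log/httpd/mail(/.*)?" already matches the directory itself, so the separate "/var/log/httpd/mail" line in custom.fc is redundant, and "/var/www/.*/logs(/.*)?" needs at least one directory between /var/www and logs, so /var/www/logs would not be covered. When a denial does show up, tcontext (httpd_runtime_t in the constructed line) is the label restorecon has to change, and nothing in the AVC output helps if httpd fails the same way under setenforce 0.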




More information about the fedora-selinux-list mailing list