
Re: httpd avc denied problem



Arthur Stephens wrote:

Ok that solved that problem but showed up another one.
I have a folder under /var/log/httpd
called /mail
which I put logs messages that come from Squirrel mail
httpd fails with this informative message...
'Unable to open logs'
/var/log/messages
'httpd: httpd startup failed'

I look at the /var/log/httpd directory and I do see this folder I created is
labeled differently
[root webmail ~]# ls -Z /var/log/httpd/
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    access_log
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    access_log.1
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    error_log
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    error_log.1
drwxr-xr-x  root     root    system_u:object_r:httpd_log_t        mail
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    ssl_access_log
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    ssl_error_log
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    ssl_error_log.1
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    ssl_request_log

And here is what I have in my custom.fc
/var/www/.*/logs(/.*)?            system_u:object_r:httpd_log_t
/var/log/httpd/mail(/.*)?               system_u:object_r:httpd_log_t
/var/log/httpd/mail                     system_u:object_r:httpd_log_t

[root webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r--  root     root     root:object_r:httpd_runtime_t    error_log

After running fixfile relabel
[root webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    error_log

service httpd start
httpd fails with this informative message...
'Unable to open logs'
/var/log/messages
'httpd: httpd startup failed'

So I am right in thinking at this point the problem is no longer with
selinux?


I have no idea,

type
setenforce 0
service httpd start

If this works, then the problem is SELinux, if not then it probably is not SELinux.

setenforce 0 turns off selinux protection. setenforce 1 turns it back on.

Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens ptera net
509-927-Ptera

----- Original Message ----- From: "Daniel J Walsh" <dwalsh redhat com>
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list redhat com>
Sent: Thursday, December 02, 2004 10:46 AM
Subject: Re: httpd avc denied problem





Arthur Stephens wrote:



I installed the policy sources on my fedora core 3. :)
Got to step one
Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts

There is no such file  :(
[root webmail ~]# ls /etc/selinux/targeted/src/policy/file_contexts/
distros.fc  misc  program  types.fc
[root webmail ~]#




Ok create a file in the misc directory called custom.fc, file_context
file is only created via the make file.

echo "/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t" >> misc/customer.fc


Then rebuild policy

make load
Now restorecon





Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens ptera net
509-927-Ptera

----- Original Message ----- From: "Karsten Wade" <kwade redhat com>
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list redhat com>
Sent: Tuesday, November 30, 2004 2:01 PM
Subject: Re: httpd avc denied problem







On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:





chcon -R -t httpd_log_t /var/www/*/logs/*
service httpd start




BTW, if this works, you'll want to do something to make the change
permanent.  Otherwise, the next running of restorecon will hose your
configuration.

Two options jump to mind:

* Move the logs into a path that will receive httpd_log_t, i.e.,
/var/logs/httpd/

* Install the policy sources (yum install
selinux-policy-targeted-sources), and do the following:

1. Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts

2. Add this line:
/var/www/.*/logs(/.*)?            system_u:object_r:httpd_log_t

Feel free to correct my regexp, but I think it's right. :)

3. In /etc/selinux/targeted/src/policy rebuild the policy with 'make
load'.  This will build and load the new policy directly into memory.

4. If you now do restorecon, the /var/www/*/logs directories should get
the proper context.

Be aware that if you make another change to SELinux, especially using
system-config-securitylevel, the file /.autorelabel may get created.
That triggers a relabeling on reboot, and may hose any manual
customizations not fixed in policy.

- Karsten
--
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115  5F1B D992 0E06 AD0E 0C41

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
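
Added example, not part of the original thread: a simplified Python model of how a file-context lookup picks an entry for a path, run against the three custom.fc lines quoted above. It assumes the usual matching rules (each regex is anchored to the whole path, entries without regex metacharacters take priority, and otherwise the last matching entry wins); the function names are hypothetical and only these three entries are modelled, not the distribution's full file_contexts.

```python
import re

# Constructed sample: the three custom.fc entries quoted in the thread.
CUSTOM_FC = """\
/var/www/.*/logs(/.*)?            system_u:object_r:httpd_log_t
/var/log/httpd/mail(/.*)?               system_u:object_r:httpd_log_t
/var/log/httpd/mail                     system_u:object_r:httpd_log_t
"""

# Characters that make an entry a regex rather than a literal path.
META = set(".^$?*+|[({\\")


def parse_fc(text):
    """Parse 'pathregex [-type] context' lines, skipping blanks and comments."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        pattern, context = fields[0], fields[-1]
        has_meta = any(ch in META for ch in pattern)
        specs.append((pattern, context, has_meta))
    # Stable sort: regex entries first, literal entries last, file order kept.
    specs.sort(key=lambda spec: not spec[2])
    return specs


def lookup(specs, path):
    """Return (pattern, context) of the winning entry, or None if unlabeled here."""
    # Walk from the end so literal entries and later regexes win.
    for pattern, context, _ in reversed(specs):
        if re.fullmatch(pattern, path):  # anchored at both ends
            return pattern, context
    return None


if __name__ == "__main__":
    specs = parse_fc(CUSTOM_FC)
    for path in ("/var/log/httpd/mail",
                 "/var/log/httpd/mail/error_log",
                 "/var/www/site1/logs/access_log",
                 "/var/www/logs",
                 "/var/log/httpd/mailbox"):
        print(path, "->", lookup(specs, path))
```

The last two sample paths come back as None: the first pattern needs a directory level between /var/www/ and /logs, and the anchoring keeps /var/log/httpd/mailbox from matching the mail entries, so such paths fall through to whatever the rest of the policy assigns.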



