httpd avc denied problem

Karsten Wade kwade at redhat.com
Tue Nov 30 13:03:51 UTC 2004


On Mon, 2004-11-29 at 16:53, Arthur Stephens wrote:
> > /var/www/, as defined in
> > /etc/selinux/targeted/src/policy/file_contexts/file_contexts:
> 
> OK Mine is  located someplace different
>  /etc/selinux/targeted/context/files/file_contexts

Yeah, it's the same file as the one in the policy sources
(targeted/src/policy), which comes from the
selinux-policy-targeted-sources directory.  You shouldn't need that
unless you have to customize the policy, which doesn't sound necessary
yet.

> > /var/www(/.*)?                  system_u:object_r:httpd_sys_content_t
> >
> > It looks as if the httpd policy needs the logs to be a different type:
> 
> Mine says the same...
> But there is a
> /etc/httpd/logs                        system_u:object_r:httpd_log_t

And this:

/var/log/httpd(/.*)?            system_u:object_r:httpd_log_t

I suppose either would work, since httpd_t can append to httpd_log_t and
httpd_runtime_t.  httpd_log_t looks like the proper one to use.

> But what puzzles me is why only this one log directory....all the others
> like it work...

This is with httpd_unified set to true?  AIUI, it must be set to true,
if httpd_t can append to httpd_sys_content_t.

For 'ls -Z /var/www' are all the directories essentially the same
permissions?  I'm not thinking the problem is regular UNIX permissions
because you got an AVC denial ... something is fishy.

Does it error if you change the type of the log files to httpd_log_t?
I.e.,

  chcon -R -t httpd_log_t /var/www/spokanewines.com/logs/*

Can you send in the avc:  denied errors that you are getting?  I can't
imagine how this would be a policy bug, but it's worth looking into.

- Karsten
> EXAMPLES
> /var/www/arthurstephens.com/logs
> [root at webmail arthurstephens.com]# ls -alZ logs/
> drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
> drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t ..
> -rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t
> access_log
> -rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t
> error_log
> 
> /var/www/cvafoundation.org/logs
> [root at webmail cvafoundation.org]# ls -alZ logs/
> drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
> drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t ..
> -rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t
> access_log
> -rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t
> error_log
> 
> But this one fails...
> /var/www/spokanewines.com/logs
> [root at webmail spokanewines.com]# ls -alZ logs
> drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
> drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t ..
> -rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t
> access_log
> -rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t
> error_log

-- 
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115  5F1B D992 0E06 AD0E 0C41
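An added example, not from the list thread, of the check Karsten is asking for: a POSIX shell function that reads `ls -alZ` output for a vhost logs/ directory (with each file name on the same line as its context), flags entries whose SELinux type is not httpd_log_t, and prints the chcon command that would relabel each one. The sample listing and the directory path are constructed.

```shell
#!/bin/sh
# Added example (not from the list post): audit the SELinux labels of a
# vhost logs/ directory from ls -alZ output and suggest the relabel.

# Constructed sample, laid out like the quoted ls -alZ output; only
# error_log already carries the type httpd_t is allowed to append to.
SAMPLE='drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t ..
-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t access_log
-rw-r--r--  root     root     system_u:object_r:httpd_log_t error_log'

# Usage: check_log_labels DIR < ls-alZ-output
# Prints "DIR/NAME TYPE" for every entry whose type is not httpd_log_t,
# skipping "." and "..". Returns 0 if all labels are right, 1 otherwise.
check_log_labels() {
    dir=$1
    bad=0
    while read -r mode user group ctx name; do
        [ -z "$name" ] && continue
        case "$name" in .|..) continue ;; esac
        setype=${ctx##*:}   # last colon-separated field: the SELinux type
        if [ "$setype" != "httpd_log_t" ]; then
            echo "$dir/$name $setype"
            bad=1
        fi
    done
    return $bad
}

# Usage: suggest_chcon DIR < ls-alZ-output
# Emits the chcon commands a sysadmin would run (printed, not executed).
suggest_chcon() {
    check_log_labels "$1" | while read -r path setype; do
        echo "chcon -t httpd_log_t $path"
    done
}
```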