httpd avc denied problem

Daniel J Walsh dwalsh at redhat.com
Tue Nov 30 22:05:24 UTC 2004


Karsten Wade wrote:

>On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
>
>>  chcon -R -t httpd_log_t /var/www/*/logs/*
>>  service httpd start
>
>BTW, if this works, you'll want to do something to make the change
>permanent.  Otherwise, the next running of restorecon will hose your
>configuration.
>
>Two options jump to mind:
>
>* Move the logs into a path that will receive httpd_log_t, i.e.,
>/var/logs/httpd/
>
>* Install the policy sources (yum install
>selinux-policy-targeted-sources), and do the following:
>
>1. Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
>
>2. Add this line:
>/var/www/.*/logs(/.*)?            system_u:object_r:httpd_log_t
>
>Feel free to correct my regexp, but I think it's right. :)
>
>3. In /etc/selinux/targeted/src/policy rebuild the policy with 'make
>load'.  This will build and load the new policy directly into memory.
>
>4. If you now do restorecon, the /var/www/*/logs directories should get
>the proper context.
>
>Be aware that if you make another change to SELinux, especially using
>system-config-securitylevel, the file /.autorelabel may get created. 
>That triggers a relabeling on reboot, and may hose any manual
>customizations not fixed in policy.
>
>- Karsten
>
/.autorelabel will only get created when switching from one type of 
policy to another (strict <--> targeted)


Looking back on this chain, it seems that if he had httpd_unified set it 
should have been able to write to the log files anyways.
This might be a bug in policy?
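
One way to check the file_contexts regexp proposed in the quoted message against sample paths, as an added example that is not part of the original thread. It assumes each regexp is matched against the whole path and that the last matching entry wins; the `/var/www(/.*)?` entry and every path are constructed samples.

```python
import re

# Constructed sample in file_contexts layout (regexp, then context).
# Only the second entry is the line proposed in the thread; the first is
# an assumed pre-existing default for /var/www.
SAMPLE_FILE_CONTEXTS = """\
/var/www(/.*)?                    system_u:object_r:httpd_sys_content_t
/var/www/.*/logs(/.*)?            system_u:object_r:httpd_log_t
"""

def parse_entries(text):
    """Parse 'regexp [file-type] context' lines, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            # An optional file-type field (such as -d) may sit in the middle.
            entries.append((re.compile(fields[0]), fields[-1]))
    return entries

def label_for(path, entries):
    """Context of the last entry whose regexp matches the whole path.

    Simplification: real precedence rules are more involved; whole-path
    anchoring and last-match-wins are assumptions of this sketch.
    """
    context = None
    for regexp, ctx in entries:
        if regexp.fullmatch(path):
            context = ctx
    return context

ENTRIES = parse_entries(SAMPLE_FILE_CONTEXTS)

# Constructed paths covering the intended case and the edge cases.
SAMPLE_PATHS = [
    "/var/www/site1/logs",                 # the logs directory itself
    "/var/www/site1/logs/access_log",      # the intended target
    "/var/www/site1/html/app/logs/x.log",  # '.*' also spans nested directories
    "/var/www/site1/logs-old/access_log",  # similar name, must not match
    "/var/www/logs/access_log",            # no per-site directory level
    "/srv/www/site1/logs/access_log",      # outside /var/www entirely
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:40} {label_for(p, ENTRIES)}")
```

Because `.*` also matches slashes, the entry labels any directory named `logs` at any depth below a site directory, which is broader than the `chcon` glob `/var/www/*/logs/*` used earlier in the thread.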




More information about the fedora-selinux-list mailing list