problem with selinux-policy-targeted FC3
Bob Kashani
bobk at ocf.berkeley.edu
Sun Jun 19 05:46:49 UTC 2005
On Sun, 2005-06-19 at 02:30 +0200, Peter Magnusson wrote:
> I run FC3 on a box. I have selinux enabled. Last selinux-policy-targeted
> fucked up so my webserver didn't start, I think it's very irresponsible of
> the fedora team to fuck up a lot of people's httpds like this.
> I have;
> apt-get update &>/dev/null
> apt-get upgrade -y
> in cron.daily.
>
> I have many vhosts. All are in /www like /www/domain1.net /www/domain2.net
> and so on. If it matters, it's NFS exported to another computer running FC3.
> No, I don't wanna move it to /var/www .
>
> It would say;
>
> Jun 19 00:32:27 sysbabe httpd: Warning: DocumentRoot [/www/eurobeat.se]
> does not exist
> Jun 19 00:32:27 sysbabe kernel: audit(1119133946.358:0): avc: denied {
> search } for pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2
> scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t
> tclass=dir
> Jun 19 00:32:27 sysbabe httpd: Warning: DocumentRoot [/www/eurobeat.se]
> does not exist
> Jun 19 00:32:27 sysbabe kernel: audit(1119133946.358:0): avc: denied {
> search } for pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2
> scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t
> tclass=dir
> Jun 19 00:32:27 sysbabe httpd: Warning: DocumentRoot [/www/eurobeat.se]
> does not exist
> Jun 19 00:32:27 sysbabe kernel: audit(1119133946.359:0): avc: denied {
> search } for pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2
> scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t
> tclass=dir
> Jun 19 00:32:27 sysbabe httpd: Warning: DocumentRoot [/www/eurobeat.se]
> does not exist
> Jun 19 00:32:27 sysbabe kernel: audit(1119133946.361:0): avc: denied {
> search } for pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2
> scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t
> tclass=dir
>
> on EACH subdir inside /www. I know nothing about selinux, only restorecon.
> I tried restorecon -R /www/ but it didn't help.
>
> I got some help on irc (thanks again) and did
> setsebool -P httpd_disable_trans 1 and now the webserver at least works. But
> I guess the PROPER way would be to set system_r:httpd_t perms on all files
> inside /www ? But how do I do that without rebooting?
> touch /.autorelabel and reboot... is a reboot.

Hrmm...all my www dirs are labeled either as:

system_u:object_r:httpd_sys_content_t

or

user_u:object_r:httpd_user_content_t

To change the selinux context you can use "chcon":

chcon -R system_u:object_r:httpd_sys_content_t www

Bob

--
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome