problem with selinux-policy-targeted FC3

Bob Kashani bobk at ocf.berkeley.edu
Sun Jun 19 05:46:49 UTC 2005


On Sun, 2005-06-19 at 02:30 +0200, Peter Magnusson wrote:
> I run FC3 on a box. I have selinux enabled. Last selinux-policy-targeted 
> fucked up so my webserver didn't start, I think it's very irresponsible of 
> the fedora team to fuck up a lot of people's httpds like this.
> I have:
> apt-get update &>/dev/null
> apt-get upgrade -y
> in cron.daily.
> 
> I have many vhosts. All are in /www like /www/domain1.net /www/domain2.net
> and so on. If it matters, it's NFS exported to another computer running FC3.
> No, I don't wanna move it to /var/www .
> 
> It would say:
> 
> Jun 19 00:32:27 sysbabe httpd: Warning: DocumentRoot [/www/eurobeat.se] 
> does not exist
> Jun 19 00:32:27 sysbabe kernel: audit(1119133946.358:0): avc:  denied  { 
> search } for  pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2 
> scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t 
> tclass=dir
> Jun 19 00:32:27 sysbabe httpd: Warning: DocumentRoot [/www/eurobeat.se] 
> does not exist
> Jun 19 00:32:27 sysbabe kernel: audit(1119133946.358:0): avc:  denied  { 
> search } for  pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2 
> scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t 
> tclass=dir
> Jun 19 00:32:27 sysbabe httpd: Warning: DocumentRoot [/www/eurobeat.se] 
> does not exist
> Jun 19 00:32:27 sysbabe kernel: audit(1119133946.359:0): avc:  denied  { 
> search } for  pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2 
> scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t 
> tclass=dir
> Jun 19 00:32:27 sysbabe httpd: Warning: DocumentRoot [/www/eurobeat.se] 
> does not exist
> Jun 19 00:32:27 sysbabe kernel: audit(1119133946.361:0): avc:  denied  { 
> search } for  pid=30644 exe=/usr/sbin/httpd name=/ dev=hda2 ino=2 
> scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t 
> tclass=dir
> 
> on EACH subdir inside /www. I know nothing about selinux, only restorecon. 
> I tried restorecon -R /www/ but it didn't help.
> 
> I got some help on IRC (thanks again) and did
> setsebool -P httpd_disable_trans 1 and now the webserver at least works. But 
> I guess the PROPER way would be to set system_r:httpd_t perms on all files 
> inside /www? But how do I do that without rebooting?
> touch /.autorelabel and reboot... is a reboot.

Hrmm...all my www dirs are labeled either as: 

system_u:object_r:httpd_sys_content_t
or
user_u:object_r:httpd_user_content_t

To change the selinux context you can use "chcon":

chcon -R system_u:object_r:httpd_sys_content_t www

Bob

-- 
Bob Kashani
http://www.ocf.berkeley.edu/~bobk/garnome



