logo       
<prev   next>

Choosing A Webhost:
A web hosting service is a type of Internet hosting service that allows individuals and organizations to provide their own website accessible via the World Wide Web. Web hosts are companies that provide space on a server they own for use by their clients as well as providing Internet connectivity, typically in a data center. Web hosts can also provide data center space and connectivity to the Internet for servers they do not own to be located in their data center, called colocation. more...

Re: httpd avc denied problem: msg#00140

Subject: Re: httpd avc denied problem 
On Mon, 2004-11-29 at 12:54, Arthur Stephens wrote:
> >> I am new to SELinux and Fedora 3 - setting up a replacement server for
> the one that got hacked
> >> I transfered our websites over and discovered I had to have them all
> under /usr/www/
> 
> >>Who or what does tell you this should be this way? /usr/ is the wrong
> >>place.

This convention has been in place for a while, it's just more challengin
now to have Web files other than in /var/www/.

If you haven't seen this, it might help some more:

http://fedora.redhat.com/docs/selinux-apache-fc3/

Read on for some suggestions.  If you are still stuck, drop by
#fedora-selinux on irc.freenode.net.

> Ok I moved everything under /var/www..
> ran fixfiles
> changed everything under httpd.conf to point to /var/www/...
> I got the same error messages just different directories
> 
> Being desperate to get this working I copied the error_log from a directory
> that was working
> ran fixfiles

This should have worked if you ran 'fixfiles relabel'.  However,
'restorecon -R /var/www/' should achieve the same thing, but much more
quickly.  Still, that will just set the files to the file type set for
/var/www/, as defined in
/etc/selinux/targeted/src/policy/file_contexts/file_contexts:

/var/www(/.*)?                  system_u:object_r:httpd_sys_content_t

It looks as if the httpd policy needs the logs to be a different type:

allow  httpd_t  httpd_runtime_t : file  { create ioctl read getattr lock
write setattr append link unlink rename };
              ^^^^^^ <- that's what we want to see

e.g:

ls /var/log/httpd/ -Z
-rw-r--r--  root   root   root:object_r:httpd_runtime_t    access_log
-rw-r--r--  root   root   root:object_r:httpd_runtime_t    access_log.1
-rw-r--r--  root   root   root:object_r:httpd_runtime_t    access_log.2
-rw-r--r--  root   root   root:object_r:httpd_runtime_t    error_log
-rw-r--r--  root   root   root:object_r:httpd_runtime_t    error_log.1
-rw-r--r--  root   root   root:object_r:httpd_runtime_t    error_log.2
...

You can try:

  chcon -R -t httpd_runtime_t /var/www/*/logs

However, this labeling will likely get wiped out the next time
restorecon or fixfiles relabel is run.

If your intention is to make the logs viewable via public HTTP, you
might try moving them to /var/log/httpd/ and then symlinking the files
to /var/www/*/logs.  The symlinks should be created with
httpd_sys_content_t, which is easily readable (just not neccesarily
writable or appendable) by httpd.  Running restorecon on the moved logs
should make it Just Work (TM).

> and got avc:  denied  { append }
> (13)Permission denied: httpd: could not open error log file
> /var/www/spokanewines.com/logs/error_log.
> Unable to open logs
> 
> [root@webmail ~]# cd /var/www/spokanewines.com/logs/
> [root@webmail logs]# ls -alZ
> drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
> drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t ..
> -rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t
> access_log
> -rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t
> error_log
> 
> I tried to run
> system-config-securitylevel
> but there are no references to Boolean options for Apache HTTP
> just firewall options.

Which version of s-c-sl do you have?  AIUI, the SELinux tab is
automatically populated depending on what is in your policy.  I have
1.4.18-2, fwiw.

Regardless, you can set the Booleans on the command line:

  setsebool httpd_unified true

That is a troubleshooting Boolean you can try.  Still, your setup should
work, if it's just httpd trying to append to the httpd logs, and they
are labeled correctly and/or in the correct location.  Still, I'm 
certain that httpd_t can't append to a file that is set to
httpd_sys_content_t unless httpd_unified is enabled.  This makes me
think that your log files are still labeled incorrectly.

If all of this fails, you can turn off the SELinux protection for just
Apache by using:

  setsebool httpd_disable_trans true

That will disable the transition for httpd, so it will run in the
unconfined_t domain like the rest of the non-SELinux protected daemons. 
If you do that, please don't give up troubleshooting!  Your situation
should work, and if it doesn't, we all want to figure out why. :)

- Karsten
-- 
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115  5F1B D992 0E06 AD0E 0C41
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: /etc/rc.sysinit: restorecon being run even when selinux disabled, Bill Nottingham
Next by Date:  Re: httpd avc denied problem, Arthur Stephens
Previous by Thread:  Re: httpd avc denied problem, Arthur Stephens
Next by Thread:  Re: httpd avc denied problem, Arthur Stephens
Indexes:  [Date] [Thread] [Top] [All Lists]

Google Custom Search
Recently Viewed:
qnx.openqnx.dev...    gcc.libstdc++.c...    solaris.opensol...    information-ret...    misc.misterhous...    web.catalyst.ge...    apache.webservi...    redhat.release....    hardware.lirc/2...    kernel.autofs/2...    technology.sust...    linux.vdr/2003-...    editors.lyx.gen...    org.user-groups...    netbsd.devel.pk...    xdg.devel/2004-...    version-control...    jakarta.slide.d...    debian.packages...    creativecommons...    ports.ppc.embed...    bug-tracking.bu...   
Home | blog view | USPTO Patent Archive | advertise | OSDir is an inevitable website. super tiny logo

Free Magazines

Cisco News
Receive a free quarterly e-newsletter with exclusive articles on how Cisco IT uses its own products and solutions to enable the business.
subscribe

Systems Management News, the newspaper for IT systems administration and data center managers! Each issue of Systems Management News is chock-full of news and analysis to help you understand what's happening in your field.
subscribe

The Enterprise Newsweekly eWeek is the essential technology information source for builders of e-business.
subscribe

Oracle Magazine Oracle Magazine contains technology strategy articles, sample code, tips, Oracle and partner news, how to articles for developers and DBAs, and more. Oracle (NASDAQ: ORCL) is the world's largest enterprise software company.
subscribe

Total Telecom Total Telecom is "The Economist of the communications industry".
subscribe

Navigation