
Re: httpd avc denied problem: msg#00142

Subject: Re: httpd avc denied problem
On Mon, 2004-11-29 at 16:53, Arthur Stephens wrote:
> > /var/www/, as defined in
> > /etc/selinux/targeted/src/policy/file_contexts/file_contexts:
> 
> OK Mine is  located someplace different
>  /etc/selinux/targeted/context/files/file_contexts

Yeah, it's the same file as the one in the policy sources
(targeted/src/policy), which comes from the
selinux-policy-targeted-sources directory.  You shouldn't need that
unless you have to customize the policy, which doesn't sound necessary
yet.

> > /var/www(/.*)?                  system_u:object_r:httpd_sys_content_t
> >
> > It looks as if the httpd policy needs the logs to be a different type:
> 
> Mine says the same...
> But there is a
> /etc/httpd/logs                        system_u:object_r:httpd_log_t

And this:

/var/log/httpd(/.*)?            system_u:object_r:httpd_log_t

I suppose either would work, since httpd_t can append to httpd_log_t and
httpd_runtime_t.  httpd_log_t looks like the proper one to use.

> But what puzzles me is why only this one log directory....all the others
> like it work...

This is with httpd_unified set to true?  AIUI, it must be set to true,
if httpd_t can append to httpd_sys_content_t.

For 'ls -Z /var/www' are all the directories essentially the same
permissions?  I'm not thinking the problem is regular UNIX permissions
because you got an AVC denial ... something is fishy.

Does it error if you change the type of the log files to httpd_log_t? 
I.e., 

  chcon -R -t httpd_log_t /var/www/spokanewines.com/logs/*

Can you send in the avc:  denied errors that you are getting?  I can't
imagine how this would be a policy bug, but it's worth looking into.

- Karsten
> EXAMPLES
> /var/www/arthurstephens.com/logs
> [root@webmail arthurstephens.com]# ls -alZ logs/
> drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
> drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t ..
> -rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t access_log
> -rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t error_log
> 
> /var/www/cvafoundation.org/logs
> [root@webmail cvafoundation.org]# ls -alZ logs/
> drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
> drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t ..
> -rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t access_log
> -rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t error_log
> 
> But this one fails...
> /var/www/spokanewines.com/logs
> [root@webmail spokanewines.com]# ls -alZ logs
> drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
> drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t ..
> -rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t access_log
> -rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t error_log

-- 
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115  5F1B D992 0E06 AD0E 0C41
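
Added example, not part of the original message: a small shell helper for comparing the SELinux type of each entry in a per-site logs directory against the type the thread suggests for logs (httpd_log_t). The function names and the sample listing are constructed for illustration; the listing mimics the `ls -alZ` layout quoted above, with one file already relabelled.

```shell
#!/usr/bin/env bash
# Added example: report entries in an `ls -Z` style listing whose SELinux
# type differs from the expected one. Names here are illustrative only.

# audit_types EXPECTED_TYPE < listing
# Prints "<name> <type>" for every entry whose type is not EXPECTED_TYPE.
# The context token (user:role:type[:level]) is located by shape rather
# than by column, so both the older "mode user group context name" layout
# and layouts with extra columns are handled. File names containing
# whitespace are not handled (the last field is taken as the name).
audit_types() {
    awk -v want="$1" '
        {
            for (i = 1; i < NF; i++) {
                n = split($i, part, ":")
                # A context has >= 3 parts and its role ends in "_r";
                # this skips time stamps such as 16:53.
                if (n >= 3 && part[2] ~ /_r$/) {
                    name = $NF
                    # The parent directory is outside the logs tree.
                    if (name != ".." && part[3] != want)
                        print name, part[3]
                    next
                }
            }
        }'
}

# Constructed sample input, modelled on the listings quoted in the thread.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t ..
-rw-r--r--  root     root     system_u:object_r:httpd_log_t access_log
-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t error_log
EOF
}

# Stand-alone run: lists the directory itself and error_log as mislabelled.
sample_listing | audit_types httpd_log_t
```

On a live system the same function can be fed real output, for example `ls -alZ /var/www/spokanewines.com/logs | audit_types httpd_log_t`, before and after the `chcon` suggested above.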


