Re: httpd avc denied problem: msg#00144

Subject: Re: httpd avc denied problem
Oops.. I forgot to check /var/log/httpd/error_log
Before
(13)Permission denied: httpd: could not open error log file
/var/www/spokanewines.com/logs/error_log.
Unable to open logs
After
(13)Permission denied: httpd: could not open error log file
/var/www/tangleheart.com/logs/error_log.
Unable to open logs

Looks like it just switched to another directory....hmmmm

----- Original Message ----- 
From: "Daniel J Walsh" <dwalsh@xxxxxxxxxx>
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list@xxxxxxxxxx>
Sent: Tuesday, November 30, 2004 11:25 AM
Subject: Re: httpd avc denied problem


> Arthur Stephens wrote:
>
> >----- Original Message ----- 
> >From: "Karsten Wade" <kwade@xxxxxxxxxx>
> >To: "Fedora SELinux support list for users & developers."
> ><fedora-selinux-list@xxxxxxxxxx>
> >Sent: Tuesday, November 30, 2004 5:03 AM
> >Subject: Re: httpd avc denied problem
> >
> >
> >
> >
> >>On Mon, 2004-11-29 at 16:53, Arthur Stephens wrote:
> >>
> >>
> >>>>/var/www/, as defined in
> >>>>/etc/selinux/targeted/src/policy/file_contexts/file_contexts:
> >>>>
> >>>>
> >>>OK Mine is  located someplace different
> >>> /etc/selinux/targeted/context/files/file_contexts
> >>>
> >>>
> >>Yeah, it's the same file as the one in the policy sources
> >>(targeted/src/policy), which comes from the
> >>selinux-policy-targeted-sources directory.  You shouldn't need that
> >>unless you have to customize the policy, which doesn't sound necessary
> >>yet.
> >>
> >>
> >>
> >>>>/var/www(/.*)?                  system_u:object_r:httpd_sys_content_t
> >>>>
> >>>>It looks as if the httpd policy needs the logs to be a different type:
> >>>>
> >>>>
> >>>Mine says the same...
> >>>But there is a
> >>>/etc/httpd/logs                        system_u:object_r:httpd_log_t
> >>>
> >>>
> >>And this:
> >>
> >>/var/log/httpd(/.*)?            system_u:object_r:httpd_log_t
> >>
> >>I suppose either would work, since httpd_t can append to httpd_log_t and
> >>httpd_runtime_t.  httpd_log_t looks like the proper one to use.
> >>
> >>
> >>
> >>>But what puzzles me is why only this one log directory....all the
> >>>others like it work...
> >>>
> >>>
> >>This is with httpd_unified set to true?
> >>
> >>
> >
> >Yes actually mine says "active"
> >
> >>AIUI, it must be set to true,
> >>if httpd_t can append to httpd_sys_content_t.
> >>
> >>For 'ls -Z /var/www' are all the directories essentially the same
> >>permissions?  I'm not thinking the problem is regular UNIX permissions
> >>because you got an AVC denial ... something is fishy.
> >>
> >>
> >
> >ls -Z /var/www
> >drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t aha
> >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t arthurstephens.com
> >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t birdshield.com
> >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_script_exec_t cgi-bin
> >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t charlieh
> >drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t cvafoundation.org
> >drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t davidh
> >drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t digitalcreations
> >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t error
> >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t html
> >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t icons
> >drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t jjakober
> >drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t kodiaks
> >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t lindarosephoto.com
> >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t lwccspokane.org
> >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t manual
> >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t pteraweb
> >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t ptootie
> >drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t punisher
> >drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t spokanewines.com
> >drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t stevefm
> >drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t suetkr
> >drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t tangleheart.com
> >drwxr-xr-x  webalize root     system_u:object_r:httpd_sys_content_t usage
> >drwxrwxrwx  apache   apache   system_u:object_r:httpd_sys_content_t wag1designs
> >
> >
> >
> >>Does it error if you change the type of the log files to httpd_log_t?
> >>I.e.,
> >>
> >>  chcon -R -t httpd_log_t /var/www/spokanewines.com/logs/*
> >>
> >>
> >
> >Issued the above command and then service httpd start
> >
> >Nov 30 13:31:29 webmail kernel: audit(1101850289.759:0): avc:  denied  { append } for  pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0 ino=552157 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
> >Nov 30 13:31:29 webmail httpd: httpd startup failed
> >
> >ls -Z /var/www/spokanewines.com/logs
> >-rw-r--r--  root     root     system_u:object_r:httpd_log_t    access_log
> >-rw-r--r--  root     root     system_u:object_r:httpd_log_t    error_log
> >
> >
>
> Are you sure this error_log is the one represented by  ino=552157???
>
> >
> >
> >>Can you send in the avc:  denied errors that you are getting?  I can't
> >>imagine how this would be a policy bug, but it's worth looking into.
> >>
> >>- Karsten
> >>
> >>
> >>>EXAMPLES
> >>>/var/www/arthurstephens.com/logs
> >>>[root@webmail arthurstephens.com]# ls -alZ logs/
> >>>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
> >>>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t ..
> >>>-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t access_log
> >>>-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t error_log
> >>>
> >>>/var/www/cvafoundation.org/logs
> >>>[root@webmail cvafoundation.org]# ls -alZ logs/
> >>>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
> >>>drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t ..
> >>>-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t access_log
> >>>-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t error_log
> >>>
> >>>But this one fails...
> >>>/var/www/spokanewines.com/logs
> >>>[root@webmail spokanewines.com]# ls -alZ logs
> >>>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
> >>>drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t ..
> >>>-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t access_log
> >>>-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t error_log
> >>>
> >>>
> >>-- 
> >>Karsten Wade, RHCE, Tech Writer
> >>a lemon is just a melon in disguise
> >>http://people.redhat.com/kwade/
> >>gpg fingerprint: 2680 DBFD D968 3141 0115  5F1B D992 0E06 AD0E 0C41
> >>
> >>--
> >>fedora-selinux-list mailing list
> >>fedora-selinux-list@xxxxxxxxxx
> >>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >>
> >>
> >
> >--
> >fedora-selinux-list mailing list
> >fedora-selinux-list@xxxxxxxxxx
> >http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >
> >
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
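
Added example, not part of the thread: the check behind the question about ino=552157 is to compare the type in the denial's tcontext with the label on the file that was relabeled and, when they differ, look the inode up on disk. The function names and the search root are assumptions made for this sketch; the sample record is the denial quoted above, joined onto one line.

```shell
#!/bin/sh
# Added example, not from the thread: tie an AVC denial to the file it names.

# Constructed input: the denial quoted in the message above, on one line.
SAMPLE_AVC='audit(1101850289.759:0): avc:  denied  { append } for  pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0 ino=552157 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file'

# avc_field RECORD KEY: print the value of the first KEY=value token.
# Assumes values contain no spaces, as in the record above.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# avc_type CONTEXT: print the type, the third field of user:role:type.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_label_matches RECORD CONTEXT: succeed when the denied target's type
# equals the type in CONTEXT (e.g. the label column that ls -Z shows).
# A mismatch means the denial is about some other file.
avc_label_matches() {
    [ "$(avc_type "$(avc_field "$1" tcontext)")" = "$(avc_type "$2")" ]
}

# avc_find_target RECORD ROOT: print paths under ROOT whose inode number
# and name match the record. -xdev stays on one filesystem because inode
# numbers are unique only per device (the record's dev= field).
avc_find_target() {
    ino=$(avc_field "$1" ino)
    name=$(avc_field "$1" name)
    [ -n "$ino" ] && [ -n "$name" ] || return 1
    find "$2" -xdev -inum "$ino" -name "$name" 2>/dev/null
}
```

With the record above, `avc_label_matches "$SAMPLE_AVC" system_u:object_r:httpd_log_t` fails, which is the signal to run `avc_find_target "$SAMPLE_AVC" /var/www` and inspect whatever path it prints with `ls -Z`.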


