I am new to SELinux and Fedora 3 - setting up a replacement server for the one that got hacked.
I transferred our websites over and discovered I had to have them all under /usr/www/
Who or what tells you it should be this way? /usr/ is the wrong place.
Ok, I moved everything under /var/www, ran fixfiles and changed everything in httpd.conf to point to /var/www/... I got the same error messages, just different directories.
Being desperate to get this working I copied the error_log from a directory that was working, ran fixfiles and got:
avc: denied { append } (13)Permission denied: httpd: could not open error log file /var/www/spokanewines.com/logs/error_log. Unable to open logs
[root@webmail ~]# cd /var/www/spokanewines.com/logs/
[root@webmail logs]# ls -alZ
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t .
drwxrwxrwx  root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t access_log
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t error_log
I tried to run system-config-securitylevel but there are no references to Boolean options for Apache HTTP, just firewall options.
Arthur Stephens Sales Technician Ptera Wireless Internet astephens@ptera.net 509-927-Ptera
----- Original Message ----- From: "Alexander Dalloz" ad+lists@uni-x.org To: "For users of Fedora Core releases" fedora-list@redhat.com Sent: Monday, November 29, 2004 11:25 AM Subject: Re: httpd avc denied problem
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
On Mon, 2004-11-29 at 12:54, Arthur Stephens wrote:
I am new to SELinux and Fedora 3 - setting up a replacement server for the one that got hacked.
I transferred our websites over and discovered I had to have them all under /usr/www/
Who or what tells you it should be this way? /usr/ is the wrong place.
This convention has been in place for a while, it's just more challenging now to have Web files other than in /var/www/.
If you haven't seen this, it might help some more:
http://fedora.redhat.com/docs/selinux-apache-fc3/
Read on for some suggestions. If you are still stuck, drop by #fedora-selinux on irc.freenode.net.
Ok, I moved everything under /var/www, ran fixfiles and changed everything in httpd.conf to point to /var/www/... I got the same error messages, just different directories.
Being desperate to get this working I copied the error_log from a directory that was working, ran fixfiles
This should have worked if you ran 'fixfiles relabel'. However, 'restorecon -R /var/www/' should achieve the same thing, but much more quickly. Still, that will just set the files to the file type set for /var/www/, as defined in /etc/selinux/targeted/src/policy/file_contexts/file_contexts:
/var/www(/.*)? system_u:object_r:httpd_sys_content_t
It looks as if the httpd policy needs the logs to be a different type:
allow httpd_t httpd_runtime_t : file { create ioctl read getattr lock write setattr append link unlink rename };
                                                                                    ^^^^^^ <- that's what we want to see
e.g:
ls /var/log/httpd/ -Z
-rw-r--r--  root root root:object_r:httpd_runtime_t access_log
-rw-r--r--  root root root:object_r:httpd_runtime_t access_log.1
-rw-r--r--  root root root:object_r:httpd_runtime_t access_log.2
-rw-r--r--  root root root:object_r:httpd_runtime_t error_log
-rw-r--r--  root root root:object_r:httpd_runtime_t error_log.1
-rw-r--r--  root root root:object_r:httpd_runtime_t error_log.2
...
You can try:
chcon -R -t httpd_runtime_t /var/www/*/logs
However, this labeling will likely get wiped out the next time restorecon or fixfiles relabel is run.
If your intention is to make the logs viewable via public HTTP, you might try moving them to /var/log/httpd/ and then symlinking the files to /var/www/*/logs. The symlinks should be created with httpd_sys_content_t, which is easily readable (just not necessarily writable or appendable) by httpd. Running restorecon on the moved logs should make it Just Work (TM).
and got:
avc: denied { append } (13)Permission denied: httpd: could not open error log file /var/www/spokanewines.com/logs/error_log. Unable to open logs
[root@webmail ~]# cd /var/www/spokanewines.com/logs/
[root@webmail logs]# ls -alZ
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t .
drwxrwxrwx  root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t access_log
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t error_log
I tried to run system-config-securitylevel but there are no references to Boolean options for Apache HTTP, just firewall options.
Which version of s-c-sl do you have? AIUI, the SELinux tab is automatically populated depending on what is in your policy. I have 1.4.18-2, fwiw.
Regardless, you can set the Booleans on the command line:
setsebool httpd_unified true
That is a troubleshooting Boolean you can try. Still, your setup should work, if it's just httpd trying to append to the httpd logs, and they are labeled correctly and/or in the correct location. Still, I'm certain that httpd_t can't append to a file that is set to httpd_sys_content_t unless httpd_unified is enabled. This makes me think that your log files are still labeled incorrectly.
If all of this fails, you can turn off the SELinux protection for just Apache by using:
setsebool httpd_disable_trans true
That will disable the transition for httpd, so it will run in the unconfined_t domain like the rest of the non-SELinux protected daemons. If you do that, please don't give up troubleshooting! Your situation should work, and if it doesn't, we all want to figure out why. :)
- Karsten
If you haven't seen this, it might help some more:
I was here but nothing there explained what was going on.
/var/www/, as defined in /etc/selinux/targeted/src/policy/file_contexts/file_contexts:
OK Mine is located someplace different /etc/selinux/targeted/context/files/file_contexts
/var/www(/.*)? system_u:object_r:httpd_sys_content_t
It looks as if the httpd policy needs the logs to be a different type:
Mine says the same... But there is a /etc/httpd/logs system_u:object_r:httpd_log_t
But what puzzles me is why only this one log directory... all the others like it work...
EXAMPLES
/var/www/arthurstephens.com/logs
[root@webmail arthurstephens.com]# ls -alZ logs/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t .
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t access_log
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t error_log
/var/www/cvafoundation.org/logs
[root@webmail cvafoundation.org]# ls -alZ logs/
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t .
drwxrwxrwx  root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t access_log
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t error_log
But this one fails...
/var/www/spokanewines.com/logs
[root@webmail spokanewines.com]# ls -alZ logs
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t .
drwxrwxrwx  root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t access_log
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t error_log
If all of this fails, you can turn off the SELinux protection for just Apache by using:
setsebool httpd_disable_trans true
That will disable the transition for httpd, so it will run in the unconfined_t domain like the rest of the non-SELinux protected daemons. If you do that, please don't give up troubleshooting! Your situation should work, and if it doesn't, we all want to figure out why. :)
This would be the quickie fix, but the main reason I am rebuilding these systems is because they keep getting rootkitted/hacked.
I am under pressure from above to lock these things down.
Arthur Stephens Sales Technician Ptera Wireless Internet astephens@ptera.net 509-927-Ptera
On Mon, 2004-11-29 at 16:53, Arthur Stephens wrote:
/var/www/, as defined in /etc/selinux/targeted/src/policy/file_contexts/file_contexts:
OK Mine is located someplace different /etc/selinux/targeted/context/files/file_contexts
Yeah, it's the same file as the one in the policy sources (targeted/src/policy), which comes from the selinux-policy-targeted-sources directory. You shouldn't need that unless you have to customize the policy, which doesn't sound necessary yet.
/var/www(/.*)? system_u:object_r:httpd_sys_content_t
It looks as if the httpd policy needs the logs to be a different type:
Mine says the same... But there is a /etc/httpd/logs system_u:object_r:httpd_log_t
And this:
/var/log/httpd(/.*)? system_u:object_r:httpd_log_t
I suppose either would work, since httpd_t can append to httpd_log_t and httpd_runtime_t. httpd_log_t looks like the proper one to use.
But what puzzles me is why only this one log directory....all the others like it work...
This is with httpd_unified set to true? AIUI, it must be set to true, if httpd_t can append to httpd_sys_content_t.
For 'ls -Z /var/www' are all the directories essentially the same permissions? I'm not thinking the problem is regular UNIX permissions because you got an AVC denial ... something is fishy.
Does it error if you change the type of the log files to httpd_log_t? I.e.,
chcon -R -t httpd_log_t /var/www/spokanewines.com/logs/*
Can you send in the avc: denied errors that you are getting? I can't imagine how this would be a policy bug, but it's worth looking into.
- Karsten
----- Original Message ----- From: "Karsten Wade" kwade@redhat.com To: "Fedora SELinux support list for users & developers." fedora-selinux-list@redhat.com Sent: Tuesday, November 30, 2004 5:03 AM Subject: Re: httpd avc denied problem
This is with httpd_unified set to true?
Yes actually mine says "active"
AIUI, it must be set to true,
if httpd_t can append to httpd_sys_content_t.
For 'ls -Z /var/www' are all the directories essentially the same permissions? I'm not thinking the problem is regular UNIX permissions because you got an AVC denial ... something is fishy.
ls -Z /var/www
drwxrwxrwx  root     root   system_u:object_r:httpd_sys_content_t     aha
drwxr-xr-x  root     root   system_u:object_r:httpd_sys_content_t     arthurstephens.com
drwxr-xr-x  root     root   system_u:object_r:httpd_sys_content_t     birdshield.com
drwxr-xr-x  root     root   system_u:object_r:httpd_sys_script_exec_t cgi-bin
drwxr-xr-x  root     root   system_u:object_r:httpd_sys_content_t     charlieh
drwxrwxrwx  root     root   system_u:object_r:httpd_sys_content_t     cvafoundation.org
drwxrwxrwx  root     root   system_u:object_r:httpd_sys_content_t     davidh
drwxrwxrwx  root     root   system_u:object_r:httpd_sys_content_t     digitalcreations
drwxr-xr-x  root     root   system_u:object_r:httpd_sys_content_t     error
drwxr-xr-x  root     root   system_u:object_r:httpd_sys_content_t     html
drwxr-xr-x  root     root   system_u:object_r:httpd_sys_content_t     icons
drwxrwxrwx  root     root   system_u:object_r:httpd_sys_content_t     jjakober
drwxrwxrwx  root     root   system_u:object_r:httpd_sys_content_t     kodiaks
drwxr-xr-x  root     root   system_u:object_r:httpd_sys_content_t     lindarosephoto.com
drwxr-xr-x  root     root   system_u:object_r:httpd_sys_content_t     lwccspokane.org
drwxr-xr-x  root     root   system_u:object_r:httpd_sys_content_t     manual
drwxr-xr-x  root     root   system_u:object_r:httpd_sys_content_t     pteraweb
drwxr-xr-x  root     root   system_u:object_r:httpd_sys_content_t     ptootie
drwxrwxrwx  root     root   system_u:object_r:httpd_sys_content_t     punisher
drwxrwxrwx  root     root   system_u:object_r:httpd_sys_content_t     spokanewines.com
drwxrwxrwx  root     root   system_u:object_r:httpd_sys_content_t     stevefm
drwxrwxrwx  root     root   system_u:object_r:httpd_sys_content_t     suetkr
drwxr-xr-x  root     root   system_u:object_r:httpd_sys_content_t     tangleheart.com
drwxr-xr-x  webalize root   system_u:object_r:httpd_sys_content_t     usage
drwxrwxrwx  apache   apache system_u:object_r:httpd_sys_content_t     wag1designs
Does it error if you change the type of the log files to httpd_log_t? I.e.,
chcon -R -t httpd_log_t /var/www/spokanewines.com/logs/*
Issued the above command and then service httpd start
Nov 30 13:31:29 webmail kernel: audit(1101850289.759:0): avc: denied { append } for pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0 ino=552157 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Nov 30 13:31:29 webmail httpd: httpd startup failed
ls -Z /var/www/spokanewines.com/logs
-rw-r--r--  root root system_u:object_r:httpd_log_t access_log
-rw-r--r--  root root system_u:object_r:httpd_log_t error_log
-- Karsten Wade, RHCE, Tech Writer a lemon is just a melon in disguise http://people.redhat.com/kwade/ gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Arthur Stephens wrote:
Nov 30 13:31:29 webmail kernel: audit(1101850289.759:0): avc: denied { append } for pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0 ino=552157 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Nov 30 13:31:29 webmail httpd: httpd startup failed
ls -Z /var/www/spokanewines.com/logs
-rw-r--r--  root root system_u:object_r:httpd_log_t access_log
-rw-r--r--  root root system_u:object_r:httpd_log_t error_log
Are you sure this error_log is the one represented by ino=552157???
Oops.. I forgot to check /var/log/httpd/error_log
Before: (13)Permission denied: httpd: could not open error log file /var/www/spokanewines.com/logs/error_log. Unable to open logs
After: (13)Permission denied: httpd: could not open error log file /var/www/tangleheart.com/logs/error_log. Unable to open logs
Looks like it just switched to another directory... hmmmm
----- Original Message ----- From: "Daniel J Walsh" dwalsh@redhat.com To: "Fedora SELinux support list for users & developers." fedora-selinux-list@redhat.com Sent: Tuesday, November 30, 2004 11:25 AM Subject: Re: httpd avc denied problem
Arthur Stephens wrote:
----- Original Message ----- From: "Karsten Wade" kwade@redhat.com To: "Fedora SELinux support list for users & developers." fedora-selinux-list@redhat.com Sent: Tuesday, November 30, 2004 5:03 AM Subject: Re: httpd avc denied problem
On Mon, 2004-11-29 at 16:53, Arthur Stephens wrote:
/var/www/, as defined in /etc/selinux/targeted/src/policy/file_contexts/file_contexts:
OK Mine is located someplace different /etc/selinux/targeted/context/files/file_contexts
Yeah, it's the same file as the one in the policy sources (targeted/src/policy), which comes from the selinux-policy-targeted-sources directory. You shouldn't need that unless you have to customize the policy, which doesn't sound necessary yet.
/var/www(/.*)? system_u:object_r:httpd_sys_content_t
It looks as if the httpd policy needs the logs to be a different type:
Mine says the same... But there is a /etc/httpd/logs system_u:object_r:httpd_log_t
And this:
/var/log/httpd(/.*)? system_u:object_r:httpd_log_t
I suppose either would work, since httpd_t can append to httpd_log_t and httpd_runtime_t. httpd_log_t looks like the proper one to use.
But what puzzles me is why only this one log directory....all the
others
like it work...
This is with httpd_unified set to true?
Yes actually mine says "active"
AIUI, it must be set to true,
if httpd_t can append to httpd_sys_content_t.
For 'ls -Z /var/www' are all the directories essentially the same permissions? I'm not thinking the problem is regular UNIX permissions because you got an AVC denial ... something is fishy.
ls -Z /var/www drwxrwxrwx root root system_u:object_r:httpd_sys_content_t aha drwxr-xr-x root root system_u:object_r:httpd_sys_content_t arthurstephens.com drwxr-xr-x root root system_u:object_r:httpd_sys_content_t birdshield.com drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t cgi-bin drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
charlieh
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t cvafoundation.org drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
davidh
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t digitalcreations drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
jjakober
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
kodiaks
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t lindarosephoto.com drwxr-xr-x root root system_u:object_r:httpd_sys_content_t lwccspokane.org drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
manual
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
pteraweb
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
ptootie
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
punisher
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t spokanewines.com drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
stevefm
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
suetkr
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t tangleheart.com drwxr-xr-x webalize root system_u:object_r:httpd_sys_content_t usage drwxrwxrwx apache apache system_u:object_r:httpd_sys_content_t wag1designs
Does it error if you change the type of the log files to httpd_log_t? I.e.,
chcon -R -t httpd_log_t /var/www/spokanewines.com/logs/*
Issued the above command and then service httpd start
Nov 30 13:31:29 webmail kernel: audit(1101850289.759:0): avc: denied { append } for pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0 ino=552157 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file Nov 30 13:31:29 webmail httpd: httpd startup failed
ls -Z /var/www/spokanewines.com/logs -rw-r--r-- root root system_u:object_r:httpd_log_t access_log -rw-r--r-- root root system_u:object_r:httpd_log_t error_log
Are you sure this error_log is the one represented by ino=552157???
Can you send in the avc: denied errors that you are getting? I can't imagine how this would be a policy bug, but it's worth looking into.
- Karsten
EXAMPLES /var/www/arthurstephens.com/logs [root@webmail arthurstephens.com]# ls -alZ logs/ drwxr-xr-x root root system_u:object_r:httpd_sys_content_t . drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .. -rw-r--r-- root root system_u:object_r:httpd_sys_content_t access_log -rw-r--r-- root root system_u:object_r:httpd_sys_content_t error_log
/var/www/cvafoundation.org/logs [root@webmail cvafoundation.org]# ls -alZ logs/ drwxr-xr-x root root system_u:object_r:httpd_sys_content_t . drwxrwxrwx root root system_u:object_r:httpd_sys_content_t .. -rw-r--r-- root root system_u:object_r:httpd_sys_content_t access_log -rw-r--r-- root root system_u:object_r:httpd_sys_content_t error_log
But this one fails... /var/www/spokanewines.com/logs [root@webmail spokanewines.com]# ls -alZ logs drwxr-xr-x root root system_u:object_r:httpd_sys_content_t . drwxrwxrwx root root system_u:object_r:httpd_sys_content_t .. -rw-r--r-- root root system_u:object_r:httpd_sys_content_t access_log -rw-r--r-- root root system_u:object_r:httpd_sys_content_t error_log
-- Karsten Wade, RHCE, Tech Writer a lemon is just a melon in disguise http://people.redhat.com/kwade/ gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Tue, 2004-11-30 at 11:41, Arthur Stephens wrote:
Oops.. I forgot to check /var/log/httpd/error_log
Before: (13)Permission denied: httpd: could not open error log file /var/www/spokanewines.com/logs/error_log. Unable to open logs
After: (13)Permission denied: httpd: could not open error log file /var/www/tangleheart.com/logs/error_log. Unable to open logs
I think I know what is going on.
When httpd is starting, it tries to write to the logs, fails on the first one, issues an error, and quits. Since you fixed the labeling, it actually passed spokanewines.com/logs/error_log and went to the next one, where it errors again.
I'd reckon that it's going through your domains in the order they appear in httpd.conf.
Try this:
chcon -R -t httpd_log_t /var/www/*/logs/*
service httpd start
- Karsten
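Karsten's diagnosis above (httpd walks httpd.conf in order and stops at the first log it cannot open, so relabeling one vhost's logs just moves the denial to the next vhost) as an added Python example; this is not code from the thread. The httpd.conf fragment and the `ls -Z` listings are constructed, the AVC line is the one Arthur posted, and the appendable types are the ones named in the thread (httpd_log_t and httpd_runtime_t, plus httpd_sys_content_t only when httpd_unified is on).

```python
import re

# Types the httpd_t domain may append to, per the allow rules quoted in the
# thread. httpd_sys_content_t is appendable only while httpd_unified is on.
APPENDABLE_LOG_TYPES = {"httpd_log_t", "httpd_runtime_t"}

# Constructed httpd.conf fragment: two vhosts, in this order.
HTTPD_CONF = """
<VirtualHost *:80>
    ServerName spokanewines.com
    ErrorLog /var/www/spokanewines.com/logs/error_log
    CustomLog /var/www/spokanewines.com/logs/access_log combined
</VirtualHost>
<VirtualHost *:80>
    ServerName tangleheart.com
    ErrorLog /var/www/tangleheart.com/logs/error_log
    CustomLog /var/www/tangleheart.com/logs/access_log combined
</VirtualHost>
"""

# Constructed `ls -Z` output (FC3 format: mode user group context name),
# one listing per logs directory, after chcon was run on spokanewines only.
LS_Z = {
    "/var/www/spokanewines.com/logs": """\
-rw-r--r--  root root system_u:object_r:httpd_log_t          access_log
-rw-r--r--  root root system_u:object_r:httpd_log_t          error_log""",
    "/var/www/tangleheart.com/logs": """\
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t  access_log
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t  error_log""",
}

# The kernel audit line Arthur posted in the thread.
AVC_LINE = ("Nov 30 13:31:29 webmail kernel: audit(1101850289.759:0): avc: denied "
            "{ append } for pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0 "
            "ino=552157 scontext=root:system_r:httpd_t "
            "tcontext=system_u:object_r:httpd_sys_content_t tclass=file")


def context_type(ctx):
    """Type field of a user:role:type security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse a kernel AVC denial into its permissions and key=value fields."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    rec = dict(re.findall(r"(\w+)=(\S+)", line))
    rec["perms"] = m.group(1).split()
    return rec


def log_paths_in_conf_order(conf):
    """ErrorLog/CustomLog targets in the order httpd reads them."""
    paths = []
    for line in conf.splitlines():
        m = re.match(r"\s*(ErrorLog|CustomLog)\s+(\S+)", line)
        if m and not m.group(2).startswith("|"):  # skip piped loggers
            paths.append(m.group(2))
    return paths


def labels_from_ls_z(listing_by_dir):
    """Map full path -> SELinux type from per-directory `ls -Z` output."""
    labels = {}
    for directory, text in listing_by_dir.items():
        for line in text.splitlines():
            parts = line.split()
            if len(parts) >= 5 and parts[0][0] in "-d":
                labels[directory + "/" + parts[4]] = context_type(parts[3])
    return labels


def first_unopenable_log(conf, listing_by_dir, httpd_unified=False):
    """Path of the first log httpd_t cannot append to, or None if all are fine."""
    # httpd stops at the first log it cannot open, so relabeling one file
    # just moves the error to the next vhost in httpd.conf order.
    ok = set(APPENDABLE_LOG_TYPES)
    if httpd_unified:
        ok.add("httpd_sys_content_t")
    labels = labels_from_ls_z(listing_by_dir)
    for path in log_paths_in_conf_order(conf):
        if labels.get(path) not in ok:  # unlabeled/unknown file is flagged too
            return path
    return None


def relabel_commands(conf, listing_by_dir):
    """chcon commands for every log not yet carrying an appendable type."""
    # As the thread notes, chcon labels last only until the next
    # restorecon/fixfiles relabel, so this is triage, not a durable fix.
    labels = labels_from_ls_z(listing_by_dir)
    return ["chcon -t httpd_log_t " + p for p in log_paths_in_conf_order(conf)
            if labels.get(p) not in APPENDABLE_LOG_TYPES]
```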
Unable to open logs
Looks like it just switched to another directory....hmmmm
----- Original Message ----- From: "Daniel J Walsh" dwalsh@redhat.com To: "Fedora SELinux support list for users & developers." fedora-selinux-list@redhat.com Sent: Tuesday, November 30, 2004 11:25 AM Subject: Re: httpd avc denied problem
Arthur Stephens wrote:
----- Original Message ----- From: "Karsten Wade" kwade@redhat.com To: "Fedora SELinux support list for users & developers." fedora-selinux-list@redhat.com Sent: Tuesday, November 30, 2004 5:03 AM Subject: Re: httpd avc denied problem
On Mon, 2004-11-29 at 16:53, Arthur Stephens wrote:
/var/www/, as defined in /etc/selinux/targeted/src/policy/file_contexts/file_contexts:
OK Mine is located someplace different /etc/selinux/targeted/context/files/file_contexts
Yeah, it's the same file as the one in the policy sources (targeted/src/policy), which comes from the selinux-policy-targeted-sources directory. You shouldn't need that unless you have to customize the policy, which doesn't sound necessary yet.
/var/www(/.*)? system_u:object_r:httpd_sys_content_t
It looks as if the httpd policy needs the logs to be a different type:
Mine says the same... But there is a /etc/httpd/logs system_u:object_r:httpd_log_t
And this:
/var/log/httpd(/.*)? system_u:object_r:httpd_log_t
I suppose either would work, since httpd_t can append to httpd_log_t and httpd_runtime_t. httpd_log_t looks like the proper one to use.
But what puzzles me is why only this one log directory....all the
others
like it work...
This is with httpd_unified set to true?
Yes actually mine says "active"
AIUI, it must be set to true,
if httpd_t can append to httpd_sys_content_t.
For 'ls -Z /var/www' are all the directories essentially the same permissions? I'm not thinking the problem is regular UNIX permissions because you got an AVC denial ... something is fishy.
ls -Z /var/www
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t aha
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t arthurstephens.com
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t birdshield.com
drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t cgi-bin
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t charlieh
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t cvafoundation.org
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t davidh
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t digitalcreations
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t jjakober
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t kodiaks
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t lindarosephoto.com
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t lwccspokane.org
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t manual
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t pteraweb
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ptootie
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t punisher
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t spokanewines.com
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t stevefm
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t suetkr
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t tangleheart.com
drwxr-xr-x webalize root system_u:object_r:httpd_sys_content_t usage
drwxrwxrwx apache apache system_u:object_r:httpd_sys_content_t wag1designs
Does it error if you change the type of the log files to httpd_log_t? I.e.,
chcon -R -t httpd_log_t /var/www/spokanewines.com/logs/*
Issued the above command and then service httpd start
Nov 30 13:31:29 webmail kernel: audit(1101850289.759:0): avc: denied { append } for pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0 ino=552157 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Nov 30 13:31:29 webmail httpd: httpd startup failed
ls -Z /var/www/spokanewines.com/logs
-rw-r--r-- root root system_u:object_r:httpd_log_t access_log
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
Are you sure this error_log is the one represented by ino=552157???
Can you send in the avc: denied errors that you are getting? I can't imagine how this would be a policy bug, but it's worth looking into.
- Karsten
EXAMPLES
/var/www/arthurstephens.com/logs
[root@webmail arthurstephens.com]# ls -alZ logs/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t access_log
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t error_log
/var/www/cvafoundation.org/logs
[root@webmail cvafoundation.org]# ls -alZ logs/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t access_log
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t error_log
But this one fails...
/var/www/spokanewines.com/logs
[root@webmail spokanewines.com]# ls -alZ logs
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t access_log
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t error_log
-- Karsten Wade, RHCE, Tech Writer a lemon is just a melon in disguise http://people.redhat.com/kwade/ gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
chcon -R -t httpd_log_t /var/www/*/logs/*
service httpd start
BTW, if this works, you'll want to do something to make the change permanent. Otherwise, the next running of restorecon will hose your configuration.
Two options jump to mind:
* Move the logs into a path that will receive httpd_log_t, i.e., /var/logs/httpd/
* Install the policy sources (yum install selinux-policy-targeted-sources), and do the following:
1. Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
2. Add this line: /var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
Feel free to correct my regexp, but I think it's right. :)
3. In /etc/selinux/targeted/src/policy rebuild the policy with 'make load'. This will build and load the new policy directly into memory.
4. If you now do restorecon, the /var/www/*/logs directories should get the proper context.
Be aware that if you make another change to SELinux, especially using system-config-securitylevel, the file /.autorelabel may get created. That triggers a relabeling on reboot, and may hose any manual customizations not fixed in policy.
- Karsten
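The chcon above is undone by the next restorecon because the label is not backed by a file_contexts rule. Here is an added example (my own, not from the thread or from the Fedora policy) that models how such a rule table is consulted, so you can predict the label a path should get and list the files under a directory whose current label disagrees; the rule table, the ls -Z sample and the "last matching line wins" matching convention are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: model the file_contexts lookup, so a
# path's intended label can be predicted and files whose label drifted
# (e.g. after restorecon undid a one-off chcon) can be listed before httpd
# refuses to start. Assumes classic file_contexts matching: every regex is
# anchored at both ends and, among all matching lines, the last one wins.

# Constructed table (assumption): stock entries modelled on those quoted in
# the thread, plus Karsten's proposed line for per-vhost log directories.
FC_TABLE='/var/www(/.*)?          system_u:object_r:httpd_sys_content_t
/var/www/cgi-bin(/.*)?  system_u:object_r:httpd_sys_script_exec_t
/var/log/httpd(/.*)?    system_u:object_r:httpd_log_t
/var/www/.*/logs(/.*)?  system_u:object_r:httpd_log_t'

# expected_context PATH: print the context FC_TABLE assigns to PATH
# (prints an empty line when no rule matches).
expected_context() {
    printf '%s\n' "$FC_TABLE" | awk -v p="$1" '
        NF == 2 && p ~ ("^" $1 "$") { last = $2 }
        END { print last }'
}

# find_mislabeled DIR: read "ls -Z" output for DIR on stdin (fields: mode
# user group context name) and print "PATH ACTUAL EXPECTED" for every
# entry whose context differs from the one the table predicts.
find_mislabeled() {
    dir=$1
    while read -r mode user group ctx name; do
        [ -n "$name" ] || continue
        want=$(expected_context "$dir/$name")
        if [ -n "$want" ] && [ "$ctx" != "$want" ]; then
            printf '%s %s %s\n' "$dir/$name" "$ctx" "$want"
        fi
    done
}

# count_mislabeled DIR: same input, prints only the number of mismatches.
count_mislabeled() {
    find_mislabeled "$1" | awk 'END { print NR }'
}

# Constructed input in the shape of the listing the thread shows for
# /var/www/spokanewines.com/logs before the chcon.
SAMPLE_LS='-rw-r--r-- root root system_u:object_r:httpd_sys_content_t access_log
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t error_log'

# Stand-alone run: both log files are reported as needing httpd_log_t.
printf '%s\n' "$SAMPLE_LS" | find_mislabeled /var/www/spokanewines.com/logs
```

On a live box the same check is what `restorecon -n -v` does against the installed policy; the toy table only makes the rule ordering visible.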
Karsten Wade wrote:
On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
chcon -R -t httpd_log_t /var/www/*/logs/*
service httpd start
BTW, if this works, you'll want to do something to make the change permanent. Otherwise, the next running of restorecon will hose your configuration.
Two options jump to mind:
- Move the logs into a path that will receive httpd_log_t, i.e., /var/logs/httpd/
- Install the policy sources (yum install selinux-policy-targeted-sources), and do the following:
  Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
  Add this line:
  /var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
  Feel free to correct my regexp, but I think it's right. :)
- In /etc/selinux/targeted/src/policy rebuild the policy with 'make load'. This will build and load the new policy directly into memory.
- If you now do restorecon, the /var/www/*/logs directories should get the proper context.
Be aware that if you make another change to SELinux, especially using system-config-securitylevel, the file /.autorelabel may get created. That triggers a relabeling on reboot, and may hose any manual customizations not fixed in policy.
- Karsten
/.autorelabel will only get created when switching from one type of policy to another (strict <--> targeted)
Looking back on this chain, it seems that if he had httpd_unified set it should have been able to write to the log files anyway. This might be a bug in policy?
- Install the policy sources (yum install selinux-policy-targeted-sources), and do the following:
It said I needed to have public GPG keys installed ????
Sorry, ignorance here. How do I download GPG keys for this?
Arthur Stephens Sales Technician Ptera Wireless Internet astephens@ptera.net 509-927-Ptera
Am Mi, den 01.12.2004 schrieb Arthur Stephens um 20:25:
- Install the policy sources (yum install selinux-policy-targeted-sources), and do the following:
It said I needed to have public GPG keys installed ????
Sorry, ignorance here. How do I download GPG keys for this?
http://www.fedoranews.org/tchung/yum-gpg
Arthur Stephens
Alexander
P.S. Not an SELinux topic, but while doing security settings, please still take care with filesystem permissions!
[root@webmail ~]# cd /var/www/spokanewines.com/logs/
[root@webmail logs]# ls -alZ
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
The chmod 777 for the "[root@webmail ~]# cd /var/www/spokanewines.com" directory is bad.
I installed the policy sources on my fedora core 3. :) Got to step one: Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
There is no such file :(
[root@webmail ~]# ls /etc/selinux/targeted/src/policy/file_contexts/
distros.fc misc program types.fc
[root@webmail ~]#
Arthur Stephens Sales Technician Ptera Wireless Internet astephens@ptera.net 509-927-Ptera
----- Original Message ----- From: "Karsten Wade" kwade@redhat.com To: "Fedora SELinux support list for users & developers." fedora-selinux-list@redhat.com Sent: Tuesday, November 30, 2004 2:01 PM Subject: Re: httpd avc denied problem
On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
chcon -R -t httpd_log_t /var/www/*/logs/*
service httpd start
BTW, if this works, you'll want to do something to make the change permanent. Otherwise, the next running of restorecon will hose your configuration.
Two options jump to mind:
- Move the logs into a path that will receive httpd_log_t, i.e., /var/logs/httpd/
- Install the policy sources (yum install selinux-policy-targeted-sources), and do the following:
  Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
  Add this line:
  /var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
  Feel free to correct my regexp, but I think it's right. :)
- In /etc/selinux/targeted/src/policy rebuild the policy with 'make load'. This will build and load the new policy directly into memory.
- If you now do restorecon, the /var/www/*/logs directories should get the proper context.
Be aware that if you make another change to SELinux, especially using system-config-securitylevel, the file /.autorelabel may get created. That triggers a relabeling on reboot, and may hose any manual customizations not fixed in policy.
- Karsten
Arthur Stephens wrote:
I installed the policy sources on my fedora core 3. :) Got to step one: Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
There is no such file :(
[root@webmail ~]# ls /etc/selinux/targeted/src/policy/file_contexts/
distros.fc misc program types.fc
[root@webmail ~]#
Ok, create a file in the misc directory called custom.fc; the file_contexts file is only created via the make file.
echo "/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t" >> misc/custom.fc
Then rebuild policy:
make load
Now restorecon
Arthur Stephens Sales Technician Ptera Wireless Internet astephens@ptera.net 509-927-Ptera
Ok, that solved that problem but turned up another one. I have a folder under /var/log/httpd called /mail where I put log messages that come from SquirrelMail. httpd fails with this informative message... 'Unable to open logs'; /var/log/messages says 'httpd: httpd startup failed'
I looked at the /var/log/httpd directory and I see the folder I created is labeled differently:
[root@webmail ~]# ls -Z /var/log/httpd/
-rw-r--r-- root root system_u:object_r:httpd_log_t access_log
-rw-r--r-- root root system_u:object_r:httpd_log_t access_log.1
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log.1
drwxr-xr-x root root system_u:object_r:httpd_log_t mail
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_access_log
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_error_log
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_error_log.1
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_request_log
And here is what I have in my custom.fc:
/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
/var/log/httpd/mail(/.*)? system_u:object_r:httpd_log_t
/var/log/httpd/mail system_u:object_r:httpd_log_t
[root@webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r-- root root root:object_r:httpd_runtime_t error_log
After running fixfiles relabel:
[root@webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
service httpd start
httpd fails with this informative message... 'Unable to open logs'; /var/log/messages: 'httpd: httpd startup failed'
So am I right in thinking at this point the problem is no longer with selinux?
Arthur Stephens Sales Technician Ptera Wireless Internet astephens@ptera.net 509-927-Ptera
----- Original Message ----- From: "Daniel J Walsh" dwalsh@redhat.com To: "Fedora SELinux support list for users & developers." fedora-selinux-list@redhat.com Sent: Thursday, December 02, 2004 10:46 AM Subject: Re: httpd avc denied problem
Arthur Stephens wrote:
I installed the policy sources on my fedora core 3. :) Got to step one: Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
There is no such file :(
[root@webmail ~]# ls /etc/selinux/targeted/src/policy/file_contexts/
distros.fc misc program types.fc
[root@webmail ~]#
Ok create a file in the misc directory called custom.fc, file_context file is only created via the make file.
echo "/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t" >> misc/custom.fc
Then rebuild policy:
make load
Now restorecon
Arthur Stephens wrote:
Ok, that solved that problem but turned up another one. I have a folder under /var/log/httpd called /mail where I put log messages that come from SquirrelMail. httpd fails with this informative message... 'Unable to open logs'; /var/log/messages says 'httpd: httpd startup failed'
I looked at the /var/log/httpd directory and I see the folder I created is labeled differently:
[root@webmail ~]# ls -Z /var/log/httpd/
-rw-r--r-- root root system_u:object_r:httpd_log_t access_log
-rw-r--r-- root root system_u:object_r:httpd_log_t access_log.1
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log.1
drwxr-xr-x root root system_u:object_r:httpd_log_t mail
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_access_log
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_error_log
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_error_log.1
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_request_log
And here is what I have in my custom.fc:
/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
/var/log/httpd/mail(/.*)? system_u:object_r:httpd_log_t
/var/log/httpd/mail system_u:object_r:httpd_log_t
[root@webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r-- root root root:object_r:httpd_runtime_t error_log
After running fixfiles relabel:
[root@webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
service httpd start
httpd fails with this informative message... 'Unable to open logs'; /var/log/messages: 'httpd: httpd startup failed'
So am I right in thinking at this point the problem is no longer with selinux?
I have no idea,
type:
setenforce 0
service httpd start
If this works, then the problem is SELinux, if not then it probably is not SELinux.
setenforce 0 turns off selinux protection. setenforce 1 turns it back on.
Hello List,
I have a problem sending mail from a php script.
audit(1101900916.389:0): avc: denied { getattr } for pid=18363 exe=/bin/bash path=/usr/sbin/sendmail.postfix dev=md0 ino=7518272 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file
Everything else works very well with SELinux.
System FC3 Postfix, SELinux enforcing, targeted.
Thank you for any help.
selinux@lists.fedoraproject.org
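Both denials on this page (httpd appending to a httpd_sys_content_t error_log earlier in the thread, and the PHP script stat'ing sendmail.postfix above) are easier to read once reduced to source domain, permission, object class and target type. Here is an added example (my own, not from either poster) that does that reduction for the single-line FC3 audit format and summarises a log so repeated denials appear once; the sample log lines are constructed from the two messages quoted on this page, with a made-up syslog prefix on the second.

```shell
#!/bin/sh
# Added example, not from the thread: boil a kernel "avc: denied" line down
# to the four facts that decide the fix (source domain, permission, object
# class, target type) and summarise a whole log so repeated denials show
# up once. Assumption: the FC3-era single-line audit format seen above.

# avc_field LINE KEY: print the value of "KEY=value" in LINE, or nothing.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: the permission(s) listed between "denied {" and "}".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' |
        sed 's/[[:space:]]*$//'
}

# ctx_type CONTEXT: the type part of a user:role:type context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "SOURCE_TYPE PERM CLASS TARGET_TYPE"
avc_summary() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    printf '%s %s %s %s\n' "$src" "$(avc_perm "$1")" "$(avc_field "$1" tclass)" "$tgt"
}

# summarize_log: read syslog lines on stdin, keep the AVC denials, print
# each distinct summary once.
summarize_log() {
    while IFS= read -r line; do
        case $line in
            *"avc: denied"*) avc_summary "$line" ;;
        esac
    done | sort -u
}

# Constructed sample: the two denials quoted on this page (the httpd one
# twice, the PHP one with an invented syslog prefix) plus an unrelated
# httpd line, in /var/log/messages layout.
AVC_HTTPD='Nov 30 13:31:29 webmail kernel: audit(1101850289.759:0): avc: denied { append } for pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0 ino=552157 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file'
AVC_PHP='Dec  1 14:15:16 webmail kernel: audit(1101900916.389:0): avc: denied { getattr } for pid=18363 exe=/bin/bash path=/usr/sbin/sendmail.postfix dev=md0 ino=7518272 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sbin_t tclass=file'
SAMPLE_LOG="$AVC_HTTPD
Nov 30 13:31:29 webmail httpd: httpd startup failed
$AVC_PHP
$AVC_HTTPD"

# Stand-alone run: prints the two distinct denials, one per line.
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

The summary line "httpd_t append file httpd_sys_content_t" is exactly the mismatch the thread fixed by relabeling to httpd_log_t; a persistent summary like that is the cue to fix the label or policy rather than to reach for setenforce 0.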