httpd avc denied problem
Arthur Stephens
astephens at ptera.net
Tue Nov 30 19:02:59 UTC 2004
----- Original Message -----
From: "Karsten Wade" <kwade at redhat.com>
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list at redhat.com>
Sent: Tuesday, November 30, 2004 5:03 AM
Subject: Re: httpd avc denied problem
> On Mon, 2004-11-29 at 16:53, Arthur Stephens wrote:
> > > /var/www/, as defined in
> > > /etc/selinux/targeted/src/policy/file_contexts/file_contexts:
> >
> > OK Mine is located someplace different
> > /etc/selinux/targeted/context/files/file_contexts
>
> Yeah, it's the same file as the one in the policy sources
> (targeted/src/policy), which comes from the
> selinux-policy-targeted-sources directory. You shouldn't need that
> unless you have to customize the policy, which doesn't sound necessary
> yet.
>
> > > /var/www(/.*)? system_u:object_r:httpd_sys_content_t
> > >
> > > It looks as if the httpd policy needs the logs to be a different type:
> >
> > Mine says the same...
> > But there is a
> > /etc/httpd/logs system_u:object_r:httpd_log_t
>
> And this:
>
> /var/log/httpd(/.*)? system_u:object_r:httpd_log_t
>
> I suppose either would work, since httpd_t can append to httpd_log_t and
> httpd_runtime_t. httpd_log_t looks like the proper one to use.
>
> > But what puzzles me is why only this one log directory....all the others
> > like it work...
>
> This is with httpd_unified set to true?
Yes, actually mine says "active".
> AIUI, it must be set to true,
> if httpd_t can append to httpd_sys_content_t.
>
> For 'ls -Z /var/www' are all the directories essentially the same
> permissions? I'm not thinking the problem is regular UNIX permissions
> because you got an AVC denial ... something is fishy.
ls -Z /var/www
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t aha
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t arthurstephens.com
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t birdshield.com
drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t cgi-bin
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t charlieh
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t cvafoundation.org
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t davidh
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t digitalcreations
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t jjakober
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t kodiaks
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t lindarosephoto.com
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t lwccspokane.org
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t manual
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t pteraweb
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ptootie
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t punisher
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t spokanewines.com
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t stevefm
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t suetkr
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t tangleheart.com
drwxr-xr-x webalize root system_u:object_r:httpd_sys_content_t usage
drwxrwxrwx apache apache system_u:object_r:httpd_sys_content_t wag1designs
>
> Does it error if you change the type of the log files to httpd_log_t?
> I.e.,
>
> chcon -R -t httpd_log_t /var/www/spokanewines.com/logs/*
Issued the above command and then service httpd start
Nov 30 13:31:29 webmail kernel: audit(1101850289.759:0): avc: denied { append } for pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0 ino=552157 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Nov 30 13:31:29 webmail httpd: httpd startup failed
ls -Z /var/www/spokanewines.com/logs
-rw-r--r-- root root system_u:object_r:httpd_log_t access_log
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
> Can you send in the avc: denied errors that you are getting? I can't
> imagine how this would be a policy bug, but it's worth looking into.
>
> - Karsten
> > EXAMPLES
> > /var/www/arthurstephens.com/logs
> > [root at webmail arthurstephens.com]# ls -alZ logs/
> > drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
> > drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
> > -rw-r--r-- root root system_u:object_r:httpd_sys_content_t access_log
> > -rw-r--r-- root root system_u:object_r:httpd_sys_content_t error_log
> >
> > /var/www/cvafoundation.org/logs
> > [root at webmail cvafoundation.org]# ls -alZ logs/
> > drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
> > drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
> > -rw-r--r-- root root system_u:object_r:httpd_sys_content_t access_log
> > -rw-r--r-- root root system_u:object_r:httpd_sys_content_t error_log
> >
> > But this one fails...
> > /var/www/spokanewines.com/logs
> > [root at webmail spokanewines.com]# ls -alZ logs
> > drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
> > drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
> > -rw-r--r-- root root system_u:object_r:httpd_sys_content_t access_log
> > -rw-r--r-- root root system_u:object_r:httpd_sys_content_t error_log
>
> --
> Karsten Wade, RHCE, Tech Writer
> a lemon is just a melon in disguise
> http://people.redhat.com/kwade/
> gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
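An added example, not part of the thread and not anything Arthur or Karsten posted: a small POSIX sh script that pulls the object out of the AVC line above and compares it with what the targeted policy's file_contexts would assign to the chcon'd path. It uses only the three file_contexts entries quoted in the thread (on a real box you would read the file Arthur found under /etc/selinux/targeted/contexts/files/), the classic setfiles rule that the last matching entry wins, and helper names of my own choosing. The constructed AVC line is the one in the mail, joined onto one line.

```shell
#!/bin/sh
# Added example (not from the thread): parse an AVC denial, then check whether
# the type set with chcon is what file_contexts would assign anyway, i.e.
# whether restorecon or a filesystem relabel would silently put the old
# label back.

# Constructed sample: the denial Arthur posted, joined onto one line.
AVC='audit(1101850289.759:0): avc: denied { append } for pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0 ino=552157 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file'

# The three file_contexts entries quoted in the thread: regex, then context.
# Assumption: a real run would load /etc/selinux/targeted/contexts/files/file_contexts.
FILE_CONTEXTS='/var/www(/.*)? system_u:object_r:httpd_sys_content_t
/var/log/httpd(/.*)? system_u:object_r:httpd_log_t
/etc/httpd/logs system_u:object_r:httpd_log_t'

# avc_field LINE KEY: value of the KEY=value token in an AVC line.
avc_field() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# avc_perm LINE: the permission listed inside "denied { ... }".
avc_perm() {
  printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | tr -d ' '
}

# type_of CONTEXT: the type field of a user:role:type context.
type_of() {
  printf '%s\n' "$1" | cut -d: -f3
}

# default_context PATH: context of the last file_contexts entry whose regex
# matches the whole path (setfiles' last-match-wins rule); empty if none.
default_context() {
  path=$1 ctx=
  while read -r re c; do
    if printf '%s\n' "$path" | grep -Eq "^($re)"'$'; then
      ctx=$c
    fi
  done <<EOF
$FILE_CONTEXTS
EOF
  printf '%s\n' "$ctx"
}

# relabel_would_revert PATH TYPE: true when TYPE is not the policy default for
# PATH, so a chcon to TYPE lasts only until the next restorecon or relabel.
relabel_would_revert() {
  [ "$(type_of "$(default_context "$1")")" != "$2" ]
}

# find_by_inode MOUNTPOINT INODE: locate the exact file a denial names when
# several files share the name (every vhost here has an error_log). Needs the
# real filesystem, so it is defined but not called below.
find_by_inode() {
  find "$1" -xdev -inum "$2" 2>/dev/null
}

# report PATH: human-readable verdict for the sample denial against PATH.
report() {
  p=$1
  printf 'denied %s on %s (ino %s) labelled %s, by %s\n' \
    "$(avc_perm "$AVC")" "$(avc_field "$AVC" name)" "$(avc_field "$AVC" ino)" \
    "$(type_of "$(avc_field "$AVC" tcontext)")" \
    "$(type_of "$(avc_field "$AVC" scontext)")"
  printf 'policy default for %s: %s\n' "$p" "$(type_of "$(default_context "$p")")"
  if relabel_would_revert "$p" httpd_log_t; then
    printf 'chcon to httpd_log_t here is temporary: move the logs under /var/log/httpd or add a file_contexts entry for this path\n'
  else
    printf 'httpd_log_t is the policy default here, so chcon or restorecon is durable\n'
  fi
}

# The path Arthur relabelled with chcon in the thread.
report /var/www/spokanewines.com/logs/error_log
```

Two things the script makes visible that the ls -Z output alone does not: the denial names an inode, so with several vhosts each carrying an error_log the file to look at is the one find -inum returns, not necessarily the one just relabelled; and because /var/www(/.*)? maps to httpd_sys_content_t, a chcon to httpd_log_t under /var/www is not the policy default and will be reverted by restorecon or a relabel, whereas the same log under /var/log/httpd already gets httpd_log_t from policy.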