httpd avc denied problem

Daniel J Walsh dwalsh at redhat.com
Tue Nov 30 19:25:35 UTC 2004


Arthur Stephens wrote:

>----- Original Message ----- 
>From: "Karsten Wade" <kwade at redhat.com>
>To: "Fedora SELinux support list for users & developers."
><fedora-selinux-list at redhat.com>
>Sent: Tuesday, November 30, 2004 5:03 AM
>Subject: Re: httpd avc denied problem
>
>>On Mon, 2004-11-29 at 16:53, Arthur Stephens wrote:
>>
>>>>/var/www/, as defined in
>>>>/etc/selinux/targeted/src/policy/file_contexts/file_contexts:
>>>>
>>>OK, mine is located someplace different:
>>> /etc/selinux/targeted/context/files/file_contexts
>>>
>>Yeah, it's the same file as the one in the policy sources
>>(targeted/src/policy), which comes from the
>>selinux-policy-targeted-sources directory.  You shouldn't need that
>>unless you have to customize the policy, which doesn't sound necessary
>>yet.
>>
>>>>/var/www(/.*)?                  system_u:object_r:httpd_sys_content_t
>>>>
>>>>It looks as if the httpd policy needs the logs to be a different type:
>>>>
>>>Mine says the same...
>>>But there is a
>>>/etc/httpd/logs                        system_u:object_r:httpd_log_t
>>>
>>And this:
>>
>>/var/log/httpd(/.*)?            system_u:object_r:httpd_log_t
>>
>>I suppose either would work, since httpd_t can append to httpd_log_t and
>>httpd_runtime_t.  httpd_log_t looks like the proper one to use.
>>
>>>But what puzzles me is why only this one log directory....all the others
>>>like it work...
>>>
>>This is with httpd_unified set to true?
>>
>
>Yes, actually mine says "active"
>
>>AIUI, it must be set to true,
>>if httpd_t can append to httpd_sys_content_t.
>>
>>For 'ls -Z /var/www' are all the directories essentially the same
>>permissions?  I'm not thinking the problem is regular UNIX permissions
>>because you got an AVC denial ... something is fishy.
>>
>
>ls -Z /var/www
>drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t aha
>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t arthurstephens.com
>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t birdshield.com
>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_script_exec_t cgi-bin
>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t charlieh
>drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t cvafoundation.org
>drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t davidh
>drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t digitalcreations
>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t error
>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t html
>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t icons
>drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t jjakober
>drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t kodiaks
>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t lindarosephoto.com
>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t lwccspokane.org
>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t manual
>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t pteraweb
>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t ptootie
>drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t punisher
>drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t spokanewines.com
>drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t stevefm
>drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t suetkr
>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t tangleheart.com
>drwxr-xr-x  webalize root     system_u:object_r:httpd_sys_content_t usage
>drwxrwxrwx  apache   apache   system_u:object_r:httpd_sys_content_t wag1designs
>
>>Does it error if you change the type of the log files to httpd_log_t?
>>I.e.,
>>
>>  chcon -R -t httpd_log_t /var/www/spokanewines.com/logs/*
>>
>
>Issued the above command and then service httpd start
>
>Nov 30 13:31:29 webmail kernel: audit(1101850289.759:0): avc:  denied  { append } for  pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0 ino=552157 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
>Nov 30 13:31:29 webmail httpd: httpd startup failed
>
>ls -Z /var/www/spokanewines.com/logs
>-rw-r--r--  root     root     system_u:object_r:httpd_log_t    access_log
>-rw-r--r--  root     root     system_u:object_r:httpd_log_t    error_log
>

Are you sure this error_log is the one represented by ino=552157???

>
>>Can you send in the avc:  denied errors that you are getting?  I can't
>>imagine how this would be a policy bug, but it's worth looking into.
>>
>>- Karsten
>>
>>>EXAMPLES
>>>/var/www/arthurstephens.com/logs
>>>[root at webmail arthurstephens.com]# ls -alZ logs/
>>>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
>>>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t ..
>>>-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t access_log
>>>-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t error_log
>>>
>>>/var/www/cvafoundation.org/logs
>>>[root at webmail cvafoundation.org]# ls -alZ logs/
>>>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
>>>drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t ..
>>>-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t access_log
>>>-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t error_log
>>>
>>>But this one fails...
>>>/var/www/spokanewines.com/logs
>>>[root at webmail spokanewines.com]# ls -alZ logs
>>>drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
>>>drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t ..
>>>-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t access_log
>>>-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t error_log
>>>
>>-- 
>>Karsten Wade, RHCE, Tech Writer
>>a lemon is just a melon in disguise
>>http://people.redhat.com/kwade/
>>gpg fingerprint: 2680 DBFD D968 3141 0115  5F1B D992 0E06 AD0E 0C41
>>
>>--
>>fedora-selinux-list mailing list
>>fedora-selinux-list at redhat.com
>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list