Move httpd root, selinux help

Moray Henderson Moray.Henderson at ict-software.org
Mon Jan 4 15:41:11 UTC 2010


tony at specialistdevelopment.com wrote:
>Hi,
>
>Wishing everyone a happy new year!
>
>Can anyone point me in the right direction with a problem I'm having
>with selinux and httpd please?
>
>I have created a virtual host and have created the directory structure:
>
>/vhosts/domain.tld/htdocs    # Document root
>/vhosts/domain.tld/logs      # Log root
>/vhosts/domain.tld/private   # Private root
>
>I have set the contexts and they display as:
>
>[root at server htdocs]# ls -laZ /vhosts/domain.tld/htdocs
>drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .
>drwxr-xr-x. root root unconfined_u:object_r:file_t:s0  ..
>-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
>
>[root at server htdocs]# ls -laZ /vhosts/domain.tld/logs
>drwxr-xr-x. root root unconfined_u:object_r:httpd_log_t:s0 .
>drwxr-xr-x. root root unconfined_u:object_r:file_t:s0  ..
>
>So to me this looks like it has the right contexts.
>
>When I try to start apache I get the following error:
>
>[root at server htdocs]# /sbin/service httpd start
>Starting httpd: Warning: DocumentRoot [/vhosts/domain.tld/htdocs] does not exist
>httpd: Could not reliably determine the server's fully qualified domain name, using ::1 for ServerName
>                                                            [FAILED]
>
>Now I know the directory exists, which confuses me. Below are the error
>logs:
>
>[root at server htdocs]# tail /var/log/httpd/error_log
>(13)Permission denied: httpd: could not open error log file /wb01/specialistdevelopment.com/www.specialistdevelopment.com/logs/error.log.
>Unable to open logs
>
>Can anyone help as I am really stuck.
>
>Thank you in advance!
>
>Tony

I have found that apache needs at least search access to _all_ the
directories in the hierarchy - so your /vhosts and your
/vhosts/domain.tld directories both need to be some type that apache can
search.

Also check /var/log/audit/audit.log (or ausearch) for the precise denial
message.


Moray.
"To err is human.  To purr, feline"
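
Added example, not part of the original message: a shell sketch that walks every directory from / down to a DocumentRoot and prints the SELinux type of each, which is the check the reply describes. The function names are hypothetical, `stat -c %C` assumes GNU coreutils, and treating `file_t` as the suspect type is an assumption based on the `..` entries in the listing quoted above.

```shell
#!/bin/sh
# Walk the directory hierarchy above a DocumentRoot and report each
# component's SELinux type. Helper names are illustrative only.

# Print every ancestor of an absolute path, top-down, one per line.
# Runs in a subshell so the IFS and noglob changes do not leak out.
ancestors() (
    set -f; IFS=/
    acc=
    for part in ${1#/}; do
        [ -n "$part" ] || continue
        acc="$acc/$part"
        printf '%s\n' "$acc"
    done
)

# Extract the type field from a user:role:type:level context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Flag a directory whose type is file_t or could not be read.
# Assumption: file_t is the type to investigate, as on the parent
# directory in the quoted ls -Z output.
report_line() {
    t=$(ctx_type "$2")
    case "$t" in
        file_t|"") printf 'CHECK %s type=%s\n' "$1" "${t:-unknown}" ;;
        *)         printf 'OK %s type=%s\n' "$1" "$t" ;;
    esac
}

# Query the live context of each ancestor (GNU stat, SELinux enabled).
check_path() {
    ancestors "$1" | while IFS= read -r dir; do
        ctx=$(stat -c %C "$dir" 2>/dev/null) || ctx=
        report_line "$dir" "$ctx"
    done
}

# Usage: sh check_ctx.sh /vhosts/domain.tld/htdocs
# For the exact denial, see /var/log/audit/audit.log or: ausearch -m avc -c httpd
if [ $# -gt 0 ]; then
    check_path "$1"
fi
```

Any line marked CHECK is a directory to compare against the denial recorded in the audit log.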