Re: Certbot error - SOLVED (?)

Chris Adams wrote:
> Once upon a time, Mike Wright <nobody@xxxxxxxxxxxxxxxxxxxx> said:
>> I don't understand how his logs are accessible to the web.  They are
>> not under the DocumentRoot.  error.log is above it and access.log is
>> next to it.  Is it somehow possible for a client to reach above / ?
> 
> I didn't look at the posted configs (I haven't run Apache in ages,
> switched to nginx), so I didn't know the DocumentRoot.  I just saw the
> directory path as /var/www/<domain>, which I've seen lots of people use
> as their DocumentRoot.

It looked odd to me as well.  Apparently, the SELinux policy
tries to help with such a configuration (though it wouldn't
match Patrick's).

Checking the labeling via `semanage fcontext -l` the
following patterns are in place (among many others for
/var/www/*):

SELinux fcontext            type        Context
===============================================
/var/www(/.*)?              all files   system_u:object_r:httpd_sys_content_t:s0 
/var/www(/.*)?/logs(/.*)?   all files   system_u:object_r:httpd_log_t:s0 

Neither of these would match the log files in the
configuration posted earlier:

    <VirtualHost *:80>
        ServerName bree.org.uk
        ServerAdmin pocallaghan@xxxxxxxxx
        DocumentRoot /var/www/bree.org.uk/html
        ErrorLog /var/www/bree.org.uk/error.log
        CustomLog /var/www/bree.org.uk/log/access.log combined
    </VirtualHost>

So while the logs wouldn't be served up by httpd as part of
the document root, they would both be denied by SELinux
AFAICT.

Putting them both under /var/www/bree.org.uk/logs/ would
help in that respect; though personally I'd put them under
/var/log/httpd unless I were running a web hosting service
or something¹.

¹ and if I'm ever running a web hosting service, I have
  likely lost my mind and should be ignored (more so than I
  am now, if that's possible).

-- 
Todd
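
An added example, not part of the original message: a shell script that resolves the two fcontext patterns quoted above against the ErrorLog/CustomLog targets of the posted VirtualHost, to show which paths would receive httpd_log_t. The function names and the last-match-wins ordering are assumptions of this example; on a real system `matchpathcon <path>` reports the label the loaded policy assigns.

```shell
#!/bin/sh
# Constructed copy of the two fcontext entries quoted in the message, least
# specific first. Assumption: the last matching entry wins, a simplified
# model of file_contexts ordering that is enough for these two entries.
FCONTEXTS='/var/www(/.*)? httpd_sys_content_t
/var/www(/.*)?/logs(/.*)? httpd_log_t'

# fcontext_type PATH: print the type the entries above assign to PATH
# (hypothetical helper, not an SELinux tool).
fcontext_type() {
    result=unmatched   # neither entry of this excerpt applies
    while read -r regex ctype; do
        # grep -x anchors the regex to the whole path, as file_contexts does
        if printf '%s\n' "$1" | grep -Eqx -- "$regex"; then
            result=$ctype
        fi
    done <<EOF
$FCONTEXTS
EOF
    printf '%s\n' "$result"
}

# audit_vhost_logs: read Apache config on stdin and print, for each
# ErrorLog/CustomLog target given as an absolute path, the type it would
# get and whether that type is httpd_log_t (hypothetical helper).
audit_vhost_logs() {
    awk 'tolower($1) ~ /^(errorlog|customlog)$/ && $2 ~ /^\// { print $1, $2 }' |
    while read -r directive path; do
        t=$(fcontext_type "$path")
        if [ "$t" = httpd_log_t ]; then verdict=ok; else verdict=not-log-type; fi
        printf '%s %s %s %s\n' "$directive" "$path" "$t" "$verdict"
    done
}

# The VirtualHost from the message (ServerAdmin line omitted).
VHOST='<VirtualHost *:80>
    ServerName bree.org.uk
    DocumentRoot /var/www/bree.org.uk/html
    ErrorLog /var/www/bree.org.uk/error.log
    CustomLog /var/www/bree.org.uk/log/access.log combined
</VirtualHost>'

printf '%s\n' "$VHOST" | audit_vhost_logs
```

Moving both targets under /var/www/bree.org.uk/logs/ makes the second pattern apply and the verdict change to `ok`.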
