Re: httpd avc denied problem

"Arthur Stephens" <astephens@xxxxxxxxx> · Mon, 29 Nov 2004 16:53:54 -0800

>If you haven't seen this, it might help some more:

>http://fedora.redhat.com/docs/selinux-apache-fc3/

I was here but nothing there explained what was going on.

> /var/www/, as defined in
> /etc/selinux/targeted/src/policy/file_contexts/file_contexts:

OK Mine is  located someplace different
 /etc/selinux/targeted/context/files/file_contexts

>
> /var/www(/.*)?                  system_u:object_r:httpd_sys_content_t
>
> It looks as if the httpd policy needs the logs to be a different type:

Mine says the same...
But there is a
/etc/httpd/logs                        system_u:object_r:httpd_log_t

But what puzzles me is why only this one log directory....all the others
like it work...
EXAMPLES
/var/www/arthurstephens.com/logs
[root@webmail arthurstephens.com]# ls -alZ logs/
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t ..
-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t
access_log
-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t
error_log

/var/www/cvafoundation.org/logs
[root@webmail cvafoundation.org]# ls -alZ logs/
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t ..
-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t
access_log
-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t
error_log

But this one fails...
/var/www/spokanewines.com/logs
[root@webmail spokanewines.com]# ls -alZ logs
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t ..
-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t
access_log
-rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t
error_log

> If all of this fails, you can turn off the SELinux protection for just
> Apache by using:
>
>   setsebool httpd_disable_trans true
>
> That will disable the transition for httpd, so it will run in the
> unconfined_t domain like the rest of the non-SELinux protected daemons.
> If you do that, please don't give up troubleshooting!  Your situation
> should work, and if it doesn't, we all want to figure out why. :)
>

This would be the quickie fix but the main reason I am rebuilding these
system is because they keep getting rootkit/hacked

I am under pressure from above to lock these things down.

Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens@xxxxxxxxx
509-927-Ptera