Arthur Stephens wrote:
----- Original Message -----
From: "Karsten Wade" <kwade@xxxxxxxxxx>
To: "Fedora SELinux support list for users & developers." <fedora-selinux-list@xxxxxxxxxx>
Sent: Tuesday, November 30, 2004 5:03 AM
Subject: Re: httpd avc denied problem
On Mon, 2004-11-29 at 16:53, Arthur Stephens wrote:
/var/www/, as defined in /etc/selinux/targeted/src/policy/file_contexts/file_contexts:
OK Mine is located someplace different
/etc/selinux/targeted/context/files/file_contexts
Yeah, it's the same file as the one in the policy sources
(targeted/src/policy), which comes from the
selinux-policy-targeted-sources directory. You shouldn't need that
unless you have to customize the policy, which doesn't sound necessary
yet.
/var/www(/.*)? system_u:object_r:httpd_sys_content_t
It looks as if the httpd policy needs the logs to be a different type:
Mine says the same...
But there is a
/etc/httpd/logs system_u:object_r:httpd_log_t
And this:
/var/log/httpd(/.*)? system_u:object_r:httpd_log_t
I suppose either would work, since httpd_t can append to httpd_log_t and
httpd_runtime_t. httpd_log_t looks like the proper one to use.
But what puzzles me is why only this one log directory....all the others
like it work...
This is with httpd_unified set to true?
Yes actually mine says "active"
AIUI, it must be set to true, if httpd_t can append to httpd_sys_content_t.
For 'ls -Z /var/www' are all the directories essentially the same
permissions? I'm not thinking the problem is regular UNIX permissions
because you got an AVC denial ... something is fishy.
ls -Z /var/www
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t aha
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t arthurstephens.com
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t birdshield.com
drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t cgi-bin
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t charlieh
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t cvafoundation.org
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t davidh
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t digitalcreations
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t jjakober
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t kodiaks
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t lindarosephoto.com
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t lwccspokane.org
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t manual
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t pteraweb
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ptootie
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t punisher
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t spokanewines.com
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t stevefm
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t suetkr
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t tangleheart.com
drwxr-xr-x webalize root system_u:object_r:httpd_sys_content_t usage
drwxrwxrwx apache apache system_u:object_r:httpd_sys_content_t wag1designs
Does it error if you change the type of the log files to httpd_log_t?
I.e.,
chcon -R -t httpd_log_t /var/www/spokanewines.com/logs/*
Issued the above command and then service httpd start
Nov 30 13:31:29 webmail kernel: audit(1101850289.759:0): avc: denied { append } for pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0 ino=552157 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Nov 30 13:31:29 webmail httpd: httpd startup failed
ls -Z /var/www/spokanewines.com/logs
-rw-r--r-- root root system_u:object_r:httpd_log_t access_log
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
Are you sure this error_log is the one represented by ino=552157???
Can you send in the avc: denied errors that you are getting? I can't
imagine how this would be a policy bug, but it's worth looking into.
- Karsten
EXAMPLES
/var/www/arthurstephens.com/logs
[root@webmail arthurstephens.com]# ls -alZ logs/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t access_log
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t error_log
/var/www/cvafoundation.org/logs
[root@webmail cvafoundation.org]# ls -alZ logs/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t access_log
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t error_log
But this one fails...
/var/www/spokanewines.com/logs
[root@webmail spokanewines.com]# ls -alZ logs
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t access_log
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t error_log
--
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
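Karsten's question in the thread (is the error_log shown by ls -Z really the inode named in the denial?) is the check worth scripting, because the AVC still reports tcontext httpd_sys_content_t after the chcon to httpd_log_t, which means httpd opened a different file than the one relabelled. The block below is an added example written for this page, not code from the thread or from Fedora's SELinux tools. It parses a kernel AVC "denied" line (the sample is reconstructed from the denial quoted above), pulls out the inode, device, permission and contexts, and prints the find/chcon commands to run on the affected host. The avc_* helper names, the sample line, the mount point argument and the semanage-based persistence step are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Fedora's tooling): pull the
# fields out of a kernel AVC "denied" line and turn them into the two
# checks the thread calls for: which inode was really denied, and which
# relabel satisfies httpd_t. Helper names (avc_*, ctx_type) are this
# example's own. SAMPLE_AVC is constructed from the denial quoted above.

SAMPLE_AVC='Nov 30 13:31:29 webmail kernel: audit(1101850289.759:0): avc: denied { append } for pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0 ino=552157 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file'

# avc_field LINE KEY -> value of "KEY=value"; the key must follow whitespace,
# so asking for "context" does not match "scontext" or "tcontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE -> the permission(s) listed inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# ctx_type CONTEXT -> the type (third field) of a user:role:type context
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_locate_cmd LINE MOUNTPOINT -> the find(1) command that names the file
# owning the denied inode. name= is only a basename, so the file you chcon'd
# may not be the one httpd opened (a second error_log, a symlink target, a
# different ErrorLog directive). MOUNTPOINT is where the dev= device is
# mounted; look it up in /proc/mounts on the affected host.
avc_locate_cmd() {
    printf 'find %s -xdev -inum %s\n' "$2" "$(avc_field "$1" ino)"
}

# avc_inode_matches LINE PATH -> success only if PATH has the denied inode
avc_inode_matches() {
    [ "$(ls -di "$2" | awk '{print $1}')" = "$(avc_field "$1" ino)" ]
}

# avc_fix_cmd LINE PATH -> the chcon that satisfies this particular denial:
# httpd_t appending to a file labelled httpd_sys_content_t is a log file
# living inside the content tree, so give it httpd_log_t (the type the
# thread settles on). Prints nothing for denials this rule does not cover.
avc_fix_cmd() {
    if [ "$(ctx_type "$(avc_field "$1" scontext)")" = httpd_t ] &&
       [ "$(avc_field "$1" tclass)" = file ] &&
       [ "$(avc_perms "$1")" = append ] &&
       [ "$(ctx_type "$(avc_field "$1" tcontext)")" = httpd_sys_content_t ]; then
        printf 'chcon -t httpd_log_t %s\n' "$2"
    fi
}

# avc_persist_cmd PATTERN -> the relabel-safe equivalent of chcon on current
# releases: record the rule in the local file contexts, then reapply it.
# semanage fcontext postdates this 2004 thread; assuming a release that has it.
avc_persist_cmd() {
    printf "semanage fcontext -a -t httpd_log_t '%s' && restorecon -Rv /var/www\n" "$1"
}

# Walk-through on the sample line
main() {
    echo "perm:   $(avc_perms "$SAMPLE_AVC")"
    echo "source: $(ctx_type "$(avc_field "$SAMPLE_AVC" scontext)")"
    echo "target: $(ctx_type "$(avc_field "$SAMPLE_AVC" tcontext)") (ino $(avc_field "$SAMPLE_AVC" ino) on $(avc_field "$SAMPLE_AVC" dev))"
    echo "locate: $(avc_locate_cmd "$SAMPLE_AVC" /)"
    echo "fix:    $(avc_fix_cmd "$SAMPLE_AVC" /var/www/spokanewines.com/logs/error_log)"
    echo "keep:   $(avc_persist_cmd '/var/www/[^/]+/logs(/.*)?')"
}

main
```

Run the printed find command on the host with the mount point of dm-0 substituted for /; if it names a file other than /var/www/spokanewines.com/logs/error_log, that other file is what needs httpd_log_t. chcon alone does not survive a full relabel, which is why the last line shows the persistent form.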