Oops.. I forgot to check /var/log/httpd/error_log

Before
(13)Permission denied: httpd: could not open error log file /var/www/spokanewines.com/logs/error_log.
Unable to open logs

After
(13)Permission denied: httpd: could not open error log file /var/www/tangleheart.com/logs/error_log.
Unable to open logs

Looks like it just switched to another directory....hmmmm

----- Original Message -----
From: "Daniel J Walsh" <dwalsh@xxxxxxxxxx>
To: "Fedora SELinux support list for users & developers." <fedora-selinux-list@xxxxxxxxxx>
Sent: Tuesday, November 30, 2004 11:25 AM
Subject: Re: httpd avc denied problem

> Arthur Stephens wrote:
>
> >----- Original Message -----
> >From: "Karsten Wade" <kwade@xxxxxxxxxx>
> >To: "Fedora SELinux support list for users & developers." <fedora-selinux-list@xxxxxxxxxx>
> >Sent: Tuesday, November 30, 2004 5:03 AM
> >Subject: Re: httpd avc denied problem
> >
> >>On Mon, 2004-11-29 at 16:53, Arthur Stephens wrote:
> >>
> >>>>/var/www/, as defined in
> >>>>/etc/selinux/targeted/src/policy/file_contexts/file_contexts:
> >>>>
> >>>OK Mine is located someplace different
> >>> /etc/selinux/targeted/context/files/file_contexts
> >>>
> >>Yeah, it's the same file as the one in the policy sources
> >>(targeted/src/policy), which comes from the
> >>selinux-policy-targeted-sources directory. You shouldn't need that
> >>unless you have to customize the policy, which doesn't sound necessary
> >>yet.
> >>
> >>>>/var/www(/.*)? system_u:object_r:httpd_sys_content_t
> >>>>
> >>>>It looks as if the httpd policy needs the logs to be a different type:
> >>>>
> >>>Mine says the same...
> >>>But there is a
> >>>/etc/httpd/logs system_u:object_r:httpd_log_t
> >>>
> >>And this:
> >>
> >>/var/log/httpd(/.*)? system_u:object_r:httpd_log_t
> >>
> >>I suppose either would work, since httpd_t can append to httpd_log_t and
> >>httpd_runtime_t. httpd_log_t looks like the proper one to use.
> >>
> >>>But what puzzles me is why only this one log directory....all the others
> >>>like it work...
> >>>
> >>This is with httpd_unified set to true?
> >>
> >
> >Yes actually mine says "active"
> >
> >AIUI, it must be set to true,
> >
> >>if httpd_t can append to httpd_sys_content_t.
> >>
> >>For 'ls -Z /var/www' are all the directories essentially the same
> >>permissions? I'm not thinking the problem is regular UNIX permissions
> >>because you got an AVC denial ... something is fishy.
> >>
> >
> >ls -Z /var/www
> >drwxrwxrwx root root system_u:object_r:httpd_sys_content_t aha
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t arthurstephens.com
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t birdshield.com
> >drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t cgi-bin
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t charlieh
> >drwxrwxrwx root root system_u:object_r:httpd_sys_content_t cvafoundation.org
> >drwxrwxrwx root root system_u:object_r:httpd_sys_content_t davidh
> >drwxrwxrwx root root system_u:object_r:httpd_sys_content_t digitalcreations
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons
> >drwxrwxrwx root root system_u:object_r:httpd_sys_content_t jjakober
> >drwxrwxrwx root root system_u:object_r:httpd_sys_content_t kodiaks
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t lindarosephoto.com
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t lwccspokane.org
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t manual
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t pteraweb
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ptootie
> >drwxrwxrwx root root system_u:object_r:httpd_sys_content_t punisher
> >drwxrwxrwx root root system_u:object_r:httpd_sys_content_t spokanewines.com
> >drwxrwxrwx root root system_u:object_r:httpd_sys_content_t stevefm
> >drwxrwxrwx root root system_u:object_r:httpd_sys_content_t suetkr
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t tangleheart.com
> >drwxr-xr-x webalize root system_u:object_r:httpd_sys_content_t usage
> >drwxrwxrwx apache apache system_u:object_r:httpd_sys_content_t wag1designs
> >
> >>Does it error if you change the type of the log files to httpd_log_t?
> >>I.e.,
> >>
> >> chcon -R -t httpd_log_t /var/www/spokanewines.com/logs/*
> >>
> >
> >Issued the above command and then service httpd start
> >
> >Nov 30 13:31:29 webmail kernel: audit(1101850289.759:0): avc: denied { append } for pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0 ino=552157 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
> >Nov 30 13:31:29 webmail httpd: httpd startup failed
> >
> >ls -Z /var/www/spokanewines.com/logs
> >-rw-r--r-- root root system_u:object_r:httpd_log_t access_log
> >-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
> >
>
> Are you sure this error_log is the one represented by ino=552157???
>
> >>Can you send in the avc: denied errors that you are getting? I can't
> >>imagine how this would be a policy bug, but it's worth looking into.
> >>
> >>- Karsten
> >>
> >>>EXAMPLES
> >>>/var/www/arthurstephens.com/logs
> >>>[root@webmail arthurstephens.com]# ls -alZ logs/
> >>>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
> >>>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t access_log
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t error_log
> >>>
> >>>/var/www/cvafoundation.org/logs
> >>>[root@webmail cvafoundation.org]# ls -alZ logs/
> >>>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
> >>>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t access_log
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t error_log
> >>>
> >>>But this one fails...
> >>>/var/www/spokanewines.com/logs
> >>>[root@webmail spokanewines.com]# ls -alZ logs
> >>>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
> >>>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t access_log
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t error_log
> >>>
> >>--
> >>Karsten Wade, RHCE, Tech Writer
> >>a lemon is just a melon in disguise
> >>http://people.redhat.com/kwade/
> >>gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
> >>
> >>--
> >>fedora-selinux-list mailing list
> >>fedora-selinux-list@xxxxxxxxxx
> >>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
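
The check asked for in the thread above (is the relabelled error_log really the file behind ino=552157?), as an added example that is not part of any message in the thread. The function names avc_field, avc_paths and demo are hypothetical, and the demo directory tree is constructed in a temporary directory; only the AVC record is taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): map the ino= of an AVC denial to paths.
# Function names are hypothetical; the demo tree below is constructed.

# The denial quoted in the thread, joined onto one line.
AVC='audit(1101850289.759:0): avc: denied { append } for pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0 ino=552157 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file'

# Print one key=value field (ino, name, tcontext, ...) of an AVC record.
avc_field() {   # usage: avc_field KEY "record"
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# Print every path under ROOT whose inode equals the record's ino= field.
# -xdev stays on one filesystem: inode numbers are unique only per device
# (the record's dev= field), so ROOT should sit on that device.
avc_paths() {   # usage: avc_paths "record" ROOT
    ino=$(avc_field ino "$1")
    [ -n "$ino" ] || return 1
    find "$2" -xdev -inum "$ino" 2>/dev/null
}

# Constructed demo: two vhosts with an identically named error_log. The
# denial carries only name=error_log, so the inode is what tells them apart.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/spokanewines.com/logs" "$root/tangleheart.com/logs"
    : > "$root/spokanewines.com/logs/error_log"
    : > "$root/tangleheart.com/logs/error_log"
    ino=$(ls -i "$root/tangleheart.com/logs/error_log" | awk '{print $1}')
    rec=$(printf '%s\n' "$AVC" | sed "s/ino=[0-9]*/ino=$ino/")
    avc_paths "$rec" "$root"    # prints only the tangleheart.com path
    rm -rf "$root"
}

demo
```

On the affected host, run avc_paths "$AVC" /var/www and then ls -Z on each path it prints: a type equal to the record's tcontext means that file, not the one already relabelled, is the one being denied.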