Ok that solved that problem but showed up another one.
I have a folder under /var/log/httpd called /mail which I put logs messages that come from Squirrel mail

httpd fails with this informative message...
'Unable to open logs'
/var/log/messages
'httpd: httpd startup failed'

I look at the /var/log/httpd directory and I do see this folder I created is labeled differently

[root@webmail ~]# ls -Z /var/log/httpd/
-rw-r--r--  root root system_u:object_r:httpd_log_t    access_log
-rw-r--r--  root root system_u:object_r:httpd_log_t    access_log.1
-rw-r--r--  root root system_u:object_r:httpd_log_t    error_log
-rw-r--r--  root root system_u:object_r:httpd_log_t    error_log.1
drwxr-xr-x  root root system_u:object_r:httpd_log_t    mail
-rw-r--r--  root root system_u:object_r:httpd_log_t    ssl_access_log
-rw-r--r--  root root system_u:object_r:httpd_log_t    ssl_error_log
-rw-r--r--  root root system_u:object_r:httpd_log_t    ssl_error_log.1
-rw-r--r--  root root system_u:object_r:httpd_log_t    ssl_request_log

And here is what I have in my custom.fc

/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
/var/log/httpd/mail(/.*)? system_u:object_r:httpd_log_t
/var/log/httpd/mail system_u:object_r:httpd_log_t

[root@webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r--  root root root:object_r:httpd_runtime_t    error_log

After running fixfile relabel

[root@webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r--  root root system_u:object_r:httpd_log_t    error_log

service httpd start

httpd fails with this informative message...
'Unable to open logs'
/var/log/messages
'httpd: httpd startup failed'

So I am right in thinking at this point the problem is no longer with selinux?

Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens@xxxxxxxxx
509-927-Ptera

----- Original Message -----
From: "Daniel J Walsh" <dwalsh@xxxxxxxxxx>
To: "Fedora SELinux support list for users & developers." <fedora-selinux-list@xxxxxxxxxx>
Sent: Thursday, December 02, 2004 10:46 AM
Subject: Re: httpd avc denied problem

> Arthur Stephens wrote:
>
> >I installed the policy sources on my fedora core 3. :)
> >Got to step one
> >Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
> >
> >There is no such file :(
> >[root@webmail ~]# ls /etc/selinux/targeted/src/policy/file_contexts/
> >distros.fc  misc  program  types.fc
> >[root@webmail ~]#
> >
> Ok create a file in the misc directory called custom.fc, file_context
> file is only created via the make file.
>
> echo "/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t" >> misc/customer.fc
>
> Then rebuild policy
>
> make load
>
> Now restorecon
>
> >Arthur Stephens
> >Sales Technician
> >Ptera Wireless Internet
> >astephens@xxxxxxxxx
> >509-927-Ptera
> >
> >----- Original Message -----
> >From: "Karsten Wade" <kwade@xxxxxxxxxx>
> >To: "Fedora SELinux support list for users & developers."
> ><fedora-selinux-list@xxxxxxxxxx>
> >Sent: Tuesday, November 30, 2004 2:01 PM
> >Subject: Re: httpd avc denied problem
> >
> >>On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
> >>
> >>> chcon -R -t httpd_log_t /var/www/*/logs/*
> >>> service httpd start
> >>>
> >>BTW, if this works, you'll want to do something to make the change
> >>permanent. Otherwise, the next running of restorecon will hose your
> >>configuration.
> >>
> >>Two options jump to mind:
> >>
> >>* Move the logs into a path that will receive httpd_log_t, i.e.,
> >>/var/logs/httpd/
> >>
> >>* Install the policy sources (yum install
> >>selinux-policy-targeted-sources), and do the following:
> >>
> >>1. Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
> >>
> >>2. Add this line:
> >>/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
> >>
> >>Feel free to correct my regexp, but I think it's right. :)
> >>
> >>3. In /etc/selinux/targeted/src/policy rebuild the policy with 'make
> >>load'. This will build and load the new policy directly into memory.
> >>
> >>4. If you now do restorecon, the /var/www/*/logs directories should get
> >>the proper context.
> >>
> >>Be aware that if you make another change to SELinux, especially using
> >>system-config-securitylevel, the file /.autorelabel may get created.
> >>That triggers a relabeling on reboot, and may hose any manual
> >>customizations not fixed in policy.
> >>
> >>- Karsten
> >>--
> >>Karsten Wade, RHCE, Tech Writer
> >>a lemon is just a melon in disguise
> >>http://people.redhat.com/kwade/
> >>gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
> >>
> >>--
> >>fedora-selinux-list mailing list
> >>fedora-selinux-list@xxxxxxxxxx
> >>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
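
Added example (not part of the original thread, and not code from any poster): a small Python check that parses file_contexts-style entries such as the custom.fc lines in the message and compares them with `ls -Z` output, reporting files whose type differs from what the entries specify. It assumes anchored full-path matching with the last matching entry winning, which is a simplification of how libselinux orders entries; the function names and sample constants are hypothetical.

```python
import re

# Constructed inputs: the custom.fc entries and `ls -Z` lines quoted in the message.
CUSTOM_FC = """\
/var/www/.*/logs(/.*)?     system_u:object_r:httpd_log_t
/var/log/httpd/mail(/.*)?  system_u:object_r:httpd_log_t
/var/log/httpd/mail        system_u:object_r:httpd_log_t
"""
BEFORE = ["-rw-r--r--  root root root:object_r:httpd_runtime_t error_log"]
AFTER = ["-rw-r--r--  root root system_u:object_r:httpd_log_t error_log"]


def parse_fc(text):
    """Parse file_contexts-style lines into (compiled regex, context) pairs."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:  # pathregex [file-type flag] context
            entries.append((re.compile(fields[0]), fields[-1]))
    return entries


def expected_context(entries, path):
    """Return the context of the last entry whose regex matches the whole path.

    Assumption: anchored matching, last match wins (simplified ordering).
    """
    found = None
    for regex, context in entries:
        if regex.fullmatch(path):
            found = context
    return found


def mislabeled(fc_text, directory, ls_z_lines):
    """Compare `ls -Z` lines for `directory` with the entries' expected types."""
    entries = parse_fc(fc_text)
    problems = []
    for line in ls_z_lines:
        _mode, _user, _group, context, name = line.split(None, 4)
        path = directory.rstrip("/") + "/" + name
        want = expected_context(entries, path)
        # Compare only the type field (third component of user:role:type).
        if want and context.split(":")[2] != want.split(":")[2]:
            problems.append((path, context, want))
    return problems


if __name__ == "__main__":
    for label, lines in (("before relabel", BEFORE), ("after relabel", AFTER)):
        print(label, mislabeled(CUSTOM_FC, "/var/log/httpd/mail", lines))
```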