Arthur Stephens wrote:
Ok that solved that problem but showed up another one.
I have a folder under /var/log/httpd called /mail which I put logs messages that come from Squirrel mail.
httpd fails with this informative message...
'Unable to open logs'
/var/log/messages
'httpd: httpd startup failed'

I look at the /var/log/httpd directory and I do see this folder I created is labeled differently
[root@webmail ~]# ls -Z /var/log/httpd/
-rw-r--r-- root root system_u:object_r:httpd_log_t access_log
-rw-r--r-- root root system_u:object_r:httpd_log_t access_log.1
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log.1
drwxr-xr-x root root system_u:object_r:httpd_log_t mail
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_access_log
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_error_log
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_error_log.1
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_request_log

And here is what I have in my custom.fc
/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
/var/log/httpd/mail(/.*)? system_u:object_r:httpd_log_t
/var/log/httpd/mail system_u:object_r:httpd_log_t

[root@webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r-- root root root:object_r:httpd_runtime_t error_log

After running fixfile relabel
[root@webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log

service httpd start
httpd fails with this informative message...
'Unable to open logs'
/var/log/messages
'httpd: httpd startup failed'
So I am right in thinking at this point the problem is no longer with selinux?
I have no idea, type
setenforce 0
service httpd start
If this works, then the problem is SELinux, if not then it probably is not SELinux.
setenforce 0 turns off selinux protection. setenforce 1 turns it back on.
Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens@xxxxxxxxx
509-927-Ptera

----- Original Message -----
From: "Daniel J Walsh" <dwalsh@xxxxxxxxxx>
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list@xxxxxxxxxx>
Sent: Thursday, December 02, 2004 10:46 AM
Subject: Re: httpd avc denied problem
Arthur Stephens wrote:
I installed the policy sources on my fedora core 3. :)
Got to step one
Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
There is no such file :(
[root@webmail ~]# ls /etc/selinux/targeted/src/policy/file_contexts/
distros.fc misc program types.fc
[root@webmail ~]#

Ok create a file in the misc directory called custom.fc, file_context file is only created via the make file.
echo "/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t" >> misc/customer.fc
Then rebuild policy
make load
Now restorecon
--
Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens@xxxxxxxxx
509-927-Ptera

----- Original Message -----
From: "Karsten Wade" <kwade@xxxxxxxxxx>
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list@xxxxxxxxxx>
Sent: Tuesday, November 30, 2004 2:01 PM
Subject: Re: httpd avc denied problem
On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
chcon -R -t httpd_log_t /var/www/*/logs/*
service httpd start
BTW, if this works, you'll want to do something to make the change permanent. Otherwise, the next running of restorecon will hose your configuration.
Two options jump to mind:
* Move the logs into a path that will receive httpd_log_t, i.e., /var/logs/httpd/
* Install the policy sources (yum install selinux-policy-targeted-sources), and do the following:
1. Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
2. Add this line: /var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
Feel free to correct my regexp, but I think it's right. :)
3. In /etc/selinux/targeted/src/policy rebuild the policy with 'make load'. This will build and load the new policy directly into memory.
4. If you now do restorecon, the /var/www/*/logs directories should get the proper context.
Be aware that if you make another change to SELinux, especially using system-config-securitylevel, the file /.autorelabel may get created. That triggers a relabeling on reboot, and may hose any manual customizations not fixed in policy.
- Karsten
--
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-selinux-list
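
Added example, not part of the original thread: file_contexts regexes are matched against the whole path (implicitly anchored at both ends), so the entries quoted above can be checked offline with grep -E before rebuilding policy. The helper names and sample paths are assumptions made up for this illustration.

```shell
#!/bin/sh
# Constructed sample: the three custom.fc entries quoted in the thread.
SPECS='/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
/var/log/httpd/mail(/.*)? system_u:object_r:httpd_log_t
/var/log/httpd/mail system_u:object_r:httpd_log_t'

# matching_specs PATH (hypothetical helper): print each regex in SPECS that
# matches PATH as a whole, mimicking the implicit ^...$ anchoring.
matching_specs() {
    path=$1
    printf '%s\n' "$SPECS" | while read -r regex context; do
        if printf '%s\n' "$path" | grep -Eq "^${regex}\$"; then
            printf '%s\n' "$regex"
        fi
    done
}

# match_count PATH (hypothetical helper): number of entries matching PATH.
match_count() {
    matching_specs "$1" | awk 'END { print NR }'
}

# Constructed sample paths covering the cases worth checking:
#  - the mail directory itself matches two entries (the third is redundant)
#  - a logs directory directly under /var/www is not covered
#  - ".*" spans slashes, so a nested "logs" directory is covered as well
#  - "logs.old" is not covered, because the tail must start with "/"
for p in \
    /var/log/httpd/mail \
    /var/log/httpd/mail/error_log \
    /var/www/site1/logs/access_log \
    /var/www/logs \
    /var/www/site1/htdocs/upload/logs/x.php \
    /var/www/site1/logs.old
do
    printf '%-42s %s matching entries\n' "$p" "$(match_count "$p")"
done
```

Any directory named logs at any depth below /var/www picks up httpd_log_t under the first entry, which is worth knowing before running restorecon over a tree that holds more than log files.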