Re: Move httpd root, selinux help

[tony@xxxxxxxxxxxxxxxxxxxxxxxxx]

Thanks for your help, all sorted now :)

Tony

Quoting sai ganesh <ganesai@xxxxxxxxx>:

> the exact log  of the  avc denial is needed to analyse the problem.but
> assuming it as a denial due to the context.either you can do as
> dwalsh said or alternatively ,you can change the context of the file
> and directory to httpd_sys_content_t and put the file name and
> directory name in /etc/selinux/restorecond.conf and restart the
> restorecond service.
> so that even when you accidentally delete the file you can get the
> correct context on recreating it.
>
>
> On 1/4/10, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> > On 01/04/2010 10:09 AM, tony@xxxxxxxxxxxxxxxxxxxxxxxxx wrote:
> > > Hi,
> > >
> > > Wishing everyone a happy new year!
> > >
> > > Can anyone point me in the right direction with a problem im having with
> > > selinux and httpd please?
> > >
> > > I have created a virtual host and have created the directory structure:
> > >
> > > /vhosts/domain.tld/htdocs    # Document root
> > > /vhosts/domain.tld/logs      # Log root
> > > /vhosts/domain.tld/private   # Private root
> > >
> > > I have set the contexts and they display as:
> > >
> > > [root@server htdocs]# ls -laZ /vhosts/domain.tld/htdocs
> > > drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .
> > > drwxr-xr-x. root root unconfined_u:object_r:file_t:s0  ..
> > > -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0
> > > index.html
> > >
> > > [root@server htdocs]# ls -laZ /vhosts/domain.tld/logs
> > > drwxr-xr-x. root root unconfined_u:object_r:httpd_log_t:s0 .
> > > drwxr-xr-x. root root unconfined_u:object_r:file_t:s0  ..
> > >
> > > so to me this looks like it has the right contexts.
> > >
> > > when i try to start apache i get the following error:
> > >
> > > [root@server htdocs]# /sbin/service httpd start
> > > Starting httpd: Warning: DocumentRoot [/vhosts/domain.tld/htdocs] does
> > > not exist
> > > httpd: Could not reliably determine the server's fully qualified domain
> > > name, using ::1 for ServerName
> > >                                                            [FAILED]
> > >
> > > now i know the directory exists, which confuses me. below are the error
> > > logs:
> > >
> > > [root@server htdocs]# tail /var/log/httpd/error_log
> > > (13)Permission denied: httpd: could not open error log file
> > > /wb01/specialistdevelopment.com/www.specialistdevelopment.com/logs/error.log.
> > >
> > > Unable to open logs
> > >
> > > Can anyone help as i am really stuck.
> > >
> > > Thankyou in advance!
> > >
> > > Tony
> > >
> > >
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list@xxxxxxxxxx
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > # semanage fcontext -a -t httpd_sys_content_t '/vhosts(/.*)?'
> > # restorecon -R -v /vhosts
> >
> > Should fix the problem
> >
> > You need to label every file/dir  that httpd will access with a label it can
> > read or search.
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list@xxxxxxxxxx
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
> --
> s.saiganesh
>  “The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong
> One. 'Do it yourself'. Yes, that's it


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list