9:09 a.m.
Hi,
Wishing everyone a happy new year!
Can anyone point me in the right direction with a problem im having
with selinux and httpd please?
I have created a virtual host and have created the directory structure:
/vhosts/domain.tld/htdocs # Document root
/vhosts/domain.tld/logs # Log root
/vhosts/domain.tld/private # Private root
I have set the contexts and they display as:
[root@server htdocs]# ls -laZ /vhosts/domain.tld/htdocs
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
[root@server htdocs]# ls -laZ /vhosts/domain.tld/logs
drwxr-xr-x. root root unconfined_u:object_r:httpd_log_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 ..
so to me this looks like it has the right contexts.
when i try to start apache i get the following error:
[root@server htdocs]# /sbin/service httpd start
Starting httpd: Warning: DocumentRoot [/vhosts/domain.tld/htdocs] does
not exist
httpd: Could not reliably determine the server's fully qualified
domain name, using ::1 for ServerName
[FAILED]
now i know the directory exists, which confuses me. below are the error logs:
[root@server htdocs]# tail /var/log/httpd/error_log
(13)Permission denied: httpd: could not open error log file
/wb01/specialistdevelopment.com/www.specialistdevelopment.com/logs/error.log.
Unable to open logs
Can anyone help as i am really stuck.
Thankyou in advance!
Tony
9:41 a.m.
tony(a)specialistdevelopment.com wrote:
Hi,
Wishing everyone a happy new year!
Can anyone point me in the right direction with a problem im having
with selinux and httpd please?
I have created a virtual host and have created the directory structure:
/vhosts/domain.tld/htdocs # Document root
/vhosts/domain.tld/logs # Log root
/vhosts/domain.tld/private # Private root
I have set the contexts and they display as:
[root@server htdocs]# ls -laZ /vhosts/domain.tld/htdocs
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0
index.html
[root@server htdocs]# ls -laZ /vhosts/domain.tld/logs
drwxr-xr-x. root root unconfined_u:object_r:httpd_log_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 ..
so to me this looks like it has the right contexts.
when i try to start apache i get the following error:
[root@server htdocs]# /sbin/service httpd start
Starting httpd: Warning: DocumentRoot [/vhosts/domain.tld/htdocs] does
not exist
httpd: Could not reliably determine the server's fully qualified
domain name, using ::1 for ServerName
[FAILED]
now i know the directory exists, which confuses me. below are the error
logs:
[root@server htdocs]# tail /var/log/httpd/error_log
(13)Permission denied: httpd: could not open error log file
/wb01/specialistdevelopment.com/www.specialistdevelopment.com/logs/erro
r.l
og.
Unable to open logs
Can anyone help as i am really stuck.
Thankyou in advance!
Tony
I have found that apache needs at least search access to _all_ the
directories in the hierarchy - so your /vhosts and your
/vhosts/domain.tld directories both need to be some type that apache can
search.
Also check /var/log/audit/audit.log (or ausearch) for the precise denial
message.
Moray.
"To err is human. To purr, feline"
10:09 a.m.
On 01/04/2010 10:09 AM, tony(a)specialistdevelopment.com wrote:
Hi,
Wishing everyone a happy new year!
Can anyone point me in the right direction with a problem im having with
selinux and httpd please?
I have created a virtual host and have created the directory structure:
/vhosts/domain.tld/htdocs # Document root
/vhosts/domain.tld/logs # Log root
/vhosts/domain.tld/private # Private root
I have set the contexts and they display as:
[root@server htdocs]# ls -laZ /vhosts/domain.tld/htdocs
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0
index.html
[root@server htdocs]# ls -laZ /vhosts/domain.tld/logs
drwxr-xr-x. root root unconfined_u:object_r:httpd_log_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 ..
so to me this looks like it has the right contexts.
when i try to start apache i get the following error:
[root@server htdocs]# /sbin/service httpd start
Starting httpd: Warning: DocumentRoot [/vhosts/domain.tld/htdocs] does
not exist
httpd: Could not reliably determine the server's fully qualified domain
name, using ::1 for ServerName
[FAILED]
now i know the directory exists, which confuses me. below are the error
logs:
[root@server htdocs]# tail /var/log/httpd/error_log
(13)Permission denied: httpd: could not open error log file
/wb01/specialistdevelopment.com/www.specialistdevelopment.com/logs/error.log.
Unable to open logs
Can anyone help as i am really stuck.
Thankyou in advance!
Tony
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
# semanage fcontext -a -t httpd_sys_content_t '/vhosts(/.*)?'
# restorecon -R -v /vhosts
Should fix the problem
You need to label every file/dir that httpd will access with a label it can read or
search.
11:27 p.m.
the exact log of the avc denial is needed to analyse the problem.but
assuming it as a denial due to the context.either you can do as
dwalsh said or alternatively ,you can change the context of the file
and directory to httpd_sys_content_t and put the file name and
directory name in /etc/selinux/restorecond.conf and restart the
restorecond service.
so that even when you accidentally delete the file you can get the
correct context on recreating it.
On 1/4/10, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
On 01/04/2010 10:09 AM, tony(a)specialistdevelopment.com wrote:
> Hi,
>
> Wishing everyone a happy new year!
>
> Can anyone point me in the right direction with a problem im having with
> selinux and httpd please?
>
> I have created a virtual host and have created the directory structure:
>
> /vhosts/domain.tld/htdocs # Document root
> /vhosts/domain.tld/logs # Log root
> /vhosts/domain.tld/private # Private root
>
> I have set the contexts and they display as:
>
> [root@server htdocs]# ls -laZ /vhosts/domain.tld/htdocs
> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .
> drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 ..
> -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0
> index.html
>
> [root@server htdocs]# ls -laZ /vhosts/domain.tld/logs
> drwxr-xr-x. root root unconfined_u:object_r:httpd_log_t:s0 .
> drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 ..
>
> so to me this looks like it has the right contexts.
>
> when i try to start apache i get the following error:
>
> [root@server htdocs]# /sbin/service httpd start
> Starting httpd: Warning: DocumentRoot [/vhosts/domain.tld/htdocs] does
> not exist
> httpd: Could not reliably determine the server's fully qualified domain
> name, using ::1 for ServerName
> [FAILED]
>
> now i know the directory exists, which confuses me. below are the error
> logs:
>
> [root@server htdocs]# tail /var/log/httpd/error_log
> (13)Permission denied: httpd: could not open error log file
> /wb01/specialistdevelopment.com/www.specialistdevelopment.com/logs/error.log.
>
> Unable to open logs
>
> Can anyone help as i am really stuck.
>
> Thankyou in advance!
>
> Tony
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
# semanage fcontext -a -t httpd_sys_content_t '/vhosts(/.*)?'
# restorecon -R -v /vhosts
Should fix the problem
You need to label every file/dir that httpd will access with a label it can
read or search.
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
s.saiganesh
“The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong
One. 'Do it yourself'. Yes, that's it
9:17 a.m.
Thanks for your help, all sorted now :)
Tony
Quoting sai ganesh <ganesai(a)gmail.com>:
the exact log of the avc denial is needed to analyse the
problem.but
assuming it as a denial due to the context.either you can do as
dwalsh said or alternatively ,you can change the context of the file
and directory to httpd_sys_content_t and put the file name and
directory name in /etc/selinux/restorecond.conf and restart the
restorecond service.
so that even when you accidentally delete the file you can get the
correct context on recreating it.
On 1/4/10, Daniel J Walsh <dwalsh(a)redhat.com> wrote:
> On 01/04/2010 10:09 AM, tony(a)specialistdevelopment.com wrote:
>> Hi,
>>
>> Wishing everyone a happy new year!
>>
>> Can anyone point me in the right direction with a problem im having with
>> selinux and httpd please?
>>
>> I have created a virtual host and have created the directory structure:
>>
>> /vhosts/domain.tld/htdocs # Document root
>> /vhosts/domain.tld/logs # Log root
>> /vhosts/domain.tld/private # Private root
>>
>> I have set the contexts and they display as:
>>
>> [root@server htdocs]# ls -laZ /vhosts/domain.tld/htdocs
>> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .
>> drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 ..
>> -rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0
>> index.html
>>
>> [root@server htdocs]# ls -laZ /vhosts/domain.tld/logs
>> drwxr-xr-x. root root unconfined_u:object_r:httpd_log_t:s0 .
>> drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 ..
>>
>> so to me this looks like it has the right contexts.
>>
>> when i try to start apache i get the following error:
>>
>> [root@server htdocs]# /sbin/service httpd start
>> Starting httpd: Warning: DocumentRoot [/vhosts/domain.tld/htdocs] does
>> not exist
>> httpd: Could not reliably determine the server's fully qualified domain
>> name, using ::1 for ServerName
>> [FAILED]
>>
>> now i know the directory exists, which confuses me. below are the error
>> logs:
>>
>> [root@server htdocs]# tail /var/log/httpd/error_log
>> (13)Permission denied: httpd: could not open error log file
>> /wb01/specialistdevelopment.com/www.specialistdevelopment.com/logs/error.log.
>>
>> Unable to open logs
>>
>> Can anyone help as i am really stuck.
>>
>> Thankyou in advance!
>>
>> Tony
>>
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>>
> # semanage fcontext -a -t httpd_sys_content_t '/vhosts(/.*)?'
> # restorecon -R -v /vhosts
>
> Should fix the problem
>
> You need to label every file/dir that httpd will access with a label it can
> read or search.
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
--
s.saiganesh
“The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong
One. 'Do it yourself'. Yes, that's it
5222
days inactive
5225
days old
selinux@lists.fedoraproject.org
4 comments
4 participants
participants (4)
-
Anthony Davis -
Daniel J Walsh -
Moray Henderson -
sai ganesh