httpd avc denied problem

Karsten Wade kwade at redhat.com
Mon Nov 29 23:11:20 UTC 2004 

On Mon, 2004-11-29 at 12:54, Arthur Stephens wrote:
> >> I am new to SELinux and Fedora 3 - setting up a replacement server for
> the one that got hacked
> >> I transfered our websites over and discovered I had to have them all
> under /usr/www/
> 
> >>Who or what does tell you this should be this way? /usr/ is the wrong
> >>place.

This convention has been in place for a while, it's just more challengin
now to have Web files other than in /var/www/.

If you haven't seen this, it might help some more:

http://fedora.redhat.com/docs/selinux-apache-fc3/

Read on for some suggestions.  If you are still stuck, drop by
#fedora-selinux on irc.freenode.net.

> Ok I moved everything under /var/www..
> ran fixfiles
> changed everything under httpd.conf to point to /var/www/...
> I got the same error messages just different directories
> 
> Being desperate to get this working I copied the error_log from a directory
> that was working
> ran fixfiles

This should have worked if you ran 'fixfiles relabel'.  However,
'restorecon -R /var/www/' should achieve the same thing, but much more
quickly.  Still, that will just set the files to the file type set for
/var/www/, as defined in
/etc/selinux/targeted/src/policy/file_contexts/file_contexts:

/var/www(/.*)?                  system_u:object_r:httpd_sys_content_t

It looks as if the httpd policy needs the logs to be a different type:

allow  httpd_t  httpd_runtime_t : file  { create ioctl read getattr lock
write setattr append link unlink rename };
              ^^^^^^ <- that's what we want to see

e.g:

ls /var/log/httpd/ -Z
-rw-r--r--  root   root   root:object_r:httpd_runtime_t    access_log
-rw-r--r--  root   root   root:object_r:httpd_runtime_t    access_log.1
-rw-r--r--  root   root   root:object_r:httpd_runtime_t    access_log.2
-rw-r--r--  root   root   root:object_r:httpd_runtime_t    error_log
-rw-r--r--  root   root   root:object_r:httpd_runtime_t    error_log.1
-rw-r--r--  root   root   root:object_r:httpd_runtime_t    error_log.2
...

You can try:

  chcon -R -t httpd_runtime_t /var/www/*/logs

However, this labeling will likely get wiped out the next time
restorecon or fixfiles relabel is run.

If your intention is to make the logs viewable via public HTTP, you
might try moving them to /var/log/httpd/ and then symlinking the files
to /var/www/*/logs.  The symlinks should be created with
httpd_sys_content_t, which is easily readable (just not neccesarily
writable or appendable) by httpd.  Running restorecon on the moved logs
should make it Just Work (TM).

> and got avc:  denied  { append }
> (13)Permission denied: httpd: could not open error log file
> /var/www/spokanewines.com/logs/error_log.
> Unable to open logs
> 
> [root at webmail ~]# cd /var/www/spokanewines.com/logs/
> [root at webmail logs]# ls -alZ
> drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t .
> drwxrwxrwx  root     root     system_u:object_r:httpd_sys_content_t ..
> -rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t
> access_log
> -rw-r--r--  root     root     system_u:object_r:httpd_sys_content_t
> error_log
> 
> I tried to run
> system-config-securitylevel
> but there are no references to Boolean options for Apache HTTP
> just firewall options.

Which version of s-c-sl do you have?  AIUI, the SELinux tab is
automatically populated depending on what is in your policy.  I have
1.4.18-2, fwiw.

Regardless, you can set the Booleans on the command line:

  setsebool httpd_unified true

That is a troubleshooting Boolean you can try.  Still, your setup should
work, if it's just httpd trying to append to the httpd logs, and they
are labeled correctly and/or in the correct location.  Still, I'm 
certain that httpd_t can't append to a file that is set to
httpd_sys_content_t unless httpd_unified is enabled.  This makes me
think that your log files are still labeled incorrectly.

If all of this fails, you can turn off the SELinux protection for just
Apache by using:

  setsebool httpd_disable_trans true

That will disable the transition for httpd, so it will run in the
unconfined_t domain like the rest of the non-SELinux protected daemons. 
If you do that, please don't give up troubleshooting!  Your situation
should work, and if it doesn't, we all want to figure out why. :)

- Karsten
-- 
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115  5F1B D992 0E06 AD0E 0C41

More information about the selinux mailing list