Ok that solved that problem but showed up another one.
I have a folder under /var/log/httpd called /mail, in which I put log
messages that come from SquirrelMail.
httpd fails with this informative message...
'Unable to open logs'
/var/log/messages
'httpd: httpd startup failed'
I look at the /var/log/httpd directory and I do see this folder I created is
labeled differently
[root@webmail ~]# ls -Z /var/log/httpd/
-rw-r--r-- root root system_u:object_r:httpd_log_t access_log
-rw-r--r-- root root system_u:object_r:httpd_log_t access_log.1
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log.1
drwxr-xr-x root root system_u:object_r:httpd_log_t mail
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_access_log
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_error_log
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_error_log.1
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_request_log
And here is what I have in my custom.fc
/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
/var/log/httpd/mail(/.*)? system_u:object_r:httpd_log_t
/var/log/httpd/mail system_u:object_r:httpd_log_t
[root@webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r-- root root root:object_r:httpd_runtime_t error_log
After running fixfiles relabel
[root@webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
service httpd start
httpd fails with this informative message...
'Unable to open logs'
/var/log/messages
'httpd: httpd startup failed'
So am I right in thinking at this point the problem is no longer with
SELinux?
Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens(a)ptera.net
509-927-Ptera
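
Added example, not part of the original thread: one way to check the question above is to list AVC denials against httpd_t that were logged after the relabel. The log lines, the relabel time and the function names are constructed for illustration, and the script assumes AVC messages reach /var/log/messages through the kernel log.

```sh
#!/bin/sh
# Added example: list AVC denials against httpd_t at or after a given time.

# Constructed sample of /var/log/messages (not taken from the thread).
sample_log() {
cat <<'EOF'
Dec  2 10:58:12 webmail kernel: audit(1102013892.412:0): avc:  denied  { append } for  pid=2741 exe=/usr/sbin/httpd name=error_log dev=hda2 ino=98321 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_runtime_t tclass=file
Dec  2 11:20:03 webmail kernel: audit(1102015203.007:0): avc:  denied  { read } for  pid=2990 exe=/usr/sbin/ntpd name=drift dev=hda2 ino=4411 scontext=root:system_r:ntpd_t tcontext=system_u:object_r:etc_t tclass=file
Dec  2 11:31:40 webmail httpd: httpd startup failed
EOF
}

# Constructed time of the relabel, as seconds since the epoch.
RELABEL_EPOCH=1102014600

# Reads syslog lines on stdin; prints "permission tclass name target_type"
# for every httpd_t denial whose audit() timestamp is >= $1.
httpd_denials_since() {
    awk -v since="$1" '
    /avc:[ ]+denied/ {
        # audit(EPOCH.msec:serial) carries the event time
        if (!match($0, /audit[(][0-9]+/)) next
        ts = substr($0, RSTART + 6, RLENGTH - 6) + 0
        if (ts < since) next
        perm = ""; name = "-"; stype = ""; ttype = ""; tclass = ""
        # the denied permissions sit between the braces
        if (match($0, /[{][^}]*[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)     name = substr($i, 6)
            if ($i ~ /^tclass=/)   tclass = substr($i, 8)
            # contexts are user:role:type; the type is the third field
            if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); stype = s[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); ttype = t[3] }
        }
        if (stype == "httpd_t") print perm, tclass, name, ttype
    }'
}

echo "httpd_t denials in the whole log:"
sample_log | httpd_denials_since 0
echo "httpd_t denials since the relabel:"
sample_log | httpd_denials_since "$RELABEL_EPOCH"
```

An empty second list means nothing was logged as denied for httpd_t after the relabel. dontaudit rules in the policy can suppress denial messages, so an empty list is evidence rather than proof.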
----- Original Message -----
From: "Daniel J Walsh" <dwalsh(a)redhat.com>
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list(a)redhat.com>
Sent: Thursday, December 02, 2004 10:46 AM
Subject: Re: httpd avc denied problem
Arthur Stephens wrote:
>I installed the policy sources on my fedora core 3. :)
>Got to step one
>Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
>
>There is no such file :(
>[root@webmail ~]# ls /etc/selinux/targeted/src/policy/file_contexts/
>distros.fc misc program types.fc
>[root@webmail ~]#
>
>
Ok, create a file in the misc directory called custom.fc; the file_context
file is only created via the make file.
echo "/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t" >> misc/customer.fc
Then rebuild policy
make load
Now restorecon
>Arthur Stephens
>Sales Technician
>Ptera Wireless Internet
>astephens(a)ptera.net
>509-927-Ptera
>
>----- Original Message -----
>From: "Karsten Wade" <kwade(a)redhat.com>
>To: "Fedora SELinux support list for users & developers."
><fedora-selinux-list(a)redhat.com>
>Sent: Tuesday, November 30, 2004 2:01 PM
>Subject: Re: httpd avc denied problem
>
>>On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
>>
>>> chcon -R -t httpd_log_t /var/www/*/logs/*
>>> service httpd start
>>>
>>BTW, if this works, you'll want to do something to make the change
>>permanent. Otherwise, the next running of restorecon will hose your
>>configuration.
>>
>>Two options jump to mind:
>>
>>* Move the logs into a path that will receive httpd_log_t, i.e.,
>>/var/logs/httpd/
>>
>>* Install the policy sources (yum install
>>selinux-policy-targeted-sources), and do the following:
>>
>>1. Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
>>
>>2. Add this line:
>>/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
>>
>>Feel free to correct my regexp, but I think it's right. :)
>>
>>3. In /etc/selinux/targeted/src/policy rebuild the policy with 'make
>>load'. This will build and load the new policy directly into memory.
>>
>>4. If you now do restorecon, the /var/www/*/logs directories should get
>>the proper context.
>>
>>Be aware that if you make another change to SELinux, especially using
>>system-config-securitylevel, the file /.autorelabel may get created.
>>That triggers a relabeling on reboot, and may hose any manual
>>customizations not fixed in policy.
>>
>>- Karsten
>>--
>>Karsten Wade, RHCE, Tech Writer
>>a lemon is just a melon in disguise
>>http://people.redhat.com/kwade/
>>gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
>>
>>--
>>fedora-selinux-list mailing list
>>fedora-selinux-list(a)redhat.com
>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list