Re: httpd avc denied problem

Thursday, 2 December 2004

Ok that solved that problem but showed up another one.
I have a folder under /var/log/httpd
called /mail
which I put logs messages that come from Squirrel mail
httpd fails with this informative message...
'Unable to open logs'
/var/log/messages
'httpd: httpd startup failed'

I look at the /var/log/httpd directory and I do see this folder I created is
labeled differently
[root@webmail ~]# ls -Z /var/log/httpd/
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    access_log
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    access_log.1
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    error_log
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    error_log.1
drwxr-xr-x  root     root    system_u:object_r:httpd_log_t        mail
-rw-r--r--  root     root     system_u:object_r:httpd_log_t
ssl_access_log
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    ssl_error_log
-rw-r--r--  root     root     system_u:object_r:httpd_log_t
ssl_error_log.1
-rw-r--r--  root     root     system_u:object_r:httpd_log_t
ssl_request_log

And here is what I have in my custom.fc
/var/www/.*/logs(/.*)?            system_u:object_r:httpd_log_t
/var/log/httpd/mail(/.*)?               system_u:object_r:httpd_log_t
/var/log/httpd/mail                     system_u:object_r:httpd_log_t

[root@webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r--  root     root     root:object_r:httpd_runtime_t    error_log

After running fixfile relabel
[root@webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r--  root     root     system_u:object_r:httpd_log_t    error_log

service httpd start
httpd fails with this informative message...
'Unable to open logs'
/var/log/messages
'httpd: httpd startup failed'

So I am write in thinking at this point the problem is no longer with
selinux?

Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens(a)ptera.net
509-927-Ptera

----- Original Message ----- 
From: "Daniel J Walsh" <dwalsh(a)redhat.com&gt;
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list(a)redhat.com&gt;
Sent: Thursday, December 02, 2004 10:46 AM
Subject: Re: httpd avc denied problem

...
 Arthur Stephens wrote:

 >I installed the policy sources on my fedora core 3. :)
 >Got to step one
 >Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
 >
 >There is no such file  :(
 >[root@webmail ~]# ls /etc/selinux/targeted/src/policy/file_contexts/
 >distros.fc  misc  program  types.fc
 >[root@webmail ~]#
 >
 >
 Ok create a file in the misc directory called custom.fc, file_context
 file is only created via the make file.

 echo "/var/www/.*/logs(/.*)?            system_u:object_r:httpd_log_t" >>
misc/customer.fc
...
 Then rebuild policy

 make load
 Now restorecon

 >Arthur Stephens
 >Sales Technician
 >Ptera Wireless Internet
 &gt;astephens(a)ptera.net
 >509-927-Ptera
 >
 >----- Original Message ----- 
 >From: "Karsten Wade" <kwade(a)redhat.com&gt;
 >To: "Fedora SELinux support list for users & developers."
 &gt;&lt;fedora-selinux-list(a)redhat.com&gt;
 >Sent: Tuesday, November 30, 2004 2:01 PM
 >Subject: Re: httpd avc denied problem
 >
 >
 >
 >
 >>On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
 >>
 >>
 >>
 >>>  chcon -R -t httpd_log_t /var/www/*/logs/*
 >>>  service httpd start
 >>>
 >>>
 >>BTW, if this works, you'll want to do something to make the change
 >>permanent.  Otherwise, the next running of restorecon will hose your
 >>configuration.
 >>
 >>Two options jump to mind:
 >>
 >>* Move the logs into a path that will receive httpd_log_t, i.e.,
 >>/var/logs/httpd/
 >>
 >>* Install the policy sources (yum install
 >>selinux-policy-targeted-sources), and do the following:
 >>
 >>1. Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
 >>
 >>2. Add this line:
 >>/var/www/.*/logs(/.*)?            system_u:object_r:httpd_log_t
 >>
 >>Feel free to correct my regexp, but I think it's right. :)
 >>
 >>3. In /etc/selinux/targeted/src/policy rebuild the policy with 'make
 >>load'.  This will build and load the new policy directly into memory.
 >>
 >>4. If you now do restorecon, the /var/www/*/logs directories should get
 >>the proper context.
 >>
 >>Be aware that if you make another change to SELinux, especially using
 >>system-config-securitylevel, the file /.autorelabel may get created.
 >>That triggers a relabeling on reboot, and may hose any manual
 >>customizations not fixed in policy.
 >>
 >>- Karsten
 >>-- 
 >>Karsten Wade, RHCE, Tech Writer
 >>a lemon is just a melon in disguise
 >>http://people.redhat.com/kwade/
 >>gpg fingerprint: 2680 DBFD D968 3141 0115  5F1B D992 0E06 AD0E 0C41
 >>
 >>--
 >>fedora-selinux-list mailing list
 &gt;&gt;fedora-selinux-list(a)redhat.com
 >>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
 >>
 >>
 >
 >--
 >fedora-selinux-list mailing list
 &gt;fedora-selinux-list(a)redhat.com
 >http://www.redhat.com/mailman/listinfo/fedora-selinux-list
 >
 >

 --
 fedora-selinux-list mailing list
 fedora-selinux-list(a)redhat.com
 http://www.redhat.com/mailman/listinfo/fedora-selinux-list 

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

Re: httpd avc denied problem