2:54 p.m.
> I am new to SELinux and Fedora 3 - setting up a replacement
server for
the one that got hacked
> I transfered our websites over and discovered I had to have them
all
under /usr/www/
>Who or what does tell you this should be this way? /usr/ is the
wrong
>place.
Ok I moved everything under /var/www..
ran fixfiles
changed everything under httpd.conf to point to /var/www/...
I got the same error messages just different directories
Being desperate to get this working I copied the error_log from a directory
that was working
ran fixfiles
and got avc: denied { append }
(13)Permission denied: httpd: could not open error log file
/var/www/spokanewines.com/logs/error_log.
Unable to open logs
[root@webmail ~]# cd /var/www/spokanewines.com/logs/
[root@webmail logs]# ls -alZ
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
access_log
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
error_log
I tried to run
system-config-securitylevel
but there are no references to Boolean options for Apache HTTP
just firewall options.
Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens(a)ptera.net
509-927-Ptera
----- Original Message -----
From: "Alexander Dalloz" <ad+lists(a)uni-x.org>
To: "For users of Fedora Core releases" <fedora-list(a)redhat.com>
Sent: Monday, November 29, 2004 11:25 AM
Subject: Re: httpd avc denied problem
--
fedora-list mailing list
fedora-list(a)redhat.com
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
5:11 p.m.
New subject: httpd avc denied problem
On Mon, 2004-11-29 at 12:54, Arthur Stephens wrote:
>> I am new to SELinux and Fedora 3 - setting up a replacement
server for
the one that got hacked
>> I transfered our websites over and discovered I had to have them all
under /usr/www/
>>Who or what does tell you this should be this way? /usr/ is the wrong
>>place.
This convention has been in place for a while, it's just more challengin
now to have Web files other than in /var/www/.
If you haven't seen this, it might help some more:
http://fedora.redhat.com/docs/selinux-apache-fc3/
Read on for some suggestions. If you are still stuck, drop by
#fedora-selinux on irc.freenode.net.
Ok I moved everything under /var/www..
ran fixfiles
changed everything under httpd.conf to point to /var/www/...
I got the same error messages just different directories
Being desperate to get this working I copied the error_log from a directory
that was working
ran fixfiles
This should have worked if you ran 'fixfiles relabel'. However,
'restorecon -R /var/www/' should achieve the same thing, but much more
quickly. Still, that will just set the files to the file type set for
/var/www/, as defined in
/etc/selinux/targeted/src/policy/file_contexts/file_contexts:
/var/www(/.*)? system_u:object_r:httpd_sys_content_t
It looks as if the httpd policy needs the logs to be a different type:
allow httpd_t httpd_runtime_t : file { create ioctl read getattr lock
write setattr append link unlink rename };
^^^^^^ <- that's what we want to see
e.g:
ls /var/log/httpd/ -Z
-rw-r--r-- root root root:object_r:httpd_runtime_t access_log
-rw-r--r-- root root root:object_r:httpd_runtime_t access_log.1
-rw-r--r-- root root root:object_r:httpd_runtime_t access_log.2
-rw-r--r-- root root root:object_r:httpd_runtime_t error_log
-rw-r--r-- root root root:object_r:httpd_runtime_t error_log.1
-rw-r--r-- root root root:object_r:httpd_runtime_t error_log.2
...
You can try:
chcon -R -t httpd_runtime_t /var/www/*/logs
However, this labeling will likely get wiped out the next time
restorecon or fixfiles relabel is run.
If your intention is to make the logs viewable via public HTTP, you
might try moving them to /var/log/httpd/ and then symlinking the files
to /var/www/*/logs. The symlinks should be created with
httpd_sys_content_t, which is easily readable (just not neccesarily
writable or appendable) by httpd. Running restorecon on the moved logs
should make it Just Work (TM).
and got avc: denied { append }
(13)Permission denied: httpd: could not open error log file
/var/www/spokanewines.com/logs/error_log.
Unable to open logs
[root@webmail ~]# cd /var/www/spokanewines.com/logs/
[root@webmail logs]# ls -alZ
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
access_log
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
error_log
I tried to run
system-config-securitylevel
but there are no references to Boolean options for Apache HTTP
just firewall options.
Which version of s-c-sl do you have? AIUI, the SELinux tab is
automatically populated depending on what is in your policy. I have
1.4.18-2, fwiw.
Regardless, you can set the Booleans on the command line:
setsebool httpd_unified true
That is a troubleshooting Boolean you can try. Still, your setup should
work, if it's just httpd trying to append to the httpd logs, and they
are labeled correctly and/or in the correct location. Still, I'm
certain that httpd_t can't append to a file that is set to
httpd_sys_content_t unless httpd_unified is enabled. This makes me
think that your log files are still labeled incorrectly.
If all of this fails, you can turn off the SELinux protection for just
Apache by using:
setsebool httpd_disable_trans true
That will disable the transition for httpd, so it will run in the
unconfined_t domain like the rest of the non-SELinux protected daemons.
If you do that, please don't give up troubleshooting! Your situation
should work, and if it doesn't, we all want to figure out why. :)
- Karsten
--
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
6:53 p.m.
New subject: httpd avc denied problem
If you haven't seen this, it might help some more:
I was here but nothing there explained what was going on.
/var/www/, as defined in
/etc/selinux/targeted/src/policy/file_contexts/file_contexts:
OK Mine is located someplace different
/etc/selinux/targeted/context/files/file_contexts
/var/www(/.*)? system_u:object_r:httpd_sys_content_t
It looks as if the httpd policy needs the logs to be a different type:
Mine says the same...
But there is a
/etc/httpd/logs system_u:object_r:httpd_log_t
But what puzzles me is why only this one log directory....all the others
like it work...
EXAMPLES
/var/www/arthurstephens.com/logs
[root@webmail arthurstephens.com]# ls -alZ logs/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
access_log
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
error_log
/var/www/cvafoundation.org/logs
[root@webmail cvafoundation.org]# ls -alZ logs/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
access_log
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
error_log
But this one fails...
/var/www/spokanewines.com/logs
[root@webmail spokanewines.com]# ls -alZ logs
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
access_log
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
error_log
If all of this fails, you can turn off the SELinux protection for
just
Apache by using:
setsebool httpd_disable_trans true
That will disable the transition for httpd, so it will run in the
unconfined_t domain like the rest of the non-SELinux protected daemons.
If you do that, please don't give up troubleshooting! Your situation
should work, and if it doesn't, we all want to figure out why. :)
This would be the quickie fix but the main reason I am rebuilding these
system is because they keep getting rootkit/hacked
I am under pressure from above to lock these things down.
Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens(a)ptera.net
509-927-Ptera
7:03 a.m.
New subject: httpd avc denied problem
On Mon, 2004-11-29 at 16:53, Arthur Stephens wrote:
> /var/www/, as defined in
> /etc/selinux/targeted/src/policy/file_contexts/file_contexts:
OK Mine is located someplace different
/etc/selinux/targeted/context/files/file_contexts
Yeah, it's the same file as the one in the policy sources
(targeted/src/policy), which comes from the
selinux-policy-targeted-sources directory. You shouldn't need that
unless you have to customize the policy, which doesn't sound necessary
yet.
> /var/www(/.*)?
system_u:object_r:httpd_sys_content_t
>
> It looks as if the httpd policy needs the logs to be a different type:
Mine says the same...
But there is a
/etc/httpd/logs system_u:object_r:httpd_log_t
And this:
/var/log/httpd(/.*)? system_u:object_r:httpd_log_t
I suppose either would work, since httpd_t can append to httpd_log_t and
httpd_runtime_t. httpd_log_t looks like the proper one to use.
But what puzzles me is why only this one log directory....all the
others
like it work...
This is with httpd_unified set to true? AIUI, it must be set to true,
if httpd_t can append to httpd_sys_content_t.
For 'ls -Z /var/www' are all the directories essentially the same
permissions? I'm not thinking the problem is regular UNIX permissions
because you got an AVC denial ... something is fishy.
Does it error if you change the type of the log files to httpd_log_t?
I.e.,
chcon -R -t httpd_log_t /var/www/spokanewines.com/logs/*
Can you send in the avc: denied errors that you are getting? I can't
imagine how this would be a policy bug, but it's worth looking into.
- Karsten
EXAMPLES
/var/www/arthurstephens.com/logs
[root@webmail arthurstephens.com]# ls -alZ logs/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
access_log
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
error_log
/var/www/cvafoundation.org/logs
[root@webmail cvafoundation.org]# ls -alZ logs/
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
access_log
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
error_log
But this one fails...
/var/www/spokanewines.com/logs
[root@webmail spokanewines.com]# ls -alZ logs
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
access_log
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
error_log
--
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
1:02 p.m.
New subject: httpd avc denied problem
----- Original Message -----
From: "Karsten Wade" <kwade(a)redhat.com>
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list(a)redhat.com>
Sent: Tuesday, November 30, 2004 5:03 AM
Subject: Re: httpd avc denied problem
On Mon, 2004-11-29 at 16:53, Arthur Stephens wrote:
> > /var/www/, as defined in
> > /etc/selinux/targeted/src/policy/file_contexts/file_contexts:
>
> OK Mine is located someplace different
> /etc/selinux/targeted/context/files/file_contexts
Yeah, it's the same file as the one in the policy sources
(targeted/src/policy), which comes from the
selinux-policy-targeted-sources directory. You shouldn't need that
unless you have to customize the policy, which doesn't sound necessary
yet.
> > /var/www(/.*)? system_u:object_r:httpd_sys_content_t
> >
> > It looks as if the httpd policy needs the logs to be a different type:
>
> Mine says the same...
> But there is a
> /etc/httpd/logs system_u:object_r:httpd_log_t
And this:
/var/log/httpd(/.*)? system_u:object_r:httpd_log_t
I suppose either would work, since httpd_t can append to httpd_log_t and
httpd_runtime_t. httpd_log_t looks like the proper one to use.
> But what puzzles me is why only this one log directory....all the others
> like it work...
This is with httpd_unified set to true?
Yes actually mine says "active"
AIUI, it must be set to true,
if httpd_t can append to httpd_sys_content_t.
For 'ls -Z /var/www' are all the directories essentially the same
permissions? I'm not thinking the problem is regular UNIX permissions
because you got an AVC denial ... something is fishy.
ls -Z /var/www
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t aha
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
arthurstephens.com
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
birdshield.com
drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t
cgi-bin
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t charlieh
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
cvafoundation.org
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t davidh
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
digitalcreations
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t jjakober
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t kodiaks
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
lindarosephoto.com
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
lwccspokane.org
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t manual
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t pteraweb
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ptootie
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t punisher
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
spokanewines.com
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t stevefm
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t suetkr
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
tangleheart.com
drwxr-xr-x webalize root system_u:object_r:httpd_sys_content_t usage
drwxrwxrwx apache apache system_u:object_r:httpd_sys_content_t
wag1designs
Does it error if you change the type of the log files to httpd_log_t?
I.e.,
chcon -R -t httpd_log_t /var/www/spokanewines.com/logs/*
Issued the above command and then service httpd start
Nov 30 13:31:29 webmail kernel: audit(1101850289.759:0): avc: denied {
append } for pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0
ino=552157 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Nov 30 13:31:29 webmail httpd: httpd startup failed
ls -Z /var/www/spokanewines.com/logs
-rw-r--r-- root root system_u:object_r:httpd_log_t access_log
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
Can you send in the avc: denied errors that you are getting? I
can't
imagine how this would be a policy bug, but it's worth looking into.
- Karsten
> EXAMPLES
> /var/www/arthurstephens.com/logs
> [root@webmail arthurstephens.com]# ls -alZ logs/
> drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
> drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
> -rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> access_log
> -rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> error_log
>
> /var/www/cvafoundation.org/logs
> [root@webmail cvafoundation.org]# ls -alZ logs/
> drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
> drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
> -rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> access_log
> -rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> error_log
>
> But this one fails...
> /var/www/spokanewines.com/logs
> [root@webmail spokanewines.com]# ls -alZ logs
> drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
> drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
> -rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> access_log
> -rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> error_log
--
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
1:25 p.m.
New subject: httpd avc denied problem
Arthur Stephens wrote:
----- Original Message -----
From: "Karsten Wade" <kwade(a)redhat.com>
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list(a)redhat.com>
Sent: Tuesday, November 30, 2004 5:03 AM
Subject: Re: httpd avc denied problem
>On Mon, 2004-11-29 at 16:53, Arthur Stephens wrote:
>
>
>>>/var/www/, as defined in
>>>/etc/selinux/targeted/src/policy/file_contexts/file_contexts:
>>>
>>>
>>OK Mine is located someplace different
>> /etc/selinux/targeted/context/files/file_contexts
>>
>>
>Yeah, it's the same file as the one in the policy sources
>(targeted/src/policy), which comes from the
>selinux-policy-targeted-sources directory. You shouldn't need that
>unless you have to customize the policy, which doesn't sound necessary
>yet.
>
>
>
>>>/var/www(/.*)? system_u:object_r:httpd_sys_content_t
>>>
>>>It looks as if the httpd policy needs the logs to be a different type:
>>>
>>>
>>Mine says the same...
>>But there is a
>>/etc/httpd/logs system_u:object_r:httpd_log_t
>>
>>
>And this:
>
>/var/log/httpd(/.*)? system_u:object_r:httpd_log_t
>
>I suppose either would work, since httpd_t can append to httpd_log_t and
>httpd_runtime_t. httpd_log_t looks like the proper one to use.
>
>
>
>>But what puzzles me is why only this one log directory....all the others
>>like it work...
>>
>>
>This is with httpd_unified set to true?
>
>
Yes actually mine says "active"
AIUI, it must be set to true,
>if httpd_t can append to httpd_sys_content_t.
>
>For 'ls -Z /var/www' are all the directories essentially the same
>permissions? I'm not thinking the problem is regular UNIX permissions
>because you got an AVC denial ... something is fishy.
>
>
ls -Z /var/www
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t aha
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
arthurstephens.com
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
birdshield.com
drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t
cgi-bin
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t charlieh
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
cvafoundation.org
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t davidh
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
digitalcreations
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t jjakober
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t kodiaks
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
lindarosephoto.com
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
lwccspokane.org
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t manual
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t pteraweb
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ptootie
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t punisher
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
spokanewines.com
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t stevefm
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t suetkr
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
tangleheart.com
drwxr-xr-x webalize root system_u:object_r:httpd_sys_content_t usage
drwxrwxrwx apache apache system_u:object_r:httpd_sys_content_t
wag1designs
>Does it error if you change the type of the log files to httpd_log_t?
>I.e.,
>
> chcon -R -t httpd_log_t /var/www/spokanewines.com/logs/*
>
>
Issued the above command and then service httpd start
Nov 30 13:31:29 webmail kernel: audit(1101850289.759:0): avc: denied {
append } for pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0
ino=552157 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=file
Nov 30 13:31:29 webmail httpd: httpd startup failed
ls -Z /var/www/spokanewines.com/logs
-rw-r--r-- root root system_u:object_r:httpd_log_t access_log
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
Are you sure this error_log is the one represented by ino=552157???
>Can you send in the avc: denied errors that you are getting? I can't
>imagine how this would be a policy bug, but it's worth looking into.
>
>- Karsten
>
>
>>EXAMPLES
>>/var/www/arthurstephens.com/logs
>>[root@webmail arthurstephens.com]# ls -alZ logs/
>>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
>>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
>>access_log
>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
>>error_log
>>
>>/var/www/cvafoundation.org/logs
>>[root@webmail cvafoundation.org]# ls -alZ logs/
>>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
>>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
>>access_log
>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
>>error_log
>>
>>But this one fails...
>>/var/www/spokanewines.com/logs
>>[root@webmail spokanewines.com]# ls -alZ logs
>>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
>>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
>>access_log
>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
>>error_log
>>
>>
>--
>Karsten Wade, RHCE, Tech Writer
>a lemon is just a melon in disguise
>http://people.redhat.com/kwade/
>gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list(a)redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
1:41 p.m.
New subject: httpd avc denied problem
opps.. I forgot to check /var/log/httpd/error_log
Before
(13)Permission denied: httpd: could not open error log file
/var/www/spokanewines.com/logs/error_log.
Unable to open logs
After
(13)Permission denied: httpd: could not open error log file
/var/www/tangleheart.com/logs/error_log.
Unable to open logs
Looks like it just switched to another directory....hmmmm
----- Original Message -----
From: "Daniel J Walsh" <dwalsh(a)redhat.com>
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list(a)redhat.com>
Sent: Tuesday, November 30, 2004 11:25 AM
Subject: Re: httpd avc denied problem
Arthur Stephens wrote:
>----- Original Message -----
>From: "Karsten Wade" <kwade(a)redhat.com>
>To: "Fedora SELinux support list for users & developers."
><fedora-selinux-list(a)redhat.com>
>Sent: Tuesday, November 30, 2004 5:03 AM
>Subject: Re: httpd avc denied problem
>
>
>
>
>>On Mon, 2004-11-29 at 16:53, Arthur Stephens wrote:
>>
>>
>>>>/var/www/, as defined in
>>>>/etc/selinux/targeted/src/policy/file_contexts/file_contexts:
>>>>
>>>>
>>>OK Mine is located someplace different
>>> /etc/selinux/targeted/context/files/file_contexts
>>>
>>>
>>Yeah, it's the same file as the one in the policy sources
>>(targeted/src/policy), which comes from the
>>selinux-policy-targeted-sources directory. You shouldn't need that
>>unless you have to customize the policy, which doesn't sound necessary
>>yet.
>>
>>
>>
>>>>/var/www(/.*)? system_u:object_r:httpd_sys_content_t
>>>>
>>>>It looks as if the httpd policy needs the logs to be a different type:
>>>>
>>>>
>>>Mine says the same...
>>>But there is a
>>>/etc/httpd/logs system_u:object_r:httpd_log_t
>>>
>>>
>>And this:
>>
>>/var/log/httpd(/.*)? system_u:object_r:httpd_log_t
>>
>>I suppose either would work, since httpd_t can append to httpd_log_t and
>>httpd_runtime_t. httpd_log_t looks like the proper one to use.
>>
>>
>>
>>>But what puzzles me is why only this one log directory....all the
others
>>>like it work...
>>>
>>>
>>This is with httpd_unified set to true?
>>
>>
>
>Yes actually mine says "active"
>
>AIUI, it must be set to true,
>
>
>>if httpd_t can append to httpd_sys_content_t.
>>
>>For 'ls -Z /var/www' are all the directories essentially the same
>>permissions? I'm not thinking the problem is regular UNIX permissions
>>because you got an AVC denial ... something is fishy.
>>
>>
>
>ls -Z /var/www
>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t aha
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
>arthurstephens.com
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
>birdshield.com
>drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t
>cgi-bin
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
charlieh
>drwxrwxrwx root root
system_u:object_r:httpd_sys_content_t
>cvafoundation.org
>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
davidh
>drwxrwxrwx root root
system_u:object_r:httpd_sys_content_t
>digitalcreations
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons
>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
jjakober
>drwxrwxrwx root root
system_u:object_r:httpd_sys_content_t
kodiaks
>drwxr-xr-x root root
system_u:object_r:httpd_sys_content_t
>lindarosephoto.com
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
>lwccspokane.org
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
manual
>drwxr-xr-x root root
system_u:object_r:httpd_sys_content_t
pteraweb
>drwxr-xr-x root root
system_u:object_r:httpd_sys_content_t
ptootie
>drwxrwxrwx root root
system_u:object_r:httpd_sys_content_t
punisher
>drwxrwxrwx root root
system_u:object_r:httpd_sys_content_t
> >spokanewines.com
>drwxrwxrwx root root
system_u:object_r:httpd_sys_content_t
stevefm
>drwxrwxrwx root root
system_u:object_r:httpd_sys_content_t
suetkr
>drwxr-xr-x root root
system_u:object_r:httpd_sys_content_t
> >tangleheart.com
> >drwxr-xr-x webalize root system_u:object_r:httpd_sys_content_t usage
> >drwxrwxrwx apache apache system_u:object_r:httpd_sys_content_t
> >wag1designs
> >
> >
> >
> >>Does it error if you change the type of the log files to httpd_log_t?
> >>I.e.,
> >>
> >> chcon -R -t httpd_log_t /var/www/spokanewines.com/logs/*
> >>
> >>
> >
> >Issued the above command and then service httpd start
> >
> >Nov 30 13:31:29 webmail kernel: audit(1101850289.759:0): avc: denied {
> >append } for pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0
> >ino=552157 scontext=root:system_r:httpd_t
> >tcontext=system_u:object_r:httpd_sys_content_t tclass=file
> >Nov 30 13:31:29 webmail httpd: httpd startup failed
> >
> >ls -Z /var/www/spokanewines.com/logs
> >-rw-r--r-- root root system_u:object_r:httpd_log_t access_log
> >-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
> >
> >
>
> Are you sure this error_log is the one represented by ino=552157???
>
> >
> >
> >>Can you send in the avc: denied errors that you are getting? I can't
> >>imagine how this would be a policy bug, but it's worth looking into.
> >>
> >>- Karsten
> >>
> >>
> >>>EXAMPLES
> >>>/var/www/arthurstephens.com/logs
> >>>[root@webmail arthurstephens.com]# ls -alZ logs/
> >>>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
> >>>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> >>>access_log
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> >>>error_log
> >>>
> >>>/var/www/cvafoundation.org/logs
> >>>[root@webmail cvafoundation.org]# ls -alZ logs/
> >>>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
> >>>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> >>>access_log
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> >>>error_log
> >>>
> >>>But this one fails...
> >>>/var/www/spokanewines.com/logs
> >>>[root@webmail spokanewines.com]# ls -alZ logs
> >>>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
> >>>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> >>>access_log
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> >>>error_log
> >>>
> >>>
> >>--
> >>Karsten Wade, RHCE, Tech Writer
> >>a lemon is just a melon in disguise
> >>http://people.redhat.com/kwade/
> >>gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
> >>
> >>--
> >>fedora-selinux-list mailing list
> >>fedora-selinux-list(a)redhat.com
> >>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >>
> >>
> >
> >--
> >fedora-selinux-list mailing list
> >fedora-selinux-list(a)redhat.com
> >http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >
> >
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
3:12 p.m.
New subject: httpd avc denied problem
On Tue, 2004-11-30 at 11:41, Arthur Stephens wrote:
opps.. I forgot to check /var/log/httpd/error_log
Before
(13)Permission denied: httpd: could not open error log file
/var/www/spokanewines.com/logs/error_log.
Unable to open logs
After
(13)Permission denied: httpd: could not open error log file
/var/www/tangleheart.com/logs/error_log.
I think I know what is going on
When httpd is starting, it tries to write to the logs, fails on the
first one, issues an error, and quits. Since you fixed the labeling, it
actually passed spokanewines.com/logs/error_log and went to the next
one, where it errors again.
I'd reckon that it's going through your domains in the order they appear
in httpd.conf.
Try this:
chcon -R -t httpd_log_t /var/www/*/logs/*
service httpd start
- Karsten
Unable to open logs
Looks like it just switched to another directory....hmmmm
----- Original Message -----
From: "Daniel J Walsh" <dwalsh(a)redhat.com>
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list(a)redhat.com>
Sent: Tuesday, November 30, 2004 11:25 AM
Subject: Re: httpd avc denied problem
> Arthur Stephens wrote:
>
> >----- Original Message -----
> >From: "Karsten Wade" <kwade(a)redhat.com>
> >To: "Fedora SELinux support list for users & developers."
> ><fedora-selinux-list(a)redhat.com>
> >Sent: Tuesday, November 30, 2004 5:03 AM
> >Subject: Re: httpd avc denied problem
> >
> >
> >
> >
> >>On Mon, 2004-11-29 at 16:53, Arthur Stephens wrote:
> >>
> >>
> >>>>/var/www/, as defined in
> >>>>/etc/selinux/targeted/src/policy/file_contexts/file_contexts:
> >>>>
> >>>>
> >>>OK Mine is located someplace different
> >>> /etc/selinux/targeted/context/files/file_contexts
> >>>
> >>>
> >>Yeah, it's the same file as the one in the policy sources
> >>(targeted/src/policy), which comes from the
> >>selinux-policy-targeted-sources directory. You shouldn't need that
> >>unless you have to customize the policy, which doesn't sound necessary
> >>yet.
> >>
> >>
> >>
> >>>>/var/www(/.*)?
system_u:object_r:httpd_sys_content_t
> >>>>
> >>>>It looks as if the httpd policy needs the logs to be a different
type:
> >>>>
> >>>>
> >>>Mine says the same...
> >>>But there is a
> >>>/etc/httpd/logs system_u:object_r:httpd_log_t
> >>>
> >>>
> >>And this:
> >>
> >>/var/log/httpd(/.*)? system_u:object_r:httpd_log_t
> >>
> >>I suppose either would work, since httpd_t can append to httpd_log_t and
> >>httpd_runtime_t. httpd_log_t looks like the proper one to use.
> >>
> >>
> >>
> >>>But what puzzles me is why only this one log directory....all the
others
> >>>like it work...
> >>>
> >>>
> >>This is with httpd_unified set to true?
> >>
> >>
> >
> >Yes actually mine says "active"
> >
> >AIUI, it must be set to true,
> >
> >
> >>if httpd_t can append to httpd_sys_content_t.
> >>
> >>For 'ls -Z /var/www' are all the directories essentially the same
> >>permissions? I'm not thinking the problem is regular UNIX permissions
> >>because you got an AVC denial ... something is fishy.
> >>
> >>
> >
> >ls -Z /var/www
> >drwxrwxrwx root root system_u:object_r:httpd_sys_content_t aha
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
> >arthurstephens.com
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
> >birdshield.com
> >drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t
> >cgi-bin
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
charlieh
> >drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
> >cvafoundation.org
> >drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
davidh
> >drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
> >digitalcreations
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons
> >drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
jjakober
> >drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
kodiaks
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
> >lindarosephoto.com
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
> >lwccspokane.org
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
manual
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
pteraweb
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
ptootie
> >drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
punisher
> >drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
> >spokanewines.com
> >drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
stevefm
> >drwxrwxrwx root root system_u:object_r:httpd_sys_content_t
suetkr
> >drwxr-xr-x root root system_u:object_r:httpd_sys_content_t
> >tangleheart.com
> >drwxr-xr-x webalize root system_u:object_r:httpd_sys_content_t usage
> >drwxrwxrwx apache apache system_u:object_r:httpd_sys_content_t
> >wag1designs
> >
> >
> >
> >>Does it error if you change the type of the log files to httpd_log_t?
> >>I.e.,
> >>
> >> chcon -R -t httpd_log_t /var/www/spokanewines.com/logs/*
> >>
> >>
> >
> >Issued the above command and then service httpd start
> >
> >Nov 30 13:31:29 webmail kernel: audit(1101850289.759:0): avc: denied {
> >append } for pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0
> >ino=552157 scontext=root:system_r:httpd_t
> >tcontext=system_u:object_r:httpd_sys_content_t tclass=file
> >Nov 30 13:31:29 webmail httpd: httpd startup failed
> >
> >ls -Z /var/www/spokanewines.com/logs
> >-rw-r--r-- root root system_u:object_r:httpd_log_t access_log
> >-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
> >
> >
>
> Are you sure this error_log is the one represented by ino=552157???
>
> >
> >
> >>Can you send in the avc: denied errors that you are getting? I can't
> >>imagine how this would be a policy bug, but it's worth looking into.
> >>
> >>- Karsten
> >>
> >>
> >>>EXAMPLES
> >>>/var/www/arthurstephens.com/logs
> >>>[root@webmail arthurstephens.com]# ls -alZ logs/
> >>>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
> >>>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> >>>access_log
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> >>>error_log
> >>>
> >>>/var/www/cvafoundation.org/logs
> >>>[root@webmail cvafoundation.org]# ls -alZ logs/
> >>>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
> >>>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> >>>access_log
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> >>>error_log
> >>>
> >>>But this one fails...
> >>>/var/www/spokanewines.com/logs
> >>>[root@webmail spokanewines.com]# ls -alZ logs
> >>>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
> >>>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> >>>access_log
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> >>>error_log
> >>>
> >>>
> >>--
> >>Karsten Wade, RHCE, Tech Writer
> >>a lemon is just a melon in disguise
> >>http://people.redhat.com/kwade/
> >>gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
> >>
> >>--
> >>fedora-selinux-list mailing list
> >>fedora-selinux-list(a)redhat.com
> >>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >>
> >>
> >
> >--
> >fedora-selinux-list mailing list
> >fedora-selinux-list(a)redhat.com
> >http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> >
> >
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
4:01 p.m.
New subject: httpd avc denied problem
On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
chcon -R -t httpd_log_t /var/www/*/logs/*
service httpd start
BTW, if this works, you'll want to do something to make the change
permanent. Otherwise, the next running of restorecon will hose your
configuration.
Two options jump to mind:
* Move the logs into a path that will receive httpd_log_t, i.e.,
/var/logs/httpd/
* Install the policy sources (yum install
selinux-policy-targeted-sources), and do the following:
1. Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
2. Add this line:
/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
Feel free to correct my regexp, but I think it's right. :)
3. In /etc/selinux/targeted/src/policy rebuild the policy with 'make
load'. This will build and load the new policy directly into memory.
4. If you now do restorecon, the /var/www/*/logs directories should get
the proper context.
Be aware that if you make another change to SELinux, especially using
system-config-securitylevel, the file /.autorelabel may get created.
That triggers a relabeling on reboot, and may hose any manual
customizations not fixed in policy.
- Karsten
--
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
4:05 p.m.
New subject: httpd avc denied problem
Karsten Wade wrote:
On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
> chcon -R -t httpd_log_t /var/www/*/logs/*
> service httpd start
>
>
BTW, if this works, you'll want to do something to make the change
permanent. Otherwise, the next running of restorecon will hose your
configuration.
Two options jump to mind:
* Move the logs into a path that will receive httpd_log_t, i.e.,
/var/logs/httpd/
* Install the policy sources (yum install
selinux-policy-targeted-sources), and do the following:
1. Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
2. Add this line:
/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
Feel free to correct my regexp, but I think it's right. :)
3. In /etc/selinux/targeted/src/policy rebuild the policy with 'make
load'. This will build and load the new policy directly into memory.
4. If you now do restorecon, the /var/www/*/logs directories should get
the proper context.
Be aware that if you make another change to SELinux, especially using
system-config-securitylevel, the file /.autorelabel may get created.
That triggers a relabeling on reboot, and may hose any manual
customizations not fixed in policy.
- Karsten
/.autorelabel will only get created when switching from one type of
policy to another (strict <--> targeted)
Looking back on this chain, it seems that if he had httpd_unified set it
should have been able to write to the log files anyways,
This might be a bug in policy?
1:25 p.m.
New subject: httpd avc denied problem
* Install the policy sources (yum install
selinux-policy-targeted-sources), and do the following:
It said I needed to have public GPG keys installed ????
Sorry, ignorance here. How do I download GPG keys for this?
Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens(a)ptera.net
509-927-Ptera
1:45 p.m.
New subject: httpd avc denied problem
Am Mi, den 01.12.2004 schrieb Arthur Stephens um 20:25:
> * Install the policy sources (yum install
> selinux-policy-targeted-sources), and do the following:
>
It said I needed to have public GPG keys installed ????
Sorry, ignorance here. How do I download GPG keys for this?
http://www.fedoranews.org/tchung/yum-gpg
Arthur Stephens
Alexander
P.S. Not an SELinux topic, but while doing security settings, please
still keep care for filesystem permissions!
[root@webmail ~]# cd /var/www/spokanewines.com/logs/
[root@webmail logs]# ls -alZ
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
The chmod 777 for the "[root@webmail ~]# cd /var/www/spokanewines.com"
directory is bad.
--
Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp
Serendipity 20:42:38 up 11 days, 15:30, load average: 0.19, 0.47, 0.38
12:27 p.m.
New subject: httpd avc denied problem
I installed the policy sources on my fedora core 3. :)
Got to step one
Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
There is no such file :(
[root@webmail ~]# ls /etc/selinux/targeted/src/policy/file_contexts/
distros.fc misc program types.fc
[root@webmail ~]#
Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens(a)ptera.net
509-927-Ptera
----- Original Message -----
From: "Karsten Wade" <kwade(a)redhat.com>
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list(a)redhat.com>
Sent: Tuesday, November 30, 2004 2:01 PM
Subject: Re: httpd avc denied problem
On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
> chcon -R -t httpd_log_t /var/www/*/logs/*
> service httpd start
BTW, if this works, you'll want to do something to make the change
permanent. Otherwise, the next running of restorecon will hose your
configuration.
Two options jump to mind:
* Move the logs into a path that will receive httpd_log_t, i.e.,
/var/logs/httpd/
* Install the policy sources (yum install
selinux-policy-targeted-sources), and do the following:
1. Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
2. Add this line:
/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
Feel free to correct my regexp, but I think it's right. :)
3. In /etc/selinux/targeted/src/policy rebuild the policy with 'make
load'. This will build and load the new policy directly into memory.
4. If you now do restorecon, the /var/www/*/logs directories should get
the proper context.
Be aware that if you make another change to SELinux, especially using
system-config-securitylevel, the file /.autorelabel may get created.
That triggers a relabeling on reboot, and may hose any manual
customizations not fixed in policy.
- Karsten
--
Karsten Wade, RHCE, Tech Writer
a lemon is just a melon in disguise
http://people.redhat.com/kwade/
gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
12:46 p.m.
New subject: httpd avc denied problem
Arthur Stephens wrote:
I installed the policy sources on my fedora core 3. :)
Got to step one
Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
There is no such file :(
[root@webmail ~]# ls /etc/selinux/targeted/src/policy/file_contexts/
distros.fc misc program types.fc
[root@webmail ~]#
Ok create a file in the misc directory called custom.fc, file_context
file is only created via the make file.
echo "/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t" >>
misc/customer.fc
Then rebuild policy
make load
Now restorecon
Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens(a)ptera.net
509-927-Ptera
----- Original Message -----
From: "Karsten Wade" <kwade(a)redhat.com>
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list(a)redhat.com>
Sent: Tuesday, November 30, 2004 2:01 PM
Subject: Re: httpd avc denied problem
>On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
>
>
>
>> chcon -R -t httpd_log_t /var/www/*/logs/*
>> service httpd start
>>
>>
>BTW, if this works, you'll want to do something to make the change
>permanent. Otherwise, the next running of restorecon will hose your
>configuration.
>
>Two options jump to mind:
>
>* Move the logs into a path that will receive httpd_log_t, i.e.,
>/var/logs/httpd/
>
>* Install the policy sources (yum install
>selinux-policy-targeted-sources), and do the following:
>
>1. Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
>
>2. Add this line:
>/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
>
>Feel free to correct my regexp, but I think it's right. :)
>
>3. In /etc/selinux/targeted/src/policy rebuild the policy with 'make
>load'. This will build and load the new policy directly into memory.
>
>4. If you now do restorecon, the /var/www/*/logs directories should get
>the proper context.
>
>Be aware that if you make another change to SELinux, especially using
>system-config-securitylevel, the file /.autorelabel may get created.
>That triggers a relabeling on reboot, and may hose any manual
>customizations not fixed in policy.
>
>- Karsten
>--
>Karsten Wade, RHCE, Tech Writer
>a lemon is just a melon in disguise
>http://people.redhat.com/kwade/
>gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list(a)redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
2:04 p.m.
New subject: httpd avc denied problem
Ok that solved that problem but showed up another one.
I have a folder under /var/log/httpd
called /mail
which I put logs messages that come from Squirrel mail
httpd fails with this informative message...
'Unable to open logs'
/var/log/messages
'httpd: httpd startup failed'
I look at the /var/log/httpd directory and I do see this folder I created is
labeled differently
[root@webmail ~]# ls -Z /var/log/httpd/
-rw-r--r-- root root system_u:object_r:httpd_log_t access_log
-rw-r--r-- root root system_u:object_r:httpd_log_t access_log.1
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log.1
drwxr-xr-x root root system_u:object_r:httpd_log_t mail
-rw-r--r-- root root system_u:object_r:httpd_log_t
ssl_access_log
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_error_log
-rw-r--r-- root root system_u:object_r:httpd_log_t
ssl_error_log.1
-rw-r--r-- root root system_u:object_r:httpd_log_t
ssl_request_log
And here is what I have in my custom.fc
/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
/var/log/httpd/mail(/.*)? system_u:object_r:httpd_log_t
/var/log/httpd/mail system_u:object_r:httpd_log_t
[root@webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r-- root root root:object_r:httpd_runtime_t error_log
After running fixfile relabel
[root@webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
service httpd start
httpd fails with this informative message...
'Unable to open logs'
/var/log/messages
'httpd: httpd startup failed'
So I am write in thinking at this point the problem is no longer with
selinux?
Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens(a)ptera.net
509-927-Ptera
----- Original Message -----
From: "Daniel J Walsh" <dwalsh(a)redhat.com>
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list(a)redhat.com>
Sent: Thursday, December 02, 2004 10:46 AM
Subject: Re: httpd avc denied problem
Arthur Stephens wrote:
>I installed the policy sources on my fedora core 3. :)
>Got to step one
>Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
>
>There is no such file :(
>[root@webmail ~]# ls /etc/selinux/targeted/src/policy/file_contexts/
>distros.fc misc program types.fc
>[root@webmail ~]#
>
>
Ok create a file in the misc directory called custom.fc, file_context
file is only created via the make file.
echo "/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t" >>
misc/customer.fc
Then rebuild policy
make load
Now restorecon
>Arthur Stephens
>Sales Technician
>Ptera Wireless Internet
>astephens(a)ptera.net
>509-927-Ptera
>
>----- Original Message -----
>From: "Karsten Wade" <kwade(a)redhat.com>
>To: "Fedora SELinux support list for users & developers."
><fedora-selinux-list(a)redhat.com>
>Sent: Tuesday, November 30, 2004 2:01 PM
>Subject: Re: httpd avc denied problem
>
>
>
>
>>On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
>>
>>
>>
>>> chcon -R -t httpd_log_t /var/www/*/logs/*
>>> service httpd start
>>>
>>>
>>BTW, if this works, you'll want to do something to make the change
>>permanent. Otherwise, the next running of restorecon will hose your
>>configuration.
>>
>>Two options jump to mind:
>>
>>* Move the logs into a path that will receive httpd_log_t, i.e.,
>>/var/logs/httpd/
>>
>>* Install the policy sources (yum install
>>selinux-policy-targeted-sources), and do the following:
>>
>>1. Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
>>
>>2. Add this line:
>>/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
>>
>>Feel free to correct my regexp, but I think it's right. :)
>>
>>3. In /etc/selinux/targeted/src/policy rebuild the policy with 'make
>>load'. This will build and load the new policy directly into memory.
>>
>>4. If you now do restorecon, the /var/www/*/logs directories should get
>>the proper context.
>>
>>Be aware that if you make another change to SELinux, especially using
>>system-config-securitylevel, the file /.autorelabel may get created.
>>That triggers a relabeling on reboot, and may hose any manual
>>customizations not fixed in policy.
>>
>>- Karsten
>>--
>>Karsten Wade, RHCE, Tech Writer
>>a lemon is just a melon in disguise
>>http://people.redhat.com/kwade/
>>gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
>>
>>--
>>fedora-selinux-list mailing list
>>fedora-selinux-list(a)redhat.com
>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>>
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list(a)redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
2:03 p.m.
New subject: httpd avc denied problem
Arthur Stephens wrote:
Ok that solved that problem but showed up another one.
I have a folder under /var/log/httpd
called /mail
which I put logs messages that come from Squirrel mail
httpd fails with this informative message...
'Unable to open logs'
/var/log/messages
'httpd: httpd startup failed'
I look at the /var/log/httpd directory and I do see this folder I created is
labeled differently
[root@webmail ~]# ls -Z /var/log/httpd/
-rw-r--r-- root root system_u:object_r:httpd_log_t access_log
-rw-r--r-- root root system_u:object_r:httpd_log_t access_log.1
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log.1
drwxr-xr-x root root system_u:object_r:httpd_log_t mail
-rw-r--r-- root root system_u:object_r:httpd_log_t
ssl_access_log
-rw-r--r-- root root system_u:object_r:httpd_log_t ssl_error_log
-rw-r--r-- root root system_u:object_r:httpd_log_t
ssl_error_log.1
-rw-r--r-- root root system_u:object_r:httpd_log_t
ssl_request_log
And here is what I have in my custom.fc
/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
/var/log/httpd/mail(/.*)? system_u:object_r:httpd_log_t
/var/log/httpd/mail system_u:object_r:httpd_log_t
[root@webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r-- root root root:object_r:httpd_runtime_t error_log
After running fixfile relabel
[root@webmail ~]# ls -Z /var/log/httpd/mail/
-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
service httpd start
httpd fails with this informative message...
'Unable to open logs'
/var/log/messages
'httpd: httpd startup failed'
So I am write in thinking at this point the problem is no longer with
selinux?
I have no idea,
type
setenforce 0
service httpd start
If this works, then the problem is SELinux, if not then it probably is
not SELinux.
setenforce 0 turns off selinux protection. setenforce 1 turns it back on.
Arthur Stephens
Sales Technician
Ptera Wireless Internet
astephens(a)ptera.net
509-927-Ptera
----- Original Message -----
From: "Daniel J Walsh" <dwalsh(a)redhat.com>
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list(a)redhat.com>
Sent: Thursday, December 02, 2004 10:46 AM
Subject: Re: httpd avc denied problem
>Arthur Stephens wrote:
>
>
>
>>I installed the policy sources on my fedora core 3. :)
>>Got to step one
>>Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
>>
>>There is no such file :(
>>[root@webmail ~]# ls /etc/selinux/targeted/src/policy/file_contexts/
>>distros.fc misc program types.fc
>>[root@webmail ~]#
>>
>>
>>
>>
>Ok create a file in the misc directory called custom.fc, file_context
>file is only created via the make file.
>
>echo "/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t"
>>
>
>
misc/customer.fc
>Then rebuild policy
>
>make load
>Now restorecon
>
>
>
>
>
>>Arthur Stephens
>>Sales Technician
>>Ptera Wireless Internet
>>astephens(a)ptera.net
>>509-927-Ptera
>>
>>----- Original Message -----
>>From: "Karsten Wade" <kwade(a)redhat.com>
>>To: "Fedora SELinux support list for users & developers."
>><fedora-selinux-list(a)redhat.com>
>>Sent: Tuesday, November 30, 2004 2:01 PM
>>Subject: Re: httpd avc denied problem
>>
>>
>>
>>
>>
>>
>>>On Tue, 2004-11-30 at 13:12, Karsten Wade wrote:
>>>
>>>
>>>
>>>
>>>
>>>> chcon -R -t httpd_log_t /var/www/*/logs/*
>>>> service httpd start
>>>>
>>>>
>>>>
>>>>
>>>BTW, if this works, you'll want to do something to make the change
>>>permanent. Otherwise, the next running of restorecon will hose your
>>>configuration.
>>>
>>>Two options jump to mind:
>>>
>>>* Move the logs into a path that will receive httpd_log_t, i.e.,
>>>/var/logs/httpd/
>>>
>>>* Install the policy sources (yum install
>>>selinux-policy-targeted-sources), and do the following:
>>>
>>>1. Edit /etc/selinux/targeted/src/policy/file_contexts/file_contexts
>>>
>>>2. Add this line:
>>>/var/www/.*/logs(/.*)? system_u:object_r:httpd_log_t
>>>
>>>Feel free to correct my regexp, but I think it's right. :)
>>>
>>>3. In /etc/selinux/targeted/src/policy rebuild the policy with 'make
>>>load'. This will build and load the new policy directly into memory.
>>>
>>>4. If you now do restorecon, the /var/www/*/logs directories should get
>>>the proper context.
>>>
>>>Be aware that if you make another change to SELinux, especially using
>>>system-config-securitylevel, the file /.autorelabel may get created.
>>>That triggers a relabeling on reboot, and may hose any manual
>>>customizations not fixed in policy.
>>>
>>>- Karsten
>>>--
>>>Karsten Wade, RHCE, Tech Writer
>>>a lemon is just a melon in disguise
>>>http://people.redhat.com/kwade/
>>>gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
>>>
>>>--
>>>fedora-selinux-list mailing list
>>>fedora-selinux-list(a)redhat.com
>>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>>
>>>
>>>
>>>
>>--
>>fedora-selinux-list mailing list
>>fedora-selinux-list(a)redhat.com
>>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>>
>>
>>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list(a)redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
12:32 p.m.
New subject: sendmail.postfix avc denied problem
Helo List,
i have a problem sending mail from php script.
audit(1101900916.389:0): avc: denied { getattr } for pid=18363
exe=/bin/bash path=/usr/sbin/sendmail.postfix dev=md0 ino=7518272
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:sbin_t tclass=file
Everything other works very good with SELinux.
System FC3 Postfix, SELinux enforcing, targeted.
Thank you for any help.
--
Edy Corak
E-Mail: edy(a)ecorak.de
Internet: http://www.ecorak.net/
-----
7094
days inactive
7097
days old
selinux@lists.fedoraproject.org
16 comments
5 participants
participants (5)
-
Alexander Dalloz -
Arthur Stephens -
Daniel J Walsh -
Edy Corak -
Karsten Wade