Oops.. I forgot to check /var/log/httpd/error_log
Before
(13)Permission denied: httpd: could not open error log file
/var/www/spokanewines.com/logs/error_log.
Unable to open logs
After
(13)Permission denied: httpd: could not open error log file
/var/www/tangleheart.com/logs/error_log.
Unable to open logs
Looks like it just switched to another directory....hmmmm
----- Original Message -----
From: "Daniel J Walsh" <dwalsh(a)redhat.com>
To: "Fedora SELinux support list for users & developers."
<fedora-selinux-list(a)redhat.com>
Sent: Tuesday, November 30, 2004 11:25 AM
Subject: Re: httpd avc denied problem
Arthur Stephens wrote:
>----- Original Message -----
>From: "Karsten Wade" <kwade(a)redhat.com>
>To: "Fedora SELinux support list for users & developers."
><fedora-selinux-list(a)redhat.com>
>Sent: Tuesday, November 30, 2004 5:03 AM
>Subject: Re: httpd avc denied problem
>
>
>
>
>>On Mon, 2004-11-29 at 16:53, Arthur Stephens wrote:
>>
>>
>>>>/var/www/, as defined in
>>>>/etc/selinux/targeted/src/policy/file_contexts/file_contexts:
>>>>
>>>>
>>>OK Mine is located someplace different
>>> /etc/selinux/targeted/context/files/file_contexts
>>>
>>>
>>Yeah, it's the same file as the one in the policy sources
>>(targeted/src/policy), which comes from the
>>selinux-policy-targeted-sources directory. You shouldn't need that
>>unless you have to customize the policy, which doesn't sound necessary
>>yet.
>>
>>
>>
>>>>/var/www(/.*)? system_u:object_r:httpd_sys_content_t
>>>>
>>>>It looks as if the httpd policy needs the logs to be a different type:
>>>>
>>>>
>>>Mine says the same...
>>>But there is a
>>>/etc/httpd/logs system_u:object_r:httpd_log_t
>>>
>>>
>>And this:
>>
>>/var/log/httpd(/.*)? system_u:object_r:httpd_log_t
>>
>>I suppose either would work, since httpd_t can append to httpd_log_t and
>>httpd_runtime_t. httpd_log_t looks like the proper one to use.
>>
>>
>>
>>>But what puzzles me is why only this one log directory....all the others
>>>like it work...
>>>
>>>
>>This is with httpd_unified set to true?
>>
>>
>
>Yes actually mine says "active"
>
>AIUI, it must be set to true,
>
>
>>if httpd_t can append to httpd_sys_content_t.
>>
>>For 'ls -Z /var/www' are all the directories essentially the same
>>permissions? I'm not thinking the problem is regular UNIX permissions
>>because you got an AVC denial ... something is fishy.
>>
>>
>
>ls -Z /var/www
>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t aha
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t arthurstephens.com
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t birdshield.com
>drwxr-xr-x root root system_u:object_r:httpd_sys_script_exec_t cgi-bin
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t charlieh
>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t cvafoundation.org
>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t davidh
>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t digitalcreations
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t error
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t html
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t icons
>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t jjakober
>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t kodiaks
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t lindarosephoto.com
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t lwccspokane.org
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t manual
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t pteraweb
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ptootie
>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t punisher
>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t spokanewines.com
>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t stevefm
>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t suetkr
>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t tangleheart.com
> >drwxr-xr-x webalize root system_u:object_r:httpd_sys_content_t usage
> >drwxrwxrwx apache apache system_u:object_r:httpd_sys_content_t wag1designs
> >
> >
> >
> >>Does it error if you change the type of the log files to httpd_log_t?
> >>I.e.,
> >>
> >> chcon -R -t httpd_log_t /var/www/spokanewines.com/logs/*
> >>
> >>
> >
> >Issued the above command and then service httpd start
> >
> >Nov 30 13:31:29 webmail kernel: audit(1101850289.759:0): avc: denied {
> >append } for pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0
> >ino=552157 scontext=root:system_r:httpd_t
> >tcontext=system_u:object_r:httpd_sys_content_t tclass=file
> >Nov 30 13:31:29 webmail httpd: httpd startup failed
> >
> >ls -Z /var/www/spokanewines.com/logs
> >-rw-r--r-- root root system_u:object_r:httpd_log_t access_log
> >-rw-r--r-- root root system_u:object_r:httpd_log_t error_log
> >
> >
>
> Are you sure this error_log is the one represented by ino=552157???
>
> >
> >
> >>Can you send in the avc: denied errors that you are getting? I can't
> >>imagine how this would be a policy bug, but it's worth looking into.
> >>
> >>- Karsten
> >>
> >>
> >>>EXAMPLES
> >>>/var/www/arthurstephens.com/logs
> >>>[root@webmail arthurstephens.com]# ls -alZ logs/
> >>>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
> >>>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> >>>access_log
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> >>>error_log
> >>>
> >>>/var/www/cvafoundation.org/logs
> >>>[root@webmail cvafoundation.org]# ls -alZ logs/
> >>>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
> >>>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> >>>access_log
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> >>>error_log
> >>>
> >>>But this one fails...
> >>>/var/www/spokanewines.com/logs
> >>>[root@webmail spokanewines.com]# ls -alZ logs
> >>>drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
> >>>drwxrwxrwx root root system_u:object_r:httpd_sys_content_t ..
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> >>>access_log
> >>>-rw-r--r-- root root system_u:object_r:httpd_sys_content_t
> >>>error_log
> >>>
> >>>
> >>--
> >>Karsten Wade, RHCE, Tech Writer
> >>a lemon is just a melon in disguise
> >>http://people.redhat.com/kwade/
> >>gpg fingerprint: 2680 DBFD D968 3141 0115 5F1B D992 0E06 AD0E 0C41
> >>
> >>--
> >>fedora-selinux-list mailing list
> >>fedora-selinux-list(a)redhat.com
> >>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
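The question raised in the thread, whether the relabeled error_log is really the object with ino=552157, can be answered by mapping the inode in the denial back to a path and reading that path's label. The script below is an added example, not part of the original messages; the function names and the `/var/www` search root are assumptions, and the sample record is the thread's denial with its line wraps removed.

```shell
#!/bin/sh
# Constructed sample: the AVC denial quoted in the thread, unwrapped.
SAMPLE_AVC='Nov 30 13:31:29 webmail kernel: audit(1101850289.759:0): avc: denied { append } for pid=2585 exe=/usr/sbin/httpd name=error_log dev=dm-0 ino=552157 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file'

# avc_field KEY LINE: print the value of KEY=value from one AVC record.
avc_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# tcontext_type LINE: print the type part of the target context (user:role:type).
tcontext_type() {
    avc_field tcontext "$1" | cut -d: -f3
}

# paths_for_inode ROOT INO: list paths under ROOT with inode number INO.
# Inode numbers are unique only per filesystem, so ROOT must live on the
# device named in dev=; -xdev keeps find from crossing onto other mounts.
paths_for_inode() {
    find "$1" -xdev -inum "$2" 2>/dev/null
}

# explain_denial ROOT LINE: show which file the denial refers to and its label.
explain_denial() {
    ino=$(avc_field ino "$2")
    name=$(avc_field name "$2")
    [ -n "$ino" ] || { echo "no ino= field in record" >&2; return 2; }
    echo "denied object: name=$name ino=$ino type=$(tcontext_type "$2")"
    found=$(paths_for_inode "$1" "$ino")
    [ -n "$found" ] || { echo "no file with inode $ino under $1"; return 1; }
    printf '%s\n' "$found" | while IFS= read -r p; do
        # Fall back to inode + path where ls has no SELinux support.
        ls -dZ "$p" 2>/dev/null || ls -di "$p"
    done
}

# Usage on the affected host (search root is an assumption):
#   explain_denial /var/www "$(grep 'avc: *denied' /var/log/messages | tail -n 1)"
```

If the path printed is not the one that was relabeled with chcon, the denial is about a different virtual host's log file that still carries httpd_sys_content_t.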