Hi,
Wishing everyone a happy new year!
Can anyone point me in the right direction with a problem I'm having with SELinux and httpd please?
I have created a virtual host and have created the directory structure:
/vhosts/domain.tld/htdocs   # Document root
/vhosts/domain.tld/logs     # Log root
/vhosts/domain.tld/private  # Private root
I have set the contexts and they display as:
[root@server htdocs]# ls -laZ /vhosts/domain.tld/htdocs
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 ..
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html
[root@server htdocs]# ls -laZ /vhosts/domain.tld/logs
drwxr-xr-x. root root unconfined_u:object_r:httpd_log_t:s0 .
drwxr-xr-x. root root unconfined_u:object_r:file_t:s0 ..
So to me this looks like it has the right contexts.
When I try to start Apache I get the following error:
[root@server htdocs]# /sbin/service httpd start
Starting httpd: Warning: DocumentRoot [/vhosts/domain.tld/htdocs] does not exist
httpd: Could not reliably determine the server's fully qualified domain name, using ::1 for ServerName
[FAILED]
Now I know the directory exists, which confuses me. Below are the error logs:
[root@server htdocs]# tail /var/log/httpd/error_log
(13)Permission denied: httpd: could not open error log file /wb01/specialistdevelopment.com/www.specialistdevelopment.com/logs/error.log.
Unable to open logs
Can anyone help, as I am really stuck.
Thank you in advance!
Tony
tony@specialistdevelopment.com wrote:
I have found that apache needs at least search access to _all_ the directories in the hierarchy - so your /vhosts and your /vhosts/domain.tld directories both need to be some type that apache can search.
Also check /var/log/audit/audit.log (or ausearch) for the precise denial message.
Moray. "To err is human. To purr, feline"
On 01/04/2010 10:09 AM, tony@specialistdevelopment.com wrote:
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
# semanage fcontext -a -t httpd_sys_content_t '/vhosts(/.*)?'
# restorecon -R -v /vhosts
Should fix the problem.
You need to label every file/dir that httpd will access with a label it can read or search.
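An added example, not code from the thread or from any of the posters, that turns Moray's two suggestions (every ancestor directory must carry a type httpd can search; read the exact AVC denial from audit.log) and Walsh's fix into a small offline check. It walks each ancestor of the DocumentRoot and log directory and flags the ones whose type httpd_t cannot search, parses the kind of AVC line `ausearch -m avc -c httpd` returns, and prints the semanage/restorecon commands. The directory labels, the set of httpd-accessible types and the AVC line are constructed assumptions for this example; on a real host they come from `ls -Zd`, `sesearch` and `ausearch`.

```python
"""Diagnose SELinux path-hierarchy labels for an httpd vhost (added example).

Two checks from the thread: every ancestor directory needs a type httpd_t may
search, and the audit.log AVC line names the exact object and type denied.
Sample labels and the AVC line below are constructed to mirror the thread.
"""
import re
from pathlib import PurePosixPath

# Constructed: what `ls -Zd <dir>` would show for each ancestor. /vhosts and
# /vhosts/domain.tld are file_t, as the ".." entry in Tony's listing shows.
SAMPLE_LABELS = {
    "/": "system_u:object_r:root_t:s0",
    "/vhosts": "unconfined_u:object_r:file_t:s0",
    "/vhosts/domain.tld": "unconfined_u:object_r:file_t:s0",
    "/vhosts/domain.tld/htdocs": "system_u:object_r:httpd_sys_content_t:s0",
    "/vhosts/domain.tld/logs": "unconfined_u:object_r:httpd_log_t:s0",
}

# Assumption: a small subset of the types the targeted policy lets httpd_t
# search or read; a real check should consult `sesearch` on the live policy.
HTTPD_OK_TYPES = {
    "root_t", "usr_t", "var_t", "var_log_t", "httpd_sys_content_t",
    "httpd_sys_rw_content_t", "httpd_log_t", "httpd_config_t",
}

# Constructed AVC line of the kind `ausearch -m avc -c httpd` would return.
SAMPLE_AVC = ('type=AVC msg=audit(1262620000.123:45): avc:  denied  { search } for  '
              'pid=1234 comm="httpd" name="domain.tld" dev=dm-0 ino=5678 '
              'scontext=unconfined_u:system_r:httpd_t:s0 '
              'tcontext=unconfined_u:object_r:file_t:s0 tclass=dir')


def ancestors(path):
    """'/vhosts/domain.tld/htdocs' -> ['/', '/vhosts', '/vhosts/domain.tld', path]."""
    p = PurePosixPath(path)
    return [str(a) for a in reversed(p.parents)] + [str(p)]


def selinux_type(label):
    """Third field of user:role:type:level."""
    return label.split(":")[2]


def find_unsearchable(path, labels, ok_types):
    """Ancestors (including path itself) whose type httpd cannot search."""
    problems = []
    for d in ancestors(path):
        label = labels.get(d)
        t = selinux_type(label) if label else None
        if t not in ok_types:
            problems.append((d, t))
    return problems


AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Pull the permission, process, object name and both contexts out of an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    fields["source_type"] = selinux_type(fields["scontext"])
    fields["target_type"] = selinux_type(fields["tcontext"])
    return fields


def fix_commands(prefix, logs_dir=None):
    """Commands in the style of Walsh's reply: a persistent fcontext rule for the
    whole tree plus restorecon. If logs_dir is given, add a more specific rule so
    the log directory stays httpd_log_t instead of becoming read-only content."""
    cmds = [f"semanage fcontext -a -t httpd_sys_content_t '{prefix}(/.*)?'"]
    if logs_dir:
        cmds.append(f"semanage fcontext -a -t httpd_log_t '{logs_dir}(/.*)?'")
    cmds.append(f"restorecon -R -v {prefix}")
    return cmds


if __name__ == "__main__":
    for target in ("/vhosts/domain.tld/htdocs", "/vhosts/domain.tld/logs"):
        for d, t in find_unsearchable(target, SAMPLE_LABELS, HTTPD_OK_TYPES):
            print(f"{target}: ancestor {d} is {t}, httpd_t cannot search it")
    avc = parse_avc(SAMPLE_AVC)
    print(f"AVC: {avc['source_type']} denied {avc['perms']} on {avc['tclass']} "
          f"'{avc['name']}' of type {avc['target_type']}")
    print("\n".join(fix_commands("/vhosts", "/vhosts/domain.tld/logs")))
```

Against the constructed labels the check reports /vhosts and /vhosts/domain.tld as file_t for both the htdocs and the logs path, which is exactly the "search" denial the sample AVC line records. Note that the broad `/vhosts(/.*)?` rule on its own would also relabel the logs directory as httpd_sys_content_t, which httpd can read but not write to, so the optional logs_dir argument emits a more specific httpd_log_t rule; file context matching prefers the more specific pattern, and `matchpathcon /vhosts/domain.tld/logs` confirms what restorecon will apply.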
The exact log of the AVC denial is needed to analyse the problem, but assuming it is a denial due to the context, either you can do as dwalsh said or alternatively you can change the context of the file and directory to httpd_sys_content_t and put the file name and directory name in /etc/selinux/restorecond.conf and restart the restorecond service, so that even when you accidentally delete the file you get the correct context on recreating it.
On 1/4/10, Daniel J Walsh dwalsh@redhat.com wrote:
On 01/04/2010 10:09 AM, tony@specialistdevelopment.com wrote:
Thanks for your help, all sorted now :)
Tony
Quoting sai ganesh ganesai@gmail.com:
-- s.saiganesh “The Linux philosophy is 'Laugh in the face of danger'. Oops. Wrong One. 'Do it yourself'. Yes, that's it