leeatnwi
12th July 2010, 07:21 PM
Hi all,
I looked a little bit and could not find a similar problem to the one I am having. I am setting up a web server and SELinux keeps stopping httpd/apache and making it fail. Everything works fine when SELinux is set to permissive, so I know it is SELinux causing the problem.
I have all the apache/httpd items allowed in the SELinux booleans and even added the line the troubleshooter told me to add, but the problem still persists.
Here is what SELinux puts out:
Summary:
SELinux prevented httpd reading and writing access to http files.
Detailed Description:
SELinux prevented httpd reading and writing access to http files. Ordinarily
httpd is allowed full access to all files labeled with http file context. This
machine has a tightened security policy with the httpd_unified turned off, this
requires explicit labeling of all files. If a file is a cgi script it needs to
be labeled with httpd_TYPE_script_exec_t in order to be executed. If it is
read-only content, it needs to be labeled httpd_TYPE_content_t, it is writable
content. it needs to be labeled httpd_TYPE_script_rw_t or
httpd_TYPE_script_ra_t. You can use the chcon command to change these contexts.
Please refer to the man page "man httpd_selinux" or FAQ
(http://fedora.redhat.com/docs/selinux-apache-fc3) "TYPE" refers to one of
"sys", "user" or "staff" or potentially other script types.
Allowing Access:
Changing the "httpd_unified" boolean to true will allow this access: "setsebool
-P httpd_unified=1"
Fix Command:
setsebool -P httpd_unified=1
Additional Information:
Source Context unconfined_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:httpd_config_t:s0
Target Objects alh.error_log [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host server2.nwi.local
Source RPM Packages httpd-2.2.15-1.fc11.1
Target RPM Packages
Policy RPM selinux-policy-3.6.12-98.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name httpd_unified
Host Name server2.nwi.local
Platform Linux server2.nwi.local
2.6.30.10-105.2.23.fc11.x86_64 #1 SMP Thu Feb 11
07:06:34 UTC 2010 x86_64 x86_64
Alert Count 1
First Seen Mon 12 Jul 2010 01:07:42 PM CDT
Last Seen Mon 12 Jul 2010 01:07:42 PM CDT
Local ID fe67c015-a11f-4f28-b501-7c260b3c1e6d
Line Numbers
Raw Audit Messages
node=server2.nwi.local type=AVC msg=audit(1278958062.481:69): avc: denied { append } for pid=5294 comm="httpd" name="alh.error_log" dev=dm-0 ino=790 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file
node=server2.nwi.local type=SYSCALL msg=audit(1278958062.481:69): arch=c000003e syscall=2 success=no exit=-13 a0=7fa9675c9a18 a1=80441 a2=1b6 a3=7fff78b06b60 items=0 ppid=5293 pid=5294 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
I have run the
"Fix Command:
setsebool -P httpd_unified=1"
several times and it does nothing. I have all the permissions set with apache as owner and group, and execution allowed on all the files.
Anyone got a clue as to how to fix this so SELinux allows httpd to work properly?
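The raw AVC line in the post carries more information than the troubleshooter's summary: the denied operation is `append`, the source is `httpd_t`, the target is a file named `alh.error_log`, and the target's type is `httpd_config_t`. Apache's own log type is `httpd_log_t`, so the file it is trying to append to is carrying a configuration label rather than a log label, which is why changing a boolean does not help. The script below is an added example, not part of the original post or of any Fedora tooling: it parses the posted AVC line (embedded here as sample input), checks for exactly this source/target/permission combination, and prints the `semanage fcontext` and `restorecon` commands that would relabel the log's directory. The directory path passed to `fix_commands` is an assumption; the AVC gives only `dev=dm-0 ino=790`, so on the real host you would locate the file first (for example with `find / -inum 790` on that device, or `ls -Z` on the directory your `ErrorLog` directive points at).

```shell
#!/bin/sh
# Added example: parse a single SELinux AVC denial and suggest a relabel.
# The AVC line below is copied from the forum post and used as sample input.
AVC_LINE='node=server2.nwi.local type=AVC msg=audit(1278958062.481:69): avc: denied { append } for pid=5294 comm="httpd" name="alh.error_log" dev=dm-0 ino=790 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=value (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: print the permission(s) inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the SELinux type is the third colon-separated field
# (user:role:type:level).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix LINE: if httpd_t is denied write/append on a file labeled
# httpd_config_t, report that the file should carry httpd_log_t instead.
# Prints "relabel:httpd_log_t:<name>" and returns 0 on a match, otherwise
# prints "other:<target type>:<name>" and returns 1.
suggest_fix() {
    perm=$(avc_perm "$1")
    name=$(avc_field "$1" name)
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    case "$perm" in
        append|write)
            if [ "$stype" = httpd_t ] && [ "$ttype" = httpd_config_t ]; then
                echo "relabel:httpd_log_t:$name"
                return 0
            fi
            ;;
    esac
    echo "other:$ttype:$name"
    return 1
}

# fix_commands DIR: print (do not run) the persistent relabel for DIR.
# DIR is an assumed location for the log; the AVC only gives dev/inode.
fix_commands() {
    printf 'semanage fcontext -a -t httpd_log_t "%s(/.*)?"\n' "$1"
    printf 'restorecon -Rv "%s"\n' "$1"
}

# Stand-alone run: analyse the posted line and show the commands for an
# assumed log directory.
suggest_fix "$AVC_LINE"
fix_commands /var/log/httpd/alh
```

The `semanage fcontext` rule is what makes the label survive a `restorecon` or a full relabel; a bare `chcon` on the file would be undone the next time the filesystem is relabeled. After relabeling, `ls -Z` on the log should show `httpd_log_t`, and the `append` denial should disappear with `httpd_unified` left at its default.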