Bug 146485

Summary: Apache cannot start with different DocumentRoot
Product: Fedora
Reporter: Orion Poplawski <orion>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Version: 3
Hardware: noarch
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-02-03 17:54:22 UTC

Description Orion Poplawski 2005-01-28 19:30:28 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041217

Description of problem:
Trying to change the DocumentRoot in httpd to a different directory. 
httpd now fails to start.  Following errors in syslog:

Jan 28 12:28:39 hawk kernel: audit(1106940519.555:0): avc:  denied  {
search } for  pid=6142 exe=/usr/sbin/httpd name=export dev=dm-1
ino=38913 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:default_t tclass=dir
Jan 28 12:28:39 hawk httpd: Syntax error on line 265 of
/etc/httpd/conf/httpd.conf:
Jan 28 12:28:39 hawk httpd: DocumentRoot must be a directory

Also get it for autofs mounted dirs:

audit(1106939693.709:0): avc:  denied  { search } for  pid=5277
exe=/usr/sbin/httpd name=/ dev=autofs ino=6704
scontext=root:system_r:httpd_t
tcontext=system_u:object_r:autofs_t tclass=dir


Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.21.3-6

How reproducible:
Always

Steps to Reproduce:
1. Change DocumentRoot to device mapper (LVM) dir or autofs dir

Comment 1 Colin Walters 2005-01-28 22:17:31 UTC
Orion, when you change the apache DocumentRoot, you must ensure that
the files are labeled for it.

For more information, see:
http://fedora.redhat.com/docs/selinux-apache-fc3/

The autofs_t issue should be fixed in the latest rawhide policy.

Comment 2 Orion Poplawski 2005-01-31 16:57:25 UTC
Sorry for not RTFM.  

As for the autofs issue, when updating to latest policy:

# rpm -Uvh
/data/sw1/fedora/development/i386/Fedora/RPMS/selinux-policy-targeted-1.21.5-1.noarch.rpm
Preparing...               
########################################### [100%]
  
1:selinux-policy-targeted###########################################
[100%]
Usage: /sbin/fixfiles {-R rpmpackage[,rpmpackage...] [-l logfile ] [-o
outputfile ] |check|restore|[-F] relabel}

# rpm -qp
/data/sw1/fedora/development/i386/Fedora/RPMS/selinux-policy-targeted-1.21.5-1.noarch.rpm
--qf '%{POSTIN}' | grep fixfiles
                fixfiles -C
/etc/selinux/targeted/contexts/file/file_contexts.pre restore

Looks like the -C option is in a newer version of fixfiles which
probably should be required by the policy package.

Also, still having trouble serving content out of NFS mounts
(specifically home dirs):

Jan 31 09:49:35 hawk kernel: audit(1107190175.001:0): avc:  denied  {
search } for  pid=7811 exe=/usr/sbin/httpd name=/ dev=0:18 ino=4063296
scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
Jan 31 09:49:35 hawk kernel: audit(1107190175.002:0): avc:  denied  {
getattr } for  pid=7811 exe=/usr/sbin/httpd path=/home/orion dev=0:18
ino=4063296 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:nfs_t tclass=dir

The NFS server is a FC1 system without selinux.  

Lastly, I changed my DocumentRoot to /export/web/cora, and it appears
that I need to set the file context for /export to httpd_sys_content_t
as well for apache to start:

Jan 31 09:54:19 hawk kernel: audit(1107190459.233:0): avc:  denied  {
search } for  pid=14624 exe=/usr/sbin/httpd name=export dev=dm-1
ino=38913 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:default_t tclass=dir
Jan 31 09:54:19 hawk httpd: Syntax error on line 4 of
/etc/httpd/conf.d/cora.conf:
Jan 31 09:54:19 hawk httpd: DocumentRoot must be a directory
Jan 31 09:54:19 hawk httpd: httpd startup failed

I wouldn't have expected this.

Thanks!

Comment 3 Daniel Walsh 2005-01-31 20:16:59 UTC
You need to turn on nfs support

setsebool -P use_nfs_home_dirs 1

Comment 4 Orion Poplawski 2005-01-31 21:05:57 UTC
Still having trouble changing DocumentRoot to /export/web/cora, now
getting:

audit(1107205128.442:0): avc:  denied  { search } for  pid=3991
exe=/usr/sbin/httpd name=/ dev=dm-0 ino=2
scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t
tclass=dir

when starting up apache.  I am a little leery about changing the file
context for /.

Now with selinux-policy-targeted-1.21.5-4.

Comment 5 Colin Walters 2005-01-31 21:22:37 UTC
Note that the pathname is relative to the filesystem device root, in
this case dm-0.  My guess is that you have /dev/dm-0 mounted on
/export/web/cora.  Try this:

chcon -R -h -t httpd_sys_content_t /export/web/cora

Comment 6 Orion Poplawski 2005-01-31 21:27:10 UTC
Ah, things got reset when I did a relabel.  I'll need to read up on
how to make the labels permanent.

Now the SSL config (stock) is failing:

Jan 31 14:24:14 hawk kernel: audit(1107206654.947:0): avc:  denied  {
search } for  pid=4583 exe=/usr/sbin/httpd name=certs dev=dm-3
ino=64567 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:cert_t tclass=dir
Jan 31 14:24:14 hawk httpd: Syntax error on line 50 of
/etc/httpd/conf.d/vhost.conf:
Jan 31 14:24:14 hawk httpd: SSLCACertificateFile: file
'/usr/share/ssl/certs/ca-bundle.crt' does not exist or is empty
Jan 31 14:24:14 hawk httpd: httpd startup failed

Thanks!
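The denials in this thread all share one shape, and the fixes given in Comments 1, 3 and 5 depend only on the type in the target context. The following is an added example (not code from the bug report or from Fedora) that parses AVC records as they are quoted here, re-joining the wrapped syslog lines, and maps each record to the remedy the thread gave for that target type; the SAMPLE_LOG is constructed from two of the quoted denials, and the remedy strings are this example's own summaries.

```python
# Parse the SELinux AVC denials quoted in this bug (re-joining the syslog line
# wrapping shown on the page) and map each to the remedy the thread arrived at.
# Added example, not code from the bug report or from Fedora.
import re
# Constructed sample: two denials from the thread, in the wrapped form quoted above.
SAMPLE_LOG = """\
Jan 28 12:28:39 hawk kernel: audit(1106940519.555:0): avc:  denied  {
search } for  pid=6142 exe=/usr/sbin/httpd name=export dev=dm-1
ino=38913 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:default_t tclass=dir
Jan 28 12:28:39 hawk httpd: DocumentRoot must be a directory
Jan 31 09:49:35 hawk kernel: audit(1107190175.001:0): avc:  denied  {
search } for  pid=7811 exe=/usr/sbin/httpd name=/ dev=0:18 ino=4063296
scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
"""
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
PERM = re.compile(r"denied\s+\{\s*([^}]+?)\s*\}")
# Fixes stated in the thread, keyed by target type; name= is relative to dev= root.
REMEDY = {
    "default_t": "unlabeled dir: chcon -R -h -t httpd_sys_content_t <dir>",
    "nfs_t": "NFS content: setsebool -P use_nfs_home_dirs 1",
    "autofs_t": "autofs_t search: fixed in the newer targeted policy",
}

def join_wrapped(text):
    """Re-join records whose continuation lines lack a syslog timestamp."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def parse_avc(text):
    """One dict per AVC denial: permission, key=value fields, target type."""
    out = []
    for rec in join_wrapped(text):
        if "avc:" not in rec or "denied" not in rec:
            continue  # plain syslog lines, e.g. the httpd startup errors
        fields = dict(re.findall(r"(\w+)=(\S+)", rec.split("avc:", 1)[1]))
        fields["perm"] = PERM.search(rec).group(1)
        fields["ttype"] = fields.get("tcontext", "").rsplit(":", 1)[-1]
        out.append(fields)
    return out

def diagnose(denial):
    """Return the thread's remedy for a denial against httpd_t, if any."""
    if not denial.get("scontext", "").endswith(":httpd_t"):
        return "not an httpd denial"
    return REMEDY.get(denial["ttype"], "no remedy given in this thread")
```

Feed it the audit lines from /var/log/messages on the affected host and it reports, per denial, which of the three fixes from this thread applies; a cert_t denial like the one in Comment 6 is reported as having no remedy here.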