Bug 146485
| Summary: | Apache cannot start with different DocumentRoot | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Orion Poplawski <orion> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 3 | | |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | noarch | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2005-02-03 17:54:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Orion Poplawski
2005-01-28 19:30:28 UTC
Orion, when you change the apache DocumentRoot, you must ensure that the files are labeled for it. For more information, see: http://fedora.redhat.com/docs/selinux-apache-fc3/

The autofs_t issue should be fixed in the latest rawhide policy.

Sorry for not RTFM. As for the autofs issue, when updating to latest policy:

    # rpm -Uvh /data/sw1/fedora/development/i386/Fedora/RPMS/selinux-policy-targeted-1.21.5-1.noarch.rpm
    Preparing...                ########################################### [100%]
       1:selinux-policy-targeted########################################### [100%]
    Usage: /sbin/fixfiles {-R rpmpackage[,rpmpackage...] [-l logfile ] [-o outputfile ] |check|restore|[-F] relabel}
    # rpm -qp /data/sw1/fedora/development/i386/Fedora/RPMS/selinux-policy-targeted-1.21.5-1.noarch.rpm --qf '%{POSTIN}' | grep fixfiles
    fixfiles -C /etc/selinux/targeted/contexts/file/file_contexts.pre restore

Looks like the -C option is in a newer version of fixfiles which probably should be required by the policy package.

Also, still having trouble serving content out of NFS mounts (specifically home dirs):

    Jan 31 09:49:35 hawk kernel: audit(1107190175.001:0): avc: denied { search } for pid=7811 exe=/usr/sbin/httpd name=/ dev=0:18 ino=4063296 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
    Jan 31 09:49:35 hawk kernel: audit(1107190175.002:0): avc: denied { getattr } for pid=7811 exe=/usr/sbin/httpd path=/home/orion dev=0:18 ino=4063296 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir

The NFS server is a FC1 system without selinux.

Lastly, I changed my DocumentRoot to /export/web/cora, and it appears that I need to set the file context for /export to httpd_sys_content_t as well for apache to start:

    Jan 31 09:54:19 hawk kernel: audit(1107190459.233:0): avc: denied { search } for pid=14624 exe=/usr/sbin/httpd name=export dev=dm-1 ino=38913 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
    Jan 31 09:54:19 hawk httpd: Syntax error on line 4 of /etc/httpd/conf.d/cora.conf:
    Jan 31 09:54:19 hawk httpd: DocumentRoot must be a directory
    Jan 31 09:54:19 hawk httpd: httpd startup failed

I wouldn't have expected this. Thanks!

You need to turn on nfs support:

    setsebool -P use_nfs_home_dirs 1

Still having trouble changing DocumentRoot to /export/web/cora, now getting:

    audit(1107205128.442:0): avc: denied { search } for pid=3991 exe=/usr/sbin/httpd name=/ dev=dm-0 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir

when starting up apache. I am a little leery about changing the file context for /. Now with selinux-policy-targeted-1.21.5-4.

Note that the pathname is relative to the filesystem device root, in this case dm-0. My guess is that you have /dev/dm-0 mounted on /export/web/cora. Try this:

    chcon -R -h -t httpd_sys_content_t /export/web/cora

Ah, things got reset when I did a relabel. I'll need to read up on how to make the labels permanent. Now the SSL config (stock) is failing:

    Jan 31 14:24:14 hawk kernel: audit(1107206654.947:0): avc: denied { search } for pid=4583 exe=/usr/sbin/httpd name=certs dev=dm-3 ino=64567 scontext=root:system_r:httpd_t tcontext=system_u:object_r:cert_t tclass=dir
    Jan 31 14:24:14 hawk httpd: Syntax error on line 50 of /etc/httpd/conf.d/vhost.conf:
    Jan 31 14:24:14 hawk httpd: SSLCACertificateFile: file '/usr/share/ssl/certs/ca-bundle.crt' does not exist or is empty
    Jan 31 14:24:14 hawk httpd: httpd startup failed

Thanks!
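Every denial in this thread has the same shape: httpd_t is refused `search` on a directory whose type it may not traverse (default_t, nfs_t, cert_t), and the `name=` field is only the last path component of that directory, relative to the filesystem on `dev=`, which is why `name=/ dev=dm-0` meant /export/web/cora and not /. The script below is an added example and not code from the bug report or from Fedora: it parses AVC lines of this form, resolves the denied directory against a mount table, and prints the remedies the thread settled on (chcon for default_t, the use_nfs_home_dirs boolean for nfs_t). The sample lines are adapted from the denials quoted above; the mount table (dm-1 as /, dm-0 on /export/web/cora, 0:18 as the NFS /home mount), the file_contexts.local path used to make the label survive a relabel, and the `find -inum` lookup for non-root names are my assumptions, not facts from the thread. A cert_t denial, which the thread leaves unresolved, is reported as having no fix rather than guessed at.

```shell
#!/bin/sh
# Added example, not code from the bug report: triage httpd AVC denials.

# Constructed input, adapted from the AVC lines quoted in the thread.
AVC_EXPORT='Jan 31 09:54:19 hawk kernel: audit(1107190459.233:0): avc: denied { search } for pid=14624 exe=/usr/sbin/httpd name=export dev=dm-1 ino=38913 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir'
AVC_ROOT='audit(1107205128.442:0): avc: denied { search } for pid=3991 exe=/usr/sbin/httpd name=/ dev=dm-0 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir'
AVC_NFS='Jan 31 09:49:35 hawk kernel: audit(1107190175.001:0): avc: denied { search } for pid=7811 exe=/usr/sbin/httpd name=/ dev=0:18 ino=4063296 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir'
AVC_CERT='Jan 31 14:24:14 hawk kernel: audit(1107206654.947:0): avc: denied { search } for pid=4583 exe=/usr/sbin/httpd name=certs dev=dm-3 ino=64567 scontext=root:system_r:httpd_t tcontext=system_u:object_r:cert_t tclass=dir'

# Constructed mount table (device -> mount point) standing in for /proc/mounts.
# Assumes dm-1 is /, dm-0 is mounted on /export/web/cora (the guess made in the
# thread) and 0:18 is the NFS /home mount; dm-3 is deliberately absent.
MOUNTS='dm-1 /
dm-0 /export/web/cora
0:18 /home'

# Assumed location of the local file-context overrides read by restorecon/fixfiles.
FC_LOCAL=/etc/selinux/targeted/contexts/files/file_contexts.local

# parse_avc LINE -> "perm exe name dev ino tclass source_type target_type"
parse_avc() {
    printf '%s\n' "$1" | awk '
    /avc: denied/ {
        perm = exe = name = dev = ino = tclass = st = tt = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") perm = $(i + 1)          # permission sits between { }
            split($i, kv, "=")
            if (kv[1] == "exe") exe = kv[2]
            else if (kv[1] == "name" || kv[1] == "path") name = kv[2]
            else if (kv[1] == "dev") dev = kv[2]
            else if (kv[1] == "ino") ino = kv[2]
            else if (kv[1] == "tclass") tclass = kv[2]
            else if (kv[1] == "scontext") { n = split(kv[2], c, ":"); st = c[n] }  # last field is the type
            else if (kv[1] == "tcontext") { n = split(kv[2], c, ":"); tt = c[n] }
        }
        print perm, exe, name, dev, ino, tclass, st, tt
    }'
}

# mountpoint_of DEV -> mount point of DEV from the table, empty if unknown
mountpoint_of() {
    printf '%s\n' "$MOUNTS" | awk -v d="$1" '$1 == d { print $2 }'
}

# locate_denied_dir LINE -> the directory the AVC refers to.  name=/ is the root
# of the filesystem on dev=, i.e. its mount point; any other name is only the
# last path component, so print a find(1) command that resolves it by inode.
locate_denied_dir() {
    set -- $(parse_avc "$1")
    mp=$(mountpoint_of "$4")
    if [ -z "$mp" ]; then
        printf 'unknown device %s\n' "$4"
        return 1
    fi
    if [ "$3" = "/" ]; then
        printf '%s\n' "$mp"
    else
        printf 'find %s -xdev -inum %s\n' "$mp" "$5"
    fi
}

# suggest_fix LINE DIR -> the commands matching the thread's remedy for the target type
suggest_fix() {
    dir=$2
    set -- $(parse_avc "$1")
    case "$8" in
        default_t)
            # Unlabelled directory on httpd's path: relabel it now, and record a
            # rule so the next relabel reapplies it instead of resetting it.
            printf 'chcon -R -h -t httpd_sys_content_t %s\n' "$dir"
            printf "echo '%s(/.*)?\tsystem_u:object_r:httpd_sys_content_t' >> %s\n" "$dir" "$FC_LOCAL"
            printf 'restorecon -R %s\n' "$dir"
            ;;
        nfs_t)
            printf 'setsebool -P use_nfs_home_dirs 1\n'
            ;;
        *)
            printf 'no fix in this thread for target type %s (%s denied %s on %s %s)\n' "$8" "$7" "$1" "$6" "$dir"
            ;;
    esac
}

# Stand-alone run: show each denial parsed and located, then the fixes.
for line in "$AVC_EXPORT" "$AVC_ROOT" "$AVC_NFS"; do
    parse_avc "$line"
    locate_denied_dir "$line"
done
suggest_fix "$AVC_ROOT" /export/web/cora
suggest_fix "$AVC_NFS" /home/orion
suggest_fix "$AVC_CERT" /usr/share/ssl/certs
```

The `find ... -inum` step is the practical answer to the "name=export dev=dm-1" line: the AVC never gives a full path, so you walk the filesystem that `dev=` names (with `-xdev` so you do not cross into other mounts) and match the inode. The appended file_contexts.local rule is what keeps the label after `fixfiles relabel`, which is exactly how the chcon in the thread got undone.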