149990 – SELinux breaks httpd

Bug 149990 - SELinux breaks httpd

Summary: SELinux breaks httpd

Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 4
Classification:	Red Hat
Component:	httpd
Sub Component:	(Show other bugs)
Version:	4.0
Hardware:	i386 Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Joe Orton
QA Contact:
Docs Contact:
URL:
Whiteboard:
Keywords:	SELinux
Duplicates (1):	149989 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-03-01 11:15 UTC by Andrew Gormanly
Modified:	2007-11-30 22:07 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2005-03-02 19:55:47 UTC
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Apache config file (41.28 KB, text/plain) 2005-03-01 11:16 UTC, Andrew Gormanly	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Description Andrew Gormanly 2005-03-01 11:15:14 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.3) Gecko/20050104 Red Hat/1.4.3-3.0.7

Description of problem:
Having upgraded our web server to RHEL 4 AS, httpd refuses to start with SELinux enabled.

Version-Release number of selected component (if applicable):
httpd-2.0.52-9.ent

How reproducible:
Always

Steps to Reproduce:
1. service httpd start
2.
3.
  

Actual Results:  Apache fails to start with error message "DocumentRoot must be a directory".

Expected Results:  Apache starts normally and serves our sites.

Additional info:

The problem is one of directory nesting.  Our sites are held under
/home/www/cmmp /home/www/nano-science/nano-mag etc.

Nothing nested deeper than one level under /home will work, but errors are only
produced for those on the second level of nesting: e.g. a site in /home works, 
as does one in /home/www but one in /home/www/cmmp does not.  A site in 
/home/www/nano-science produces the error message, but one in 
/home/www/nano-science/nano-mag does not.

Turning off SELinux at boot with boot parameter selinux=0 fixes this, but is 
obviously not a nice solution...

Comment 1 Andrew Gormanly 2005-03-01 11:16:48 UTC

Created attachment 111525 [details]
Apache config file

The httpd.conf in question

Comment 2 Andrew Gormanly 2005-03-01 11:18:21 UTC

*** Bug 149989 has been marked as a duplicate of this bug. ***

Comment 3 Andrew Gormanly 2005-03-01 11:19:36 UTC

Apologies, I accidentally submitted this one twice.  I've killed the dupe.

Comment 4 Andrew Gormanly 2005-03-01 13:44:51 UTC

Solved with:

chcon -R -t httpd_sys_content_t /home/www

Not sure if this is the best way to do this...

Comment 5 Joe Orton 2005-03-02 19:55:47 UTC

Yes, that's the correct method.  You might be interested to read the following
guide, regarding SELinux/Apache integration.  It mostly applies to Red Hat
Enterprise Linux 4; a version specific for RHEL4 is in the works:

http://fedora.redhat.com/docs/selinux-apache-fc3/

Note You need to log in before you can comment on or make changes to this bug.