Re: [CentOS] Apache, SELinux, and document root on a different partition
--On Sunday, November 30, 2008 9:02 AM -0500 Ignacio Vazquez-Abrams [EMAIL PROTECTED] wrote:

> You forgot one important bit: the actual denials.

I don't find anything in /var/log/audit/audit.log nor /var/log/messages. audit.log looks like the right place but it hasn't logged anything since June. Do I need to enable this? (I suspect another admin turned it off inadvertently.) The auditd service is running.

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Apache, SELinux, and document root on a different partition
Here's what I'm seeing logged. (Newlines added to make it easier to see the log line boundaries with wrapping.) It looks like it's failing to traverse the root directory to get to the directory with the content in it, but why doesn't it fail on /var/www/html or home directory content, which must also do that?

type=AVC msg=audit(1228142052.656:3183659): avc: denied { search } for pid=29382 comm=httpd name=/ dev=cciss/c0d2p1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir

type=SYSCALL msg=audit(1228142052.656:3183659): arch=4003 syscall=195 success=no exit=-13 a0=d75a6f0 a1=bfa4aadc a2=5ccff4 a3=8170 items=0 ppid=24589 pid=29382 auid=555 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm=httpd exe=/usr/sbin/httpd subj=user_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1228142052.657:3183660): avc: denied { getattr } for pid=29382 comm=httpd name=/ dev=cciss/c0d2p1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir

type=SYSCALL msg=audit(1228142052.657:3183660): arch=4003 syscall=196 success=no exit=-13 a0=d75a768 a1=bfa4aadc a2=5ccff4 a3=2008171 items=0 ppid=24589 pid=29382 auid=555 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm=httpd exe=/usr/sbin/httpd subj=user_u:system_r:httpd_t:s0 key=(null)

type=AVC_PATH msg=audit(1228142052.657:3183660): path=/mnt/bigdisk2
Re: [CentOS] Apache, SELinux, and document root on a different partition
Kenneth Porter wrote:

> Here's what I'm seeing logged. (Newlines added to make it easier to see the log line boundaries with wrapping.) It looks like it's failing to traverse the root directory to get to the directory with the content in it, but why doesn't it fail on /var/www/html or home directory content, which must also do that?
>
> type=AVC msg=audit(1228142052.656:3183659): avc: denied { search } for pid=29382 comm=httpd name=/ dev=cciss/c0d2p1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir

Try this:

# grep httpd /var/log/audit/audit.log | audit2why

The output should explain why you are getting the permission denials.

Rick
Re: [CentOS] Apache, SELinux, and document root on a different partition
On Monday, December 01, 2008 10:26 AM -0500 Rick Barnes [EMAIL PROTECTED] wrote:

> Try this:
>
> # grep httpd /var/log/audit/audit.log | audit2why
>
> The output should explain why you are getting the permission denials.

Alas, it didn't really tell me more than what I could see in the log lines.

What helped was to download the source RPM for the policy:

selinux-policy-2.4.6-137.el5.src.rpm

This is like a kernel source package, and has all the text files that are compiled to become the installed binary policy. Hence, it's very handy for grepping through to understand how all the rules work. It also identified that there's a man page full of handy sebools for more fine-grained control of the web server policy. Use "man httpd_selinux" to view it.

Looking more carefully at my log lines, I realized that the / being referred to was not the real root but the root of the mounted device, and it had type file_t. That's not a directory type that Apache is allowed to search. For now, I've changed it to var_t, which is one that's allowed, and things now work.

chcon -t var_t /mnt/bigdisk2
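Added example, not code from the thread or from the CentOS project. The denial above names "/" on dev=cciss/c0d2p1 ino=2, and inode 2 is the root directory of an ext2/ext3/ext4 filesystem, so the unsearchable directory is the root of the mounted volume rather than the system root, and the ls -Za output in the original post shows it as file_t (the ".." entry). httpd_t needs search on every ancestor of the content directory, so the script below walks each ancestor of a path and reports any whose SELinux type httpd_t cannot search. It also gives a persistent form of the fix: a bare chcon, as used in the reply above, is undone by the next restorecon or filesystem relabel, whereas a semanage fcontext rule survives. Assumptions of this example: the path /mnt/bigdisk2/wbb3-tmp is the one from the thread; the type list in UNSEARCHABLE_TYPES (file_t from the thread, unlabeled_t as its counterpart on newer kernels) is this example's own; the helper names sel_type, ancestors, check_ancestor_labels and label_web_content are hypothetical; sel_type relies on GNU stat's %C format.

```shell
#!/bin/sh
# Added example (not from the thread): report ancestors of a web content
# directory that httpd_t cannot search, and label the tree persistently.
# Path /mnt/bigdisk2/wbb3-tmp comes from the thread; the type list and the
# helper names are assumptions of this example.

# SELinux type (third field of user:role:type:level) of one path, via GNU
# stat's %C format. Redefine this function to test on a host without SELinux.
sel_type() {
    stat -c '%C' -- "$1" | cut -d: -f3
}

# Print every ancestor of the absolute path $1, root first, ending with $1.
ancestors() {
    case $1 in
        /*) ;;
        *) echo "ancestors: absolute path required: $1" >&2; return 1 ;;
    esac
    p=${1%/}
    list=""
    while [ -n "$p" ]; do
        list="$p
$list"
        p=${p%/*}
    done
    printf '/\n%s' "$list"
}

# Types httpd_t is not allowed to search. file_t is what the thread hit (the
# root of a filesystem that was never labelled); unlabeled_t is its
# counterpart on newer kernels. Assumed list: extend it from audit2why output.
UNSEARCHABLE_TYPES="file_t unlabeled_t"

# Print "<path> <type>" for each ancestor of $1 that carries an unsearchable
# type. Exit 0 if httpd_t can traverse the whole path, 1 if any ancestor
# blocks it, 2 if $1 is not an absolute path.
check_ancestor_labels() {
    list=$(ancestors "$1") || return 2
    rc=0
    while IFS= read -r dir; do
        t=$(sel_type "$dir")
        case " $UNSEARCHABLE_TYPES " in
            *" $t "*) echo "$dir $t"; rc=1 ;;
        esac
    done <<EOF
$list
EOF
    return $rc
}

# Persistent version of the thread's fix. "chcon -t var_t /mnt/bigdisk2" is
# lost at the next restorecon or relabel; a file-context rule is not.
# $1 is the mount root (it only needs to be searchable; var_t as in the thread),
# $2 the content tree below it. Needs semanage from policycoreutils; the -a
# calls fail if a rule for that spec already exists, use -m then.
label_web_content() {
    mount_root=${1%/}
    content=${2%/}
    semanage fcontext -a -t var_t "$mount_root" &&
    semanage fcontext -a -t httpd_sys_content_t "$content(/.*)?" &&
    restorecon -v "$mount_root" &&
    restorecon -Rv "$content"
}

# Usage: sh check_labels.sh /mnt/bigdisk2/wbb3-tmp
if [ -n "${1:-}" ]; then
    check_ancestor_labels "$1"
fi
```

Run it with the content directory as the argument; on the thread's system it prints "/mnt/bigdisk2 file_t" and exits 1, and after label_web_content /mnt/bigdisk2 /mnt/bigdisk2/wbb3-tmp it exits 0. If the volume is on a filesystem that cannot store labels at all, mounting it with -o context=system_u:object_r:httpd_sys_content_t:s0 is the alternative to per-file labelling.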
[CentOS] Apache, SELinux, and document root on a different partition
I want to put the document root for an application on a separate partition that has more space. When I try to configure this I can't access the files in the new location. I've got the SELinux attributes set on the directory and its files, so I'm thinking it's something about the parent path that SELinux doesn't like, but I don't know where that's handled.

My partition is mounted to /mnt/bigdisk2, and I put the app in the wbb3-tmp subdirectory there:

[EMAIL PROTECTED] wbb3-tmp]# ls -Za
drwxr-xr-x  apache apache system_u:object_r:httpd_sys_content_t .
drwxr-xr-x  root   root   system_u:object_r:file_t              ..
-rw-r--r--  apache apache system_u:object_r:httpd_sys_content_t WCFSetup.tar.gz
-rw-r--r--  apache apache system_u:object_r:httpd_sys_content_t index.html
-rw-r--r--  apache apache system_u:object_r:httpd_sys_content_t install.php
-rw-r--r--  apache apache system_u:object_r:httpd_sys_content_t test.php
[EMAIL PROTECTED] wbb3-tmp]# pwd
/mnt/bigdisk2/wbb3-tmp

My Apache VirtualHost block contains this:

Alias /wbb3-tmp /mnt/bigdisk2/wbb3-tmp
<Directory /mnt/bigdisk2/wbb3-tmp>
    AllowOverride AuthConfig Options Limit
    Options +Indexes -ExecCGI +FollowSymLinks +MultiViews
    Order allow,deny
    Allow from all
</Directory>

This works if I disable SELinux.
Re: [CentOS] Apache, SELinux, and document root on a different partition
On Sun, 2008-11-30 at 05:56 -0800, Kenneth Porter wrote:

> This works if I disable SELinux.

You forgot one important bit: the actual denials.

--
Ignacio Vazquez-Abrams [EMAIL PROTECTED]
PLEASE don't CC me; I'm already subscribed