httpd does not start with selinux denial


Environment

  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Apache HTTPD 2.4.x

Issue

  • SELinux denials for newly created virtual host directories for Apache
  • Error messages such as the following:
        Feb xx xx:xx:xx hostname setroubleshoot: SELinux is preventing the http daemon from reading users' home directories. For complete SELinux messages. run sealert -l 01228907-f87f-418b-926d-ef0f290e7915

or the following error in the httpd logs:

(13)Permission denied: AH00091: httpd: could not open error log file /var/log/customLogDir/My_error_log.
AH00015: Unable to open logs

Resolution

  • Make a test directory in /var/www and copy the context from that:
        # mkdir /var/www/test
        # ls -ldZ /var/www/test/
        drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/test/
  • Recursively change the context using it as a reference:
        # chcon -R --reference=/var/www/test /var/www/virtual
    Note that a context set with chcon is not persistent: a relabel (restorecon or a filesystem relabel on boot) resets files to whatever the policy's file context rules say.
  • It is also possible to change the SELinux file context persistently with semanage:
        # semanage fcontext -a -t httpd_sys_content_t '/website(/.*)?'
        # semanage fcontext -a -t httpd_log_t "/var/log/customLogDir(/.*)?"
    To copy the fcontext rules from an existing directory (an equivalence rule), use the following command:
        # semanage fcontext -a -e /var/www/test '/websites(/.*)?'

and then run restorecon to apply the new rules to the files:

  # restorecon -vvRF /websites
  # restorecon -vvRF /var/log/customLogDir

Root Cause

  • System had incorrect SELinux contexts:
        # ls -laZ /var/www/virtual/example.org/
        drwx--x--x. foo01 foo01 unconfined_u:object_r:user_home_dir_t:s0 .
        drwxr-xr-x. root   root   system_u:object_r:home_root_t:s0 ..
        -rw-------. foo01 foo01 unconfined_u:object_r:home_root_t:s0 .bash_history
        drwxr-xr-x. root   root   unconfined_u:object_r:user_home_t:s0 logs
  • The proper, expected SELinux context for created virtual directories is the httpd_sys_content_t type, not user_home_dir_t: the targeted policy confines httpd to the httpd_t domain, which may read httpd_sys_content_t files but not home directory types.
  • The expected SELinux context for Apache logs is the httpd_log_t type.
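To spot this kind of mislabelling before httpd fails, the following added example (not part of the Red Hat solution) audits "ls -Z" style listings against the types httpd_t is allowed to use and prints the semanage/restorecon fix from the Resolution for every mismatch. The sample listing is constructed from the Root Cause section; on a real host you would feed it the output of `ls -dZ` on the vhost and log directories.

```shell
#!/bin/sh
# Added example: audit SELinux file types for httpd content and log directories.

# Print the SELinux type (third component of the context) from one "ls -Z" line.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 4) { print c[3]; exit }
    }'
}

# Types httpd_t may use for a given role (content = DocumentRoot, log = ErrorLog).
allowed_types() {
    case "$1" in
        content) echo "httpd_sys_content_t httpd_sys_rw_content_t httpd_sys_ra_content_t" ;;
        log)     echo "httpd_log_t" ;;
        *)       return 1 ;;
    esac
}

# check_line ROLE LINE: return 0 if the line's type is allowed for ROLE, else 1.
check_line() {
    t=$(selinux_type_of "$2")
    for ok in $(allowed_types "$1"); do
        [ "$t" = "$ok" ] && return 0
    done
    return 1
}

# suggest_fix ROLE PATH: print the persistent relabel commands for PATH.
suggest_fix() {
    case "$1" in
        content) type=httpd_sys_content_t ;;
        log)     type=httpd_log_t ;;
    esac
    printf "semanage fcontext -a -t %s '%s(/.*)?'\nrestorecon -vvRF %s\n" "$type" "$2" "$2"
}

# audit_listing ROLE: read "ls -Z" lines on stdin, report mismatches; returns 1 if any.
audit_listing() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=$(printf '%s\n' "$line" | awk '{ print $NF }')
        if check_line "$1" "$line"; then
            printf 'OK   %s (%s)\n' "$path" "$(selinux_type_of "$line")"
        else
            printf 'BAD  %s is %s; fix with:\n' "$path" "$(selinux_type_of "$line")"
            suggest_fix "$1" "$path" | sed 's/^/     /'
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample: the mislabelled vhost from Root Cause plus the good test dir.
SAMPLE='drwx--x--x. foo01 foo01 unconfined_u:object_r:user_home_dir_t:s0 /var/www/virtual/example.org
drwxr-xr-x. root root unconfined_u:object_r:user_home_t:s0 /var/www/virtual/example.org/logs
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/test'

if printf '%s\n' "$SAMPLE" | audit_listing content; then
    echo "all content labels OK"
fi
```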

Diagnostic Steps

  • Error messages such as the following:
        Feb 15 15:42:33 hostname setroubleshoot: SELinux is preventing the http daemon from reading users' home directories. For complete SELinux messages. run sealert -l 01228907-f87f-418b-926d-ef0f290e7915
  • Extended information from sealert:
        Source Context                unconfined_u:system_r:httpd_t:s0
        Target Context                unconfined_u:object_r:home_root_t:s0
        Target Objects                error_log [ file ]
        Source                        httpd
        Source Path                   /usr/sbin/httpd
        Port                          <Unknown>
        Host                          server.example.com
        Source RPM Packages           httpd-2.2.15-5.el6
        Target RPM Packages           
        Policy RPM                    selinux-policy-3.7.19-54.el6_0.3
        Selinux Enabled               True
        Policy Type                   targeted
        Enforcing Mode                Permissive
        Plugin Name                   httpd_enable_homedirs
        Host Name                     server.example.com
        Platform                      Linux server.example.com 2.6.32-71.14.1.el6.x86_64
                                      #1 SMP Wed Jan 5 17:01:01 EST 2011 x86_64 x86_64
        Alert Count                   11
        First Seen                    Tue Feb 15 15:07:50 2011
        Last Seen                     Tue Feb 15 15:42:31 2011
        Local ID                      01228907-f87f-418b-926d-ef0f290e7915
        Line Numbers              
  • Raw Audit Messages
        node=server.example.com type=AVC msg=audit(1297806151.613:33434): avc:  denied  { append } for  pid=13773 comm="httpd" name="error_log" dev=dm-2 ino=1962514 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file    
        node=server.example.com type=AVC msg=audit(1297806151.613:33434): avc:  denied  { open } for  pid=13773 comm="httpd" name="error_log" dev=dm-2 ino=1962514 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
        node=server.example.com type=SYSCALL msg=audit(1297806151.613:33434): arch=c000003e syscall=2 success=yes exit=7 a0=7fc0689fb388 a1=80441 a2=1b6 a3=7fc064fe2fd0 items=0 ppid=13772 pid=13773 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3222 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
