httpd will not start with selinux denial
Environment
- Red Hat Enterprise Linux 6
Issue
- SELinux errors with created virtual directories for Apache
- Error messages such as the following:
Feb xx xx:xx:xx hostname setroubleshoot: SELinux is preventing the http daemon from reading users' home directories. For complete SELinux messages. run sealert -l 01228907-f87f-418b-926d-ef0f290e7915
Resolution
- Make a test directory in /var/www and copy the context from that:
# mkdir /var/www/test
# ls -ldZ /var/www/test/
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/test/
- Recursively change the context using it as a reference:
# chcon -R --reference=/var/www/test /var/www/virtual
Root Cause
- System had incorrect SELinux contexts:
# ls -laZ /var/www/virtual/example.org/
drwx--x--x. foo01 foo01 unconfined_u:object_r:user_home_dir_t:s0 .
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 ..
-rw-------. foo01 foo01 unconfined_u:object_r:home_root_t:s0 .bash_history
drwxr-xr-x. root root unconfined_u:object_r:user_home_t:s0 logs
- Proper, expected SELinux context for created virtual directories should be the httpd_sys_content_t type, not the user_home_dir_t type.
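As an added example (not part of the Red Hat solution), the following POSIX shell script flags every entry in `ls -laZ` output whose SELinux type is not an httpd content type, and relabels the directory from the policy's own file-context rules with restorecon, which, unlike a one-off chcon, survives later relabels. The sample listing is constructed from the Root Cause output above; the script assumes the virtual host root sits under /var/www, which the RHEL 6 targeted policy already maps to httpd_sys_content_t.

```shell
#!/bin/sh
# Added example, not from the Red Hat solution: flag mislabelled entries in
# `ls -laZ` output and restore the policy default label. Assumes the vhost
# root lives under /var/www, which the RHEL 6 targeted policy already maps
# to httpd_sys_content_t (roots elsewhere need a semanage fcontext rule first).

# Constructed sample: the listing shown in the Root Cause section, plus one
# correctly labelled file so the filter has something to leave alone.
SAMPLE_LS='drwx--x--x. foo01 foo01 unconfined_u:object_r:user_home_dir_t:s0 .
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 ..
-rw-------. foo01 foo01 unconfined_u:object_r:home_root_t:s0 .bash_history
drwxr-xr-x. root root unconfined_u:object_r:user_home_t:s0 logs
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html'

# Print "<name> <type>" for every entry whose SELinux type is not an httpd_*
# type. Input lines are "mode user group user:role:type:level name..." as
# `ls -laZ` prints them on RHEL 6; names containing spaces are reassembled.
find_bad_labels() {
    printf '%s\n' "$1" | awk 'NF >= 5 {
        split($4, ctx, ":")
        name = $5
        for (i = 6; i <= NF; i++) name = name " " $i
        if (ctx[3] !~ /^httpd_/) print name, ctx[3]
    }'
}

# Number of mislabelled entries (0 when the listing is clean).
count_bad_labels() {
    find_bad_labels "$1" | grep -c ''
}

# Relabel from the policy's file-context rules. This survives a future
# restorecon or full relabel, unlike a one-off chcon. Pass "apply" as the
# second argument to run it; otherwise the command is only printed.
restore_labels() {
    dir=$1
    if [ "$2" = apply ]; then
        restorecon -Rv "$dir"
    else
        echo "restorecon -Rv $dir"
    fi
}

# Stand-alone run on the constructed sample (dry run, nothing is changed).
find_bad_labels "$SAMPLE_LS"
restore_labels /var/www/virtual
```

On a live host, feed it the real listing with `find_bad_labels "$(ls -laZ /var/www/virtual/example.org/)"` and run `restore_labels /var/www/virtual apply` only after confirming the directory is meant to be web content.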
Diagnostic Steps
- Error messages such as the following:
Feb 15 15:42:33 hostname setroubleshoot: SELinux is preventing the http daemon from reading users' home directories. For complete SELinux messages. run sealert -l 01228907-f87f-418b-926d-ef0f290e7915
- Extended information from sealert:
Source Context unconfined_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:home_root_t:s0
Target Objects error_log [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host server.example.com
Source RPM Packages httpd-2.2.15-5.el6
Target RPM Packages
Policy RPM selinux-policy-3.7.19-54.el6_0.3
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Plugin Name httpd_enable_homedirs
Host Name server.example.com
Platform Linux server.example.com 2.6.32-71.14.1.el6.x86_64
#1 SMP Wed Jan 5 17:01:01 EST 2011 x86_64 x86_64
Alert Count 11
First Seen Tue Feb 15 15:07:50 2011
Last Seen Tue Feb 15 15:42:31 2011
Local ID 01228907-f87f-418b-926d-ef0f290e7915
Line Numbers
- Raw Audit Messages
node=server.example.com type=AVC msg=audit(1297806151.613:33434): avc: denied { append } for pid=13773 comm="httpd" name="error_log" dev=dm-2 ino=1962514 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
node=server.example.com type=AVC msg=audit(1297806151.613:33434): avc: denied { open } for pid=13773 comm="httpd" name="error_log" dev=dm-2 ino=1962514 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
node=server.example.com type=SYSCALL msg=audit(1297806151.613:33434): arch=c000003e syscall=2 success=yes exit=7 a0=7fc0689fb388 a1=80441 a2=1b6 a3=7fc064fe2fd0 items=0 ppid=13772 pid=13773 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3222 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
