httpd does not start with SELinux denial
Environment
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Apache HTTPD 2.4.x
Issue
- SELinux denials after creating virtual host directories (document roots or log directories) for Apache outside the locations the default policy labels, or after moving existing directories there
- Error messages such as the following from setroubleshoot:
Feb xx xx:xx:xx hostname setroubleshoot: SELinux is preventing the http daemon from reading users' home directories. For complete SELinux messages. run sealert -l 01228907-f87f-418b-926d-ef0f290e7915
or the following error in httpd logs
(13)Permission denied: AH00091: httpd: could not open error log file /var/log/customLogDir/My_error_log.
AH00015: Unable to open logs
Resolution
- Quick fix: make a test directory in /var/www, which receives the default httpd content label, and copy its context from that:
# mkdir /var/www/test
# ls -ldZ /var/www/test/
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/test/
- Recursively change the context of the virtual host directory, using the test directory as a reference:
# chcon -R --reference=/var/www/test /var/www/virtual
Note that chcon only rewrites the labels currently on disk. It does not add a policy rule, so the change is lost the next time the tree is relabelled (restorecon, or a full relabel after touching /.autorelabel). For directories under /var/www the default policy already maps the tree to httpd_sys_content_t, so a plain restorecon -vvRF /var/www/virtual is enough; for any other location, record the context persistently with semanage.
- Persistent fix: add file context rules with semanage for the content directory and the custom log directory, then apply them:
# semanage fcontext -a -t httpd_sys_content_t '/websites(/.*)?'
# semanage fcontext -a -t httpd_log_t '/var/log/customLogDir(/.*)?'
- To make a new location labelled exactly like an existing directory instead of naming a type, add an equivalence rule with -e (the second argument is a plain path, not a regular expression):
# semanage fcontext -a -e /var/www/test /websites
- In either case the rules only take effect once the files are relabelled, so run restorecon afterwards:
# restorecon -vvRF /websites
# restorecon -vvRF /var/log/customLogDir
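The following script is an added example and is not part of the original article or of Red Hat's tooling. It audits the kind of ls -laZ listing shown in the Root Cause section, reports every entry whose SELinux type is not the one httpd expects, and prints the persistent semanage/restorecon commands that would correct each one (using semanage rather than chcon so the label survives a relabel). The listing is constructed inline to mirror the Root Cause output, with one correctly labelled entry added; expected_type is a deliberately simplified assumption (log paths get httpd_log_t, everything else read-only httpd_sys_content_t), and nothing here runs semanage or restorecon itself.

```shell
#!/bin/sh
# Added example (not from the original article): audit "ls -laZ" output of a
# virtual host directory for entries whose SELinux type is not the one httpd
# expects, and print the persistent semanage/restorecon commands that would
# fix each one. Nothing here calls semanage or restorecon itself.

# Constructed sample of `ls -laZ /var/www/virtual/example.org/`, modelled on
# the Root Cause listing plus one correctly labelled "htdocs" directory.
SAMPLE_LS='drwx--x--x. foo01 foo01 unconfined_u:object_r:user_home_dir_t:s0 .
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 ..
-rw-------. foo01 foo01 unconfined_u:object_r:home_root_t:s0 .bash_history
drwxr-xr-x. root root unconfined_u:object_r:user_home_t:s0 logs
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 htdocs'

# selinux_type CONTEXT -> the type field of user:role:TYPE:level
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_type PATH -> type httpd needs on PATH. Simplified assumption for
# this example: log locations get httpd_log_t, served content gets the
# read-only httpd_sys_content_t.
expected_type() {
    case "$1" in
        */logs|*/logs/*|/var/log/*) echo httpd_log_t ;;
        *) echo httpd_sys_content_t ;;
    esac
}

# wrong_types BASE LISTING -> "path kind current expected" for every entry
# of LISTING (ls -laZ format) whose type differs from expected_type.
# kind is d for directories, f otherwise; "." is BASE itself, ".." is skipped.
wrong_types() {
    base=$1
    printf '%s\n' "$2" | while read -r perms owner group ctx name; do
        [ -z "$name" ] && continue
        [ "$name" = ".." ] && continue
        if [ "$name" = "." ]; then path=$base; else path=$base/$name; fi
        case "$perms" in d*) kind=d ;; *) kind=f ;; esac
        cur=$(selinux_type "$ctx")
        want=$(expected_type "$path")
        if [ "$cur" != "$want" ]; then
            printf '%s %s %s %s\n' "$path" "$kind" "$cur" "$want"
        fi
    done
}

# fix_commands BASE LISTING -> one semanage fcontext rule per mismatch
# (directories get the recursive "(/.*)?" pattern) followed by restorecon.
# semanage is used instead of chcon so the label survives a later relabel.
fix_commands() {
    wrong_types "$1" "$2" | while read -r path kind cur want; do
        if [ "$kind" = d ]; then pattern="$path(/.*)?"; else pattern=$path; fi
        printf "semanage fcontext -a -t %s '%s'\n" "$want" "$pattern"
        printf 'restorecon -vvRF %s\n' "$path"
    done
}

wrong_types /var/www/virtual/example.org "$SAMPLE_LS"
fix_commands /var/www/virtual/example.org "$SAMPLE_LS"
```

On a real system replace SAMPLE_LS with the output of `ls -laZ` on the virtual host directory; the printed commands are meant to be reviewed before they are run, since a writable upload directory would need httpd_sys_rw_content_t rather than the read-only type this example assumes.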
Root Cause
- System had incorrect SELinux contexts:
# ls -laZ /var/www/virtual/example.org/
drwx--x--x. foo01 foo01 unconfined_u:object_r:user_home_dir_t:s0 .
drwxr-xr-x. root root system_u:object_r:home_root_t:s0 ..
-rw-------. foo01 foo01 unconfined_u:object_r:home_root_t:s0 .bash_history
drwxr-xr-x. root root unconfined_u:object_r:user_home_t:s0 logs
- The proper, expected SELinux context for the created virtual host directories is the httpd_sys_content_t type, not user_home_dir_t. The types in the listing above (user_home_dir_t, user_home_t, home_root_t) are home-directory labels; they stay on a tree that is moved rather than copied into the web root, because mv keeps the source label while cp assigns the destination's default. This is also why setroubleshoot matched the httpd_enable_homedirs plugin: the daemon really was trying to read files labelled as home directories.
- The expected SELinux context for Apache logs is the httpd_log_t type.
Diagnostic Steps
- Error messages such as the following:
Feb 15 15:42:33 hostname setroubleshoot: SELinux is preventing the http daemon from reading users' home directories. For complete SELinux messages. run sealert -l 01228907-f87f-418b-926d-ef0f290e7915
- Extended information from sealert. Note that this report was taken with SELinux in permissive mode (Enforcing Mode: Permissive below), which is why the SYSCALL record ends with success=yes even though both AVC records are denials; in enforcing mode the same open of error_log fails and httpd does not start:
Source Context unconfined_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:home_root_t:s0
Target Objects error_log [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host server.example.com
Source RPM Packages httpd-2.2.15-5.el6
Target RPM Packages
Policy RPM selinux-policy-3.7.19-54.el6_0.3
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Plugin Name httpd_enable_homedirs
Host Name server.example.com
Platform Linux server.example.com 2.6.32-71.14.1.el6.x86_64
#1 SMP Wed Jan 5 17:01:01 EST 2011 x86_64 x86_64
Alert Count 11
First Seen Tue Feb 15 15:07:50 2011
Last Seen Tue Feb 15 15:42:31 2011
Local ID 01228907-f87f-418b-926d-ef0f290e7915
Line Numbers
- Raw Audit Messages
node=server.example.com type=AVC msg=audit(1297806151.613:33434): avc: denied { append } for pid=13773 comm="httpd" name="error_log" dev=dm-2 ino=1962514 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
node=server.example.com type=AVC msg=audit(1297806151.613:33434): avc: denied { open } for pid=13773 comm="httpd" name="error_log" dev=dm-2 ino=1962514 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file
node=server.example.com type=SYSCALL msg=audit(1297806151.613:33434): arch=c000003e syscall=2 success=yes exit=7 a0=7fc0689fb388 a1=80441 a2=1b6 a3=7fc064fe2fd0 items=0 ppid=13772 pid=13773 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3222 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.