[CentOS] Baffled by selinux

Thu Feb 16 17:13:50 UTC 2012
James B. Byrne <byrnejb at harte-lyne.ca>

On Thu, February 16, 2012 07:35, Lars Hecking wrote:
>
>  Apache DocumentRoot on an NFS directory:
>
> [root at localhost ~]# service httpd start
> Starting httpd: Warning: DocumentRoot [/home/www/html]
> does not exist
> Syntax error on line 292 of /etc/httpd/conf/httpd.conf:
> DocumentRoot must be a directory
>                                                            [FAILED]
> [root at localhost ~]#
>
>  After some research, I found this (dated) link
>
>   http://www.redhat.com/archives/rhl-list/2005-July/msg02443.html
>
>  and followed the suggestion, setsebool -P
> use_nfs_home_dirs=1. But I still
>  can't start httpd. Not sure what to make of the audit
> log:
>
> type=AVC msg=audit(1329395502.678:61926): avc:  denied  {
> search } for  pid=25674 comm="httpd" name="" dev=0:23
> ino=3471615 scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:nfs_t:s0 tclass=dir
> type=SYSCALL msg=audit(1329395502.678:61926):
> arch=c000003e syscall=4 success=no exit=-13
> a0=7fef342bc080 a1=7fffaf747370 a2=7fffaf747370
> a3=7fef30c65c30 items=0 ppid=25673 pid=25674 auid=0 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0
> ses=2 comm="httpd" exe="/usr/sbin/httpd"
> subj=unconfined_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1329395502.681:61927): avc:  denied  {
> search } for  pid=25674 comm="httpd" name="" dev=0:23
> ino=3471615 scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:nfs_t:s0 tclass=dir
> type=SYSCALL msg=audit(1329395502.681:61927):
> arch=c000003e syscall=4 success=no exit=-13
> a0=7fef342eae68 a1=7fffaf747630 a2=7fffaf747630 a3=50
> items=0 ppid=25673 pid=25674 auid=0 uid=0 gid=0 euid=0
> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2
> comm="httpd" exe="/usr/sbin/httpd"
> subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>

Try this:

yum install policycoreutils-python setroubleshoot-server

Now use the audit2allow and semanage utilities to tell you
what SEbooleans to set or what to include in a custom
policy.  Information from 2010 is out of date for SELinux
on CentOS-6, assuming that you are in fact running the
latest version, much less stuff from 2005.

HTH

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
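
The denial in the quoted audit log, read field by field, as an added example that is not part of the original thread and is not audit2allow itself: a small Python parser that groups AVC records by source type, target type and class, then renders each group in `allow` rule syntax for review. The sample log is the two AVC records from the post unwrapped to single lines, with the SYSCALL record abridged; the function names are illustrative.

```python
import re
from collections import defaultdict

# Sample input built from the post: AVC records unwrapped, SYSCALL record abridged.
SAMPLE_LOG = """\
type=AVC msg=audit(1329395502.678:61926): avc:  denied  { search } for  pid=25674 comm="httpd" name="" dev=0:23 ino=3471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1329395502.678:61926): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1329395502.681:61927): avc:  denied  { search } for  pid=25674 comm="httpd" name="" dev=0:23 ino=3471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}.*?\bcomm=\"(?P<comm>[^\"]*)\".*?"
    r"\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]  # the level may itself contain ':', so index from the left

def summarize_denials(log_text):
    """Group AVC denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types are skipped
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        g = groups[key]
        g["perms"].update(m["perms"].split())
        g["comms"].add(m["comm"])
        g["count"] += 1
    return dict(groups)

def as_te_rules(groups):
    """Render each group in type-enforcement 'allow' syntax, for reading only."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    for rule in as_te_rules(summarize_denials(SAMPLE_LOG)):
        print(rule)
```

On the sample this yields the single line `allow httpd_t nfs_t:dir search;`, which shows that both records are the same denial: the httpd_t domain searching a directory labelled nfs_t.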