Filipe Brandenburger filbranden at gmail.com at Tue Dec 18 19:06:50 UTC 2007 wrote:
> Hi,
> I'm no SELinux expert, but I think the issue is that under SELinux's targeted policy, Apache will refuse to write to a directory with etc_t type. It can, however, write to a directory with the httpd_log_t type, such as /var/log/httpd. Couldn't you just write the logs to /var/log/httpd instead? As these seem to be logs, writing them under the /var/log directory tree seems to be more appropriate.
True, very true, but these are rewrite logs and I only have the logging turned on when I am developing and testing new rules (or debugging old ones). So I find it convenient to have the log and the configuration file in the same directory.
> Alternatively, you can change the type of the directory you're writing to by using "chcon -t httpd_log_t /etc/httpd/virtual.d", but if you have other files (other than these log files) in this directory you may have other unexpected collateral effects.
I will examine this aspect of policies further now that I have a starting point. I was very unclear as to what was going on here and this has helped.
> Please note that I'm no SELinux expert though.
Never met one myself although I suppose that they exist in the wild. Thanks for the help.
Regards, Jim
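
The denial discussed in this thread (httpd_t refused write access to an etc_t directory) can be confirmed from the audit log before any relabeling. The following is an added example, not part of the original messages: it parses AVC denial records and flags write-type denials for Apache. The sample log lines, the file name rewrite.log, and the function names are constructed for illustration.

```python
import re

# Constructed sample audit.log lines (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1198004810.123:456): avc:  denied  { write } for  pid=2301 comm="httpd" name="virtual.d" dev=dm-0 ino=98311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1198004811.456:457): avc:  denied  { read } for  pid=2410 comm="sshd" name="shadow" dev=dm-0 ino=1201 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1198004900.001:460): avc:  denied  { add_name } for  pid=2301 comm="httpd" name="rewrite.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1198004900.001:460): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Permissions that indicate an attempt to modify a file or directory.
WRITE_PERMS = {"write", "append", "create", "add_name"}


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_denials(text):
    """Extract one dict per AVC denial record; other record types are skipped."""
    denials = []
    for line in text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("fields"))}
        denials.append({
            "perms": set(match.group("perms").split()),
            "comm": fields.get("comm", ""),
            "name": fields.get("name", ""),
            "source_type": selinux_type(fields.get("scontext", "")),
            "target_type": selinux_type(fields.get("tcontext", "")),
            "tclass": fields.get("tclass", ""),
        })
    return denials


def httpd_write_denials(denials):
    """Keep denials where the httpd_t domain tried to modify an object."""
    return [d for d in denials
            if d["source_type"] == "httpd_t" and d["perms"] & WRITE_PERMS]


if __name__ == "__main__":
    for d in httpd_write_denials(parse_denials(SAMPLE_LOG)):
        print(f'{d["comm"]} denied {sorted(d["perms"])} on {d["tclass"]} '
              f'"{d["name"]}" labeled {d["target_type"]}')
```

A target type of etc_t in the flagged records matches the diagnosis given above; the report also shows exactly which object names were involved, which helps when deciding how narrowly to relabel.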