I want to put the document root for an application on a separate partition that has more space. When I try to configure this I can't access the files in the new location. I've got the SELinux attributes set on the directory and its files, so I'm thinking it's something about the parent path that SELinux doesn't like, but I don't know where that's handled.
My partition is mounted to /mnt/bigdisk2, and I put the app in the wbb3-tmp subdirectory there:
[root@centos wbb3-tmp]# ls -Za
drwxr-xr-x  apache apache system_u:object_r:httpd_sys_content_t .
drwxr-xr-x  root   root   system_u:object_r:file_t ..
-rw-r--r--  apache apache system_u:object_r:httpd_sys_content_t WCFSetup.tar.gz
-rw-r--r--  apache apache system_u:object_r:httpd_sys_content_t index.html
-rw-r--r--  apache apache system_u:object_r:httpd_sys_content_t install.php
-rw-r--r--  apache apache system_u:object_r:httpd_sys_content_t test.php
[root@centos wbb3-tmp]# pwd
/mnt/bigdisk2/wbb3-tmp
My Apache VirtualHost block contains this:
Alias /wbb3-tmp /mnt/bigdisk2/wbb3-tmp
<Directory "/mnt/bigdisk2/wbb3-tmp">
    AllowOverride AuthConfig Options Limit
    Options +Indexes -ExecCGI +FollowSymLinks +MultiViews
    Order allow,deny
    Allow from all
</Directory>
This works if I disable SELinux.
On Sun, 2008-11-30 at 05:56 -0800, Kenneth Porter wrote:
This works if I disable SELinux.
You forgot one important bit: the actual denials.
--On Sunday, November 30, 2008 9:02 AM -0500 Ignacio Vazquez-Abrams ivazqueznet@gmail.com wrote:
You forgot one important bit: the actual denials.
I don't find anything in /var/log/audit/audit.log nor /var/log/messages. audit.log looks like the right place but it hasn't logged anything since June. Do I need to enable this? (I suspect another admin turned it off inadvertently.) The auditd service is running.
I'm finding that auditd will in fact log to the console if I run it with -f (don't fork). But it's not writing the entries to /var/log/audit/audit.log. I think I have enough disk space. The default config suspends auditing when free space falls below 50 and 75 megabytes, and df shows over 6 GB available.
Here's what I'm seeing logged. (Newlines added to make it easier to see the log line boundaries with wrapping.) It looks like it's failing to traverse the root directory to get to the directory with the content in it, but why doesn't it fail on /var/www/html or home directory content, which must also do that?
type=AVC msg=audit(1228142052.656:3183659): avc: denied { search } for pid=29382 comm="httpd" name="/" dev=cciss/c0d2p1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1228142052.656:3183659): arch=40000003 syscall=195 success=no exit=-13 a0=d75a6f0 a1=bfa4aadc a2=5ccff4 a3=8170 items=0 ppid=24589 pid=29382 auid=555 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228142052.657:3183660): avc: denied { getattr } for pid=29382 comm="httpd" name="/" dev=cciss/c0d2p1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1228142052.657:3183660): arch=40000003 syscall=196 success=no exit=-13 a0=d75a768 a1=bfa4aadc a2=5ccff4 a3=2008171 items=0 ppid=24589 pid=29382 auid=555 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC_PATH msg=audit(1228142052.657:3183660): path="/mnt/bigdisk2"
Kenneth Porter wrote:
Here's what I'm seeing logged. (Newlines added to make it easier to see the log line boundaries with wrapping.) It looks like it's failing to traverse the root directory to get to the directory with the content in it, but why doesn't it fail on /var/www/html or home directory content, which must also do that?
type=AVC msg=audit(1228142052.656:3183659): avc: denied { search } for pid=29382 comm="httpd" name="/" dev=cciss/c0d2p1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Try this:
# grep httpd /var/log/audit/audit.log | audit2why
The output should explain why you are getting the permission denials.
Rick
On Monday, December 01, 2008 10:26 AM -0500 Rick Barnes linux@sitevision.com wrote:
Try this:
# grep httpd /var/log/audit/audit.log | audit2why
The output should explain why you are getting the permission denials.
Alas, it didn't really tell me more than what I could see in the log lines.
What helped was to download the source RPM for the policy:
selinux-policy-2.4.6-137.el5.src.rpm
This is like a kernel source package, and has all the text files that are compiled to become the installed binary policy. Hence, it's very handy for grepping through to understand how all the rules work. It also identified that there's a man page full of handy sebools for more fine-grained control of the web server policy. Use "man httpd_selinux" to view it.
Looking more carefully at my log lines, I realized that the "/" being referred to was not the "real" root but the root of the mounted device, and it had type file_t. That's not a directory type that Apache is allowed to search. For now, I've changed it to var_t, which is one that's allowed, and things now work.
chcon -t var_t /mnt/bigdisk2
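The denials quoted earlier in the thread and the conclusion in this last message (the "/" in the AVC record is the root of the mounted filesystem, inode 2, carrying the unlabeled type file_t) can be checked mechanically. This is an added Python example, not code from the thread or any of its participants; it parses the AVC and AVC_PATH records as posted, pairs them by audit serial number, and reports the real path and the source and target types for each denial.

```python
import re

# Audit records quoted from the thread (serials 3183659 and 3183660); SYSCALL records are parsed but carry no denial.
SAMPLE_LOG = """\
type=AVC msg=audit(1228142052.656:3183659): avc: denied { search } for pid=29382 comm="httpd" name="/" dev=cciss/c0d2p1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1228142052.656:3183659): arch=40000003 syscall=195 success=no exit=-13 uid=48 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228142052.657:3183660): avc: denied { getattr } for pid=29382 comm="httpd" name="/" dev=cciss/c0d2p1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC_PATH msg=audit(1228142052.657:3183660): path="/mnt/bigdisk2"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
PERM_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')

def parse_records(text):
    """Group audit lines by serial: {serial: {record type: {field: value}}}."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        perm = PERM_RE.search(line)
        fields["perms"] = perm.group(1).split() if perm else []
        events.setdefault(int(m.group(2)), {})[fields["type"]] = fields
    return events

def type_of(context):
    """Type field of a context such as system_u:object_r:file_t:s0."""
    return context.split(":")[2]

def diagnose(text):
    """One finding per AVC denial, with the path taken from a paired AVC_PATH record."""
    findings = []
    for serial, recs in sorted(parse_records(text).items()):
        avc = recs.get("AVC")
        if avc is None:
            continue
        hints = []
        if avc["tclass"] == "dir" and avc["name"] == "/" and avc["ino"] == "2":
            # Inode 2 is the root inode of an ext2/3/4 filesystem, so this "/" is the root of dev, i.e. a mount point.
            hints.append("name=/ ino=2 is the root of %s (a mount point)" % avc["dev"])
        if type_of(avc["tcontext"]) == "file_t":
            hints.append("file_t means the directory carries no SELinux label")
        findings.append({"serial": serial, "perms": avc["perms"],
                         "source": type_of(avc["scontext"]), "target": type_of(avc["tcontext"]),
                         "path": recs.get("AVC_PATH", {}).get("path"), "hint": "; ".join(hints)})
    return findings

if __name__ == "__main__":
    print(*diagnose(SAMPLE_LOG), sep="\n")
```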