In this example we will try to solve an Apache problem: Apache can't read an index.html file that it has permission to read.
The setroubleshoot tool is, surprisingly, made for exactly that. The name itself is self-explanatory, but I have to admit I was not familiar with the existence of such a tool. We will install the tool, or rather a set of tools, and the setroubleshoot daemon:
# yum install setroubleshoot
and run the service:
# service setroubleshoot start
Now repeat the action that should have worked (in my case, requesting the page) and check /var/log/messages:
Oct 14 17:33:26 setroubleshoot: SELinux is preventing the httpd from \
using potentially mislabeled files \
(/var/www/html/homes/my_new_virtual_home/index.html). \
For complete SELinux messages \
run sealert -l 88a55a70-b798-43b4-bcfb-32c8918e436d
Whoa, the "sealert" command even gives you an explanation of this:
SELinux has denied httpd access to potentially mislabeled file(s)
(/var/www/html/homes/my_new_virtual_home/index.html). This means that SELinux will not allow httpd to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories.
The problem is that the files end up with the wrong file context which confined applications are not allowed to access.
The command also tells you how to fix it, at least for my specific case. It offered to clear the security context on the files using restorecond, but this would not be useful because I had a special setup where my home directory was within the httpd root subdirectory. Therefore the files were labeled as common user files and not as the webserver's. I needed to change the SELinux attributes on the file(s) Apache is trying to access. You can check the SELinux context of files using ls -Z:
# ls -Z index.html
-rw-r--r-- alchy alchy user_u:object_r:user_home_dir_t index.html
In my case I had to set my file to the httpd_sys_content_t type to allow Apache to read it. After the change the attributes looked like:
# ls -Z index.html
-rw-r--r-- alchy alchy user_u:object_r:httpd_sys_content_t index.html
I used the command:
# chcon -R -h -t httpd_sys_content_t \
/var/www/html/homes/my_new_virtual_home/
I simply set the directory and its contents to "httpd_sys_content_t", since the files here are regular static web pages.
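As an added example (not part of the original post), here is a small POSIX shell check that parses `ls -Z` lines in the format shown above and reports every file whose SELinux type is not one httpd may read. The list of acceptable types is an assumption (httpd_sys_content_t and httpd_sys_rw_content_t); the sample lines are constructed.

```shell
#!/bin/sh
# Added example: find files under a web root that carry a SELinux type httpd
# is not allowed to read, from `ls -Z` output (perms user group context name).

# Assumption: types httpd may read for static/rw content; adjust to your policy.
WEB_TYPES="httpd_sys_content_t httpd_sys_rw_content_t"

# Extract the TYPE field of a user:role:TYPE[:level] context from one ls -Z line.
selinux_type() {
    printf '%s\n' "$1" | awk '{ split($4, c, ":"); print c[3] }'
}

# Read ls -Z lines on stdin; print "name type" for each mislabeled file.
# Returns 0 when every file has an acceptable type, 1 otherwise.
# (Names containing spaces are not handled; field 5 is taken as the name.)
find_mislabeled() {
    rc=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        name=$(printf '%s\n' "$line" | awk '{ print $5 }')
        type=$(selinux_type "$line")
        ok=0
        for t in $WEB_TYPES; do
            [ "$type" = "$t" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s %s\n' "$name" "$type"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the post's mislabeled index.html next to two correct files
# (the third line carries an MLS level, which the parser ignores).
SAMPLE='-rw-r--r-- alchy alchy user_u:object_r:user_home_dir_t index.html
-rw-r--r-- alchy alchy user_u:object_r:httpd_sys_content_t about.html
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t:s0 logo.png'

# On a live system: ls -Z /var/www/html/homes/my_new_virtual_home | find_mislabeled
printf '%s\n' "$SAMPLE" | find_mislabeled || echo "mislabeled files found"
```

Note that a label set with chcon, as in the post, is lost on a filesystem relabel (restorecon); a persistent rule needs a semanage fcontext entry followed by restorecon.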
I will put together some deeper talk about SELinux later.
To boot without SELinux, add selinux=0 to the kernel boot parameters.