question about selinux and apache
I just configured my apache on CentOS 5.5. It started up.
I then configured my VirtualHosts to have 2 definitions. Copied the example from the file for now.
Restarted the httpd process and I get this:
Starting httpd: Warning: DocumentRoot [/home/mysite] does not exist
I cd to the dir and a basic index.html file is there.
I googled the error and found the following...
"Edit /etc/sysconfig/selinux and change it to disabled then reboot."
Now my question is this:
Why would you want/need to disable selinux?
I want selinux enabled especially on a www server.
Should I disable/reboot then re-enable it?
Is this a 1 time deal?
None of the posts I read explained why you needed to disable it and if you could re-enable it.
I tried to go to the http://www.apache.org site and it says it's not responding. So I cannot look things up there.
Thanx in advance.
CJ
Re: question about selinux and apache
I found this link after some searching but I don't understand the chcon command and don't want to munge my system.
http://www.centos.org/modules/newbb/viewtopic.php?topic_id=2147&forum=31
ls -al --contex /home
drwxr-xr-x root root system_u:object_r:file_t .
drwxr-xr-x root root system_u:object_r:root_t ..
drwx------ root root system_u:object_r:file_t lost+found
drwxr-xr-x apache apache user_u:object_r:file_t www
[root@loxww35 audit]# ls -al --contex /home/www
drwxr-xr-x apache apache user_u:object_r:file_t .
drwxr-xr-x root root system_u:object_r:file_t ..
drwxr-xr-x apache apache user_u:object_r:file_t sample1_com
drwxr-xr-x apache apache user_u:object_r:file_t sample2_com
drwxr-xr-x apache apache user_u:object_r:file_t logs
I'm still reading up on it but not sure if what I am looking at is OK or not. It looks like apache.apache is the owner of the files OK..
Re: question about selinux and apache
I just noticed this too. I am wondering why it thinks there are no virtual hosts? I defined 2 of them.
service httpd start
Starting httpd: Warning: DocumentRoot [/home/wwww/sample1_com] does not exist
Warning: DocumentRoot [/home/www/sample2_com] does not exist
[Wed Sep 01 14:03:24 2010] [warn] NameVirtualHost *:80 has no VirtualHosts
[ OK ]
Re: question about selinux and apache
Some people remove the dirs and rebuild them.
I tried this and it still does not work.
I even tried new names and updated the httpd.conf file to reflect that.
- Retired Moderator
- Posts: 18276
- Joined: 2006/12/13 20:15:34
- Location: Tidewater, Virginia, North America
Re: question about selinux and apache
Have you tried a Wiki search on [url=http://wiki.centos.org/?action=fullsearch&context=180&value=selinux+httpd&fullsearch=Text]selinux httpd[/url]?
http://wiki.centos.org/TipsAndTricks/ApacheVhostDir
http://wiki.centos.org/HowTos/SELinux
http://wiki.centos.org/TipsAndTricks/SelinuxBooleans
Re: question about selinux and apache
[quote]
unix1adm wrote:
I found this link after some searching but I don't understand the chcon command and don't want to munge my system.
http://www.centos.org/modules/newbb/viewtopic.php?topic_id=2147&forum=31
ls -al --contex /home
drwxr-xr-x root root system_u:object_r:file_t .
drwxr-xr-x root root system_u:object_r:root_t ..
drwx------ root root system_u:object_r:file_t lost+found
drwxr-xr-x apache apache user_u:object_r:file_t www
[root@loxww35 audit]# ls -al --contex /home/www
drwxr-xr-x apache apache user_u:object_r:file_t .
drwxr-xr-x root root system_u:object_r:file_t ..
drwxr-xr-x apache apache user_u:object_r:file_t sample1_com
drwxr-xr-x apache apache user_u:object_r:file_t sample2_com
drwxr-xr-x apache apache user_u:object_r:file_t logs
I'm still reading up on it but not sure if what I am looking at is OK or not. It looks like apache.apache is the owner of the files OK..[/quote]
So I changed the context using the chcon -R httpd_sys_content_t /home/www
Still getting the error on start up about no directory found.
Update:
I turned off SELinux and rebooted. Now when I run the service httpd start command I get only 1 error and it's for the sample1_com dir, not the sample2_com.
I don't like leaving SELinux down but had to try it to see if it fixed my issue. Does not look like it did.
I did some reading about relabeling the filesystems. Not sure if I should do that or not.
touch /.autorelabel
reboot
I have not done this yet.
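Added example, not part of any post in this thread: a reader for the `ls --context` listing quoted in the post above. It sorts each entry by what its SELinux type means for httpd; `file_t` is the type given to files that carry no label at all, and changing the type on one subtree leaves its parent directories as they were. The function names and the `CONTENT_TYPES` list are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies entries of an
# `ls --context` listing by what their SELinux type means for httpd.

# Types this example treats as servable content. Assumption: a real
# policy defines more httpd content types than the two listed here.
CONTENT_TYPES="httpd_sys_content_t httpd_sys_script_exec_t"

# stdin:  lines of "mode user group context name" (the format posted above)
# stdout: "name type verdict", where verdict is one of
#   unlabeled - file_t, the type given to files that carry no label
#   content   - type listed in CONTENT_TYPES
#   other     - labeled, but not as web content
classify_labels() {
    awk -v content="$CONTENT_TYPES" '
        BEGIN { n = split(content, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        NF >= 5 && $4 ~ /^[^:]+:[^:]+:[^:]+/ {
            split($4, ctx, ":")              # user:role:type[:level]
            ty = ctx[3]
            if (ty == "file_t")  verdict = "unlabeled"
            else if (ty in ok)   verdict = "content"
            else                 verdict = "other"
            print $5, ty, verdict
        }'
}

# Number of entries that have no label yet (relabeling is what fixes these).
count_unlabeled() {
    classify_labels | awk '$3 == "unlabeled" { n++ } END { print n + 0 }'
}

# Listing of /home copied from the post above.
SAMPLE_HOME='drwxr-xr-x root root system_u:object_r:file_t .
drwxr-xr-x root root system_u:object_r:root_t ..
drwx------ root root system_u:object_r:file_t lost+found
drwxr-xr-x apache apache user_u:object_r:file_t www'

printf '%s\n' "$SAMPLE_HOME" | classify_labels
```

On a live system the same function can be fed the output of the `ls -al --context` command for each directory on the path to the DocumentRoot.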
Re: question about selinux and apache
Does it work if you temporarily disable SELinux by "setenforce 0"?
Re: question about selinux and apache
Here are some commands for configuring SELinux for a webserver
(5-11 only if setroubleshoot isn't working in certain circumstances)
from my web server documentation project at http://jbirdz.info/centos.02.php:
Msg me there, be glad to help you.
3. SELinux Configuration
4. # vi /etc/sysconfig/selinux
SELINUX=permissive
5. # service auditd status
6. # service setroubleshoot status
7. # rm -fr /var/run/setroubleshoot.pid
8. # service setroubleshoot start
9. # service setroubleshoot status
10. Do that a few times until you get: setroubleshootd (pid xxxx) is running...
11. # genhomedircon
12. # touch /.autorelabel
13. # reboot
14. # sestatus
15. # service auditd status
16. # chcon -hvR --user=root /www
17. # chcon -hvR --type=httpd_sys_content_t /www
18. # semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"
19. # chcon -hvR --type=mysqld_var_run_t /www/mysql
20. # semanage fcontext -a -t mysqld_var_run_t "/www/mysql(/.*)?"
21. # chcon -v --type=var_t /www
22. # semanage fcontext -a -t var_t /www
23. # setsebool -P ftp_home_dir=1
24. # setsebool -P httpd_enable_homedirs=1
25. # setsebool -P httpd_can_network_relay=1
26. # setsebool -P httpd_can_network_connect=1
27. # setsebool -P allow_ftpd_full_access=1
28. # setenforce Enforcing
29. If all is good with SELinux # vi /etc/sysconfig/selinux
SELINUX=enforcing
question about selinux and apache
[quote]unix1adm wrote:
So I changed the contex using the chcon -R httpd_sys_content_t /home/www[/quote]
Yes, you got the 'setsebool' and 'chcon' advice here: http://www.linuxquestions.org/questions/linux-software-2/question-about-selinux-and-apache-829783/#post4085197 :-]
[quote]unix1adm wrote:
Still getting the error on start up about no directory found. (..) I turned off SELinux and rebooted. Now when I run the service httpd start command I get only 1 error and it's for the sample1_com dir, not the sample2_com. [/quote]
...and like I said over there, posting exact (error) messages and what source they originate from is far more useful and efficient than just [i]saying[/i] you've got some error. So. What does /var/log/messages say? And /var/log/audit/audit.log? Or setroubleshootd? And /var/log/httpd/*{access,error}*?
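Added example, not part of any post in this thread: one way to answer the /var/log/audit/audit.log question above. The function keeps only the AVC denials whose process is httpd and collapses repeats, so each line shows the denied permission, object class, object name and the type that object was labeled with. The sample records are constructed for this example, and `httpd_denials` is a name chosen here.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises SELinux denials for httpd
# from audit.log-style AVC records.

# stdin:  audit log lines
# stdout: one "perms tclass name target_type" line per distinct denial
#         where the denied process is httpd
httpd_denials() {
    awk '
        /avc:/ && /denied/ && /comm="httpd"/ {
            perms = $0
            sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
            gsub(/ /, ",", perms)            # "read write" -> "read,write"
            name = "-"; ttype = "-"; tclass = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
                if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
                if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
            }
            key = perms " " tclass " " name " " ttype
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# Constructed sample records in the audit.log AVC layout (not from the thread).
SAMPLE_AUDIT='type=AVC msg=audit(1283364204.512:87): avc:  denied  { search } for  pid=2871 comm="httpd" name="www" dev=dm-0 ino=1234 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1283364204.513:88): avc:  denied  { search } for  pid=2871 comm="httpd" name="www" dev=dm-0 ino=1234 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1283364300.101:95): avc:  denied  { read } for  pid=2871 comm="httpd" name="index.html" dev=dm-0 ino=1240 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1283364301.000:96): avc:  denied  { read } for  pid=3001 comm="sendmail" name="x" dev=dm-0 ino=9 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file'

printf '%s\n' "$SAMPLE_AUDIT" | httpd_denials
```

Run against the real log as `httpd_denials < /var/log/audit/audit.log`; the target type in the last column shows which label httpd was refused on.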
Re: question about selinux and apache
Yes, it does seem to work with SELinux off. Thank you all for the info. Still working on this. I had a slight setback with a corrupted fs.
The error is listed in the first post but here it is again.
service httpd start
Starting httpd: Warning: DocumentRoot [/home/wwww/sample1_com] does not exist
Warning: DocumentRoot [/home/www/sample2_com] does not exist
[Wed Sep 01 14:03:24 2010] [warn] NameVirtualHost *:80 has no VirtualHosts
[ OK ]