question about selinux and apache

Support for security such as Firewalls and securing linux
unix1adm
Posts: 153
Joined: 2010/02/23 13:27:06

question about selinux and apache

Post by unix1adm » 2010/09/01 16:00:37

I just configured my apache on CentOS 5.5. It started up.
I then configured my VirtualHosts to have 2 definitions. Copied the example from the file for now.

Restarted the httpd process and I get this:

Starting httpd: Warning: DocumentRoot [/home/mysite] does not exist

I cd to the dir and a basic index.html file is there.

I googled the error and found the following...

"Edit /etc/sysconfig/selinux and change it to disabled then reboot."

Now my question is this:
Why would you want/need to disable selinux?
I want selinux enabled especially on a www server.

Should I disable/reboot then re-enable it?

Is this a 1 time deal?
None of the posts I read explained why you needed to disable it and if you could re-enable it.
I tried to go to the http://www.apache.org site and it says it's not responding. So I cannot look things up there.
Thanks in advance.
CJ

unix1adm

Re: question about selinux and apache

Post by unix1adm » 2010/09/01 18:17:23

I found this link after some searching but I don't understand the chcon command and don't want to munge my system.

http://www.centos.org/modules/newbb/viewtopic.php?topic_id=2147&forum=31

ls -al --context /home
drwxr-xr-x root root system_u:object_r:file_t .
drwxr-xr-x root root system_u:object_r:root_t ..
drwx------ root root system_u:object_r:file_t lost+found
drwxr-xr-x apache apache user_u:object_r:file_t www

[root@loxww35 audit]# ls -al --context /home/www
drwxr-xr-x apache apache user_u:object_r:file_t .
drwxr-xr-x root root system_u:object_r:file_t ..
drwxr-xr-x apache apache user_u:object_r:file_t sample1_com
drwxr-xr-x apache apache user_u:object_r:file_t sample2_com
drwxr-xr-x apache apache user_u:object_r:file_t logs


I'm still reading up on it but not sure if what I am looking at is OK or not. It looks like apache.apache is the owner of the files OK..

unix1adm

Re: question about selinux and apache

Post by unix1adm » 2010/09/01 18:27:31

I just noticed this too. I am wondering why it thinks there are no virtual hosts? I defined 2 of them.

service httpd start
Starting httpd: Warning: DocumentRoot [/home/wwww/sample1_com] does not exist
Warning: DocumentRoot [/home/www/sample2_com] does not exist
[Wed Sep 01 14:03:24 2010] [warn] NameVirtualHost *:80 has no VirtualHosts
[ OK ]

unix1adm

Re: question about selinux and apache

Post by unix1adm » 2010/09/01 18:34:16

Some people remove the dirs and rebuild them.
I tried this and it still does not work.
I even tried new names and updated the httpd.conf file to reflect that.
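
An added example, not part of any post in this thread, for the startup warnings quoted above. httpd prints each DocumentRoot exactly as it read it from the config, and it prints "does not exist" whenever its own stat of that path fails, so the first step is to compare those strings with the filesystem from a root shell rather than to turn SELinux off. (The first warning above names /home/wwww/sample1_com, while the listing posted earlier is of /home/www.) A path that exists but still draws the warning with SELinux enforcing is one that httpd, running as httpd_t, was not allowed to stat; ls -dZ on it shows the label. The script assumes a POSIX sh with sed and mktemp; the config it checks is constructed here, with one deliberately misspelled path, and the directory names are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: check every DocumentRoot in an httpd
# config against the filesystem before looking at SELinux. httpd prints the
# DocumentRoot string exactly as written in the config, so comparing those
# strings with what is on disk separates a config typo from a denial.

# Print each DocumentRoot argument on its own line, quotes stripped.
list_docroots() {
    sed -n 's/^[[:space:]]*DocumentRoot[[:space:]]\{1,\}//p' "$1" |
        sed 's/^"//; s/"[[:space:]]*$//; s/[[:space:]]*$//'
}

# One line per directive: "OK <path>" or "MISSING <path>".
check_docroots() {
    list_docroots "$1" | while read -r root; do
        if [ -d "$root" ]; then
            printf 'OK %s\n' "$root"
        else
            printf 'MISSING %s\n' "$root"
        fi
    done
}

# Print only the paths httpd will warn about; return 0 when there are none.
missing_docroots() {
    if check_docroots "$1" | sed -n 's/^MISSING //p' | grep .; then
        return 1
    fi
    return 0
}

# Constructed sample config in a temp dir: the first vhost carries the same
# kind of typo as the thread's warning (wwww for www), the second is fine.
demo_root=$(mktemp -d)
demo_conf="$demo_root/httpd.conf"
mkdir -p "$demo_root/www/sample2_com"
cat >"$demo_conf" <<EOF
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName sample1.com
    DocumentRoot $demo_root/wwww/sample1_com
</VirtualHost>
<VirtualHost *:80>
    ServerName sample2.com
    DocumentRoot "$demo_root/www/sample2_com"
</VirtualHost>
EOF

check_docroots "$demo_conf"
# On a real server: check_docroots /etc/httpd/conf/httpd.conf, plus any file
# pulled in by Include (e.g. /etc/httpd/conf.d/*.conf). A path reported OK
# here that still draws the warning is one httpd itself cannot stat, which
# with SELinux enforcing means a label problem: ls -dZ <path>.
```

The check is run from an unconfined root shell, so it sees the directory even when httpd_t cannot; that is exactly what makes it useful as the first split in the diagnosis.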

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

Re: question about selinux and apache

Post by pschaff » 2010/09/02 15:35:38

Have you tried a Wiki search on [url=http://wiki.centos.org/?action=fullsearch&context=180&value=selinux+httpd&fullsearch=Text]selinux httpd[/url]?
http://wiki.centos.org/TipsAndTricks/ApacheVhostDir
http://wiki.centos.org/HowTos/SELinux
http://wiki.centos.org/TipsAndTricks/SelinuxBooleans

unix1adm

Re: question about selinux and apache

Post by unix1adm » 2010/09/02 19:03:06

[quote]
unix1adm wrote:
I found this link after some searching but I don't understand the chcon command and don't want to munge my system.

http://www.centos.org/modules/newbb/viewtopic.php?topic_id=2147&forum=31

ls -al --context /home
drwxr-xr-x root root system_u:object_r:file_t .
drwxr-xr-x root root system_u:object_r:root_t ..
drwx------ root root system_u:object_r:file_t lost+found
drwxr-xr-x apache apache user_u:object_r:file_t www

[root@loxww35 audit]# ls -al --context /home/www
drwxr-xr-x apache apache user_u:object_r:file_t .
drwxr-xr-x root root system_u:object_r:file_t ..
drwxr-xr-x apache apache user_u:object_r:file_t sample1_com
drwxr-xr-x apache apache user_u:object_r:file_t sample2_com
drwxr-xr-x apache apache user_u:object_r:file_t logs


I'm still reading up on it but not sure if what I am looking at is OK or not. It looks like apache.apache is the owner of the files OK..[/quote]

So I changed the context using chcon -R -t httpd_sys_content_t /home/www

Still getting the error on start up about no directory found.

Update:

I turned off SELinux and rebooted. Now when I run the service httpd start command I get only 1 error and it's for the sample1_com dir, not the sample2_com.

I don't like leaving SELinux down but had to try it to see if it fixed my issue. Does not look like it did.

I did some reading about relabeling the filesystems. Not sure if I should do that or not.

touch /.autorelabel
reboot

I have not done this yet.

pschaff

Re: question about selinux and apache

Post by pschaff » 2010/09/02 19:17:42

Does it work if you temporarily disable SELinux by "setenforce 0"?

jfr8595
Posts: 11
Joined: 2010/07/17 05:14:55

Re: question about selinux and apache

Post by jfr8595 » 2010/09/03 04:14:46

Here are some commands for configuring SELinux for a webserver
(5-11 only if setroubleshoot isn't working in certain circumstances)
from my web server documentation project at http://jbirdz.info/centos.02.php:
Msg me there, be glad to help you.

3. SELinux Configuration

4. # vi /etc/sysconfig/selinux

SELINUX=permissive

5. # service auditd status

6. # service setroubleshoot status

7. # rm -fr /var/run/setroubleshoot.pid

8. # service setroubleshoot start

9. # service setroubleshoot status

10. Do that a few times until you get: setroubleshootd (pid xxxx) is running...

11. # genhomedircon

12. # touch /.autorelabel

13. # reboot

14. # sestatus

15. # service auditd status

16. # chcon -hvR --user=root /www

17. # chcon -hvR --type=httpd_sys_content_t /www

18. # semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"

19. # chcon -hvR --type=mysqld_var_run_t /www/mysql

20. # semanage fcontext -a -t mysqld_var_run_t "/www/mysql(/.*)?"

21. # chcon -v --type=var_t /www

22. # semanage fcontext -a -t var_t /www

23. # setsebool -P ftp_home_dir=1

24. # setsebool -P httpd_enable_homedirs=1

25. # setsebool -P httpd_can_network_relay=1

26. # setsebool -P httpd_can_network_connect=1

27. # setsebool -P allow_ftpd_full_access=1

28. # setenforce Enforcing

29. If all is good with SELinux # vi /etc/sysconfig/selinux

SELINUX=enforcing
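
The list above mixes two mechanisms: chcon writes a label straight onto the inode and is overwritten by the next restorecon or by the /.autorelabel reboot in step 12, while semanage fcontext records the rule in policy so restorecon re-applies it. With the stock file contexts a path under /home gets home-directory types on a relabel, which is why a persistent rule matters for a DocumentRoot placed there. Each setsebool in the list also widens what httpd_t may do (httpd_can_network_connect, for instance, lets httpd open outbound connections to any port), so a boolean belongs only with a denial actually seen in audit.log. The script below is an added example, not part of this post, the thread, or the CentOS wiki: the persistent form of the relabel with a verification step, plus a check that reads an ls --context listing and flags what httpd_t will not be able to serve. It assumes policycoreutils (semanage, restorecon) and root for the apply and verify functions; the listing it parses is the one unix1adm posted for /home/www.

```shell
#!/bin/sh
# Added example, not from the thread: persistent SELinux labeling for a
# custom Apache DocumentRoot, plus a check over an "ls --context" listing.

# Build the regex semanage fcontext expects for a directory tree:
# "/home/www" -> "/home/www(/.*)?"
fcontext_pattern() {
    printf '%s(/.*)?\n' "${1%/}"
}

# The third colon-separated field of a context is the type:
# "user_u:object_r:file_t" -> "file_t"
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "perms user group context name" lines (the ls -al --context format on
# CentOS 5) and print entries whose type is not one httpd_t may serve as
# content. file_t means the object carries no label at all, which is what
# the thread's listing shows. A logs directory httpd writes to needs
# httpd_log_t rather than httpd_sys_content_t and would also be flagged here.
wrong_types() {
    printf '%s\n' "$1" | while read -r perms user group ctx name; do
        t=$(context_type "$ctx")
        case $t in
            httpd_sys_content_t|httpd_sys_script_exec_t) ;;
            *) printf '%s\t%s\n' "$name" "$t" ;;
        esac
    done
}

# Record the rule in policy and apply it. Needs root and policycoreutils.
# Unlike chcon, the label survives restorecon and "touch /.autorelabel".
label_docroot() {
    dir=$1
    semanage fcontext -a -t httpd_sys_content_t "$(fcontext_pattern "$dir")"
    restorecon -Rv "$dir"
}

# Dry run: restorecon -n changes nothing and, with -v, prints every file whose
# on-disk label differs from what policy now says; silence means consistent.
verify_labels() {
    if restorecon -Rnv "$1" | grep -q .; then
        echo "label mismatches under $1:" >&2
        restorecon -Rnv "$1" >&2
        return 1
    fi
    return 0
}

# Constructed input: the listing unix1adm posted for /home/www.
sample_listing='drwxr-xr-x apache apache user_u:object_r:file_t .
drwxr-xr-x root root system_u:object_r:file_t ..
drwxr-xr-x apache apache user_u:object_r:file_t sample1_com
drwxr-xr-x apache apache user_u:object_r:file_t sample2_com
drwxr-xr-x apache apache user_u:object_r:file_t logs'

wrong_types "$sample_listing"
# Live use, as root:  label_docroot /home/www && verify_labels /home/www
```

After label_docroot, ls -dZ /home/www/sample2_com should show httpd_sys_content_t, and the startup warning for that vhost goes away without touching /etc/sysconfig/selinux; any remaining warning is then a path problem, not a label one.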

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

question about selinux and apache

Post by unspawn » 2010/09/03 06:53:56

[quote]unix1adm wrote:
So I changed the context using chcon -R -t httpd_sys_content_t /home/www[/quote]
Yes, you got the 'setsebool' and 'chcon' advice here: http://www.linuxquestions.org/questions/linux-software-2/question-about-selinux-and-apache-829783/#post4085197 :-]


[quote]unix1adm wrote:
Still getting the error on start up about no directory found. (..) I turned of Selinux and rebooted. Now when I run the service httpd start command I get only 1 error and its for the sample1_com dir not the sample2_com. [/quote]
...and like I said over there, posting exact (error) messages and what source they originate from is far more useful and efficient than just [i]saying[/i] you've got some error. So. What does /var/log/messages say? And /var/log/audit/audit.log? Or setroubleshootd? And /var/log/httpd/*{access,error}*?
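
The audit log is the right place to look: each AVC record names the denied operation, the label httpd ran under (scontext) and the label of the object it was refused (tcontext), which is what tells a missing label apart from a policy decision. Below is an added example, not part of this post or the thread: a small triage over audit.log lines that summarizes each httpd denial and splits off the ones whose target had no label (file_t), which a relabel fixes, from the ones on a properly labeled object, which a boolean or policy change governs. The input lines are constructed in the CentOS 5 audit format and are not from the poster's system. On a live box, ausearch -m avc -c httpd -ts recent pulls the same records, sealert -a /var/log/audit/audit.log (setroubleshoot) explains them, and audit2allow -a shows the rules that would silence them, which is a reading aid rather than something to apply blindly.

```shell
#!/bin/sh
# Added example, not from the thread: summarise SELinux AVC denials for httpd
# from audit.log records and split "unlabeled object, relabel it" from
# "policy says no, look at a boolean".

# stdin: raw audit.log lines. stdout: "comm perm target_type path" per AVC,
# with "-" when the record carries no path (sockets, ports).
avc_summary() {
    awk '/^type=AVC/ && /denied/ {
        perm = ""; comm = ""; path = "-"; ttype = ""
        # "{ getattr }" -> "getattr"
        if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     comm = substr($i, 6)
            if ($i ~ /^path=/)     path = substr($i, 6)
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
        }
        gsub(/"/, "", comm); gsub(/"/, "", path)
        print comm, perm, ttype, path
    }'
}

# Paths whose object had no label at all (file_t): fix with a semanage
# fcontext rule plus restorecon, not by loosening policy.
unlabeled_paths() {
    avc_summary | awk '$3 == "file_t" && $4 != "-" { print $4 }' | sort -u
}

# Denials on a labeled object (a port type, another daemon's files): these
# are policy decisions, answered by a boolean such as
# httpd_can_network_connect_db or by a custom module, and only after
# confirming httpd really should be doing that.
policy_denials() {
    avc_summary | awk '$3 != "file_t"'
}

# Constructed records (CentOS 5 audit.log format, not copied from the poster's
# system): two getattr denials on unlabeled directories, a SYSCALL record that
# must be ignored, and one outbound connection attempt to the mysql port.
sample_audit='type=AVC msg=audit(1283371404.101:77): avc:  denied  { getattr } for  pid=2874 comm="httpd" path="/home/www/sample2_com" dev=sda2 ino=98305 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1283371404.101:77): arch=40000003 syscall=195 success=no exit=-13 pid=2874 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1283371404.102:78): avc:  denied  { getattr } for  pid=2874 comm="httpd" path="/home/www/logs" dev=sda2 ino=98306 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1283371405.330:79): avc:  denied  { name_connect } for  pid=2874 comm="httpd" dest=3306 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

printf '%s\n' "$sample_audit" | avc_summary
# Live box:  ausearch -m avc -c httpd -ts recent | avc_summary
#            ausearch -m avc -c httpd -ts recent | unlabeled_paths
```

A getattr denial on a file_t directory is exactly the failure behind "DocumentRoot [...] does not exist" with SELinux enforcing: httpd_t could not even stat the path. The name_connect line is a different class of problem and would not be touched by any relabel.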

unix1adm

Re: question about selinux and apache

Post by unix1adm » 2010/09/06 20:24:22

Yes, it does seem to work with SELinux off. Thank you all for the info. Still working on this. I had a slight setback with a corrupted fs.

The error is listed in the first post but here it is again.

service httpd start
Starting httpd: Warning: DocumentRoot [/home/wwww/sample1_com] does not exist
Warning: DocumentRoot [/home/www/sample2_com] does not exist
[Wed Sep 01 14:03:24 2010] [warn] NameVirtualHost *:80 has no VirtualHosts
[ OK ]
