LinuxQuestions.org
Old 02-09-2009, 01:19 AM   #1
Wim Sturkenboom (Senior Member)
[redhat enterprise server 4] Apache and SELinux


Moderator note: this might be in a completely inappropriate forum. If so, please move.

Someone asked me to have a look at a RHEL ES 4 server. The original problem description was that "apache does not want to serve text files". After I proved them wrong, the problem is that a browser receives a 403 error when one specific file is requested.

SELinux seems to cause the problem.

error
Code:
Feb  9 08:23:15 localhost kernel: audit(1234160595.716:0): avc:  denied  { getattr } for  pid=862 exe=/usr/sbin/httpd path=/var/www/html/iptvo.txt dev=dm-0 ino=507796 scontext=user_u:system_r:httpd_t tcontext=root:object_r:var_t tclass=file
dir listing
Code:
[wim@localhost html]$ ls -l *.txt
-rw-r--r--  1 root root 44226 Feb  6 13:55 iplab.txt
-rw-r--r--  1 root root 46050 Feb  6 14:48 iptvo2.txt
-rw-r--r--  1 root root 46050 Jan 15 15:14 iptvo.txt
[wim@localhost html]$
/etc/selinux/config
Code:
SELINUX=enforcing
SELINUXTYPE=targeted
What has been done:
  • other text files work (checked permissions)
  • tried to find something that refers to iptvo.txt in the apache config
  • grepped files in /etc/selinux/targeted for references to txt and iptvo
  • read up on SELinux, but could not find what I was looking for

I'm a bit reluctant at this moment to simply rename the file (copying the file to iptvo2.txt and requesting that file does not show the issue), as it might solve the issue without me understanding what is happening.

Can somebody explain and point me in the right direction to solve the issue?

PS I'm not familiar with SELinux at all (work with Slackware servers normally).

Last edited by Wim Sturkenboom; 02-09-2009 at 01:52 AM. Reason: Added moderator note
 
Old 02-09-2009, 06:21 PM   #2
unSpawn (Moderator)
Try 'ls -lZ *.txt' instead? If other entities in that dir get served OK, you'll probably spot the difference...

I think "Feb 9 08:23:15 localhost kernel: audit(1234160595.716:0): avc: denied { getattr } for pid=862 exe=/usr/sbin/httpd path=/var/www/html/iptvo.txt dev=dm-0 ino=507796 scontext=user_u:system_r:httpd_t tcontext=root:object_r:var_t tclass=file" loosely translates as "(the kernel) denied (a process with) context httpd_t (to) { getattr } (a) file (having) context var_t". Running any sealert messages or AVC through 'audit2allow' should return a line that could be expressed as
Code:
# Local policy module in the form audit2allow produces; the 'require'
# block declares the types and permissions the rule below refers to.
module myFirstLocalPolicyModule 0.1;

require {
	type httpd_t;
	type var_t;
	class file { read getattr };
}

# Lets httpd_t stat files labelled var_t, i.e. exactly the access
# the AVC message above reports as denied.
allow httpd_t var_t:file getattr;
in policy language if you need to tweak a local policy, but it would be smarter (wrt consistency) to 'chcon' the file to the context of the other files in that dir. Since they're all webserver content that would be "httpd_sys_content_t".

Last edited by unSpawn; 02-09-2009 at 06:42 PM. Reason: //Try explaining it
 
Old 02-09-2009, 10:00 PM   #3
Wim Sturkenboom (Original Poster)
Thanks unSpawn for the tip on ls -lZ as well as the command to change the context.

As a reference for others:
Code:
[root@localhost html]# ls -lZ *.txt
-rw-r--r--  root     root     root:object_r:httpd_sys_content_t iplab.txt
-rw-r--r--  root     root     root:object_r:httpd_sys_content_t iptvo2.txt
-rw-r--r--  root     root     root:object_r:var_t              iptvo.txt
[root@localhost html]#
Code:
[root@localhost html]# chcon root:object_r:httpd_sys_content_t iptvo.txt
[root@localhost html]# ls -lZ *.txt
-rw-r--r--  root     root     root:object_r:httpd_sys_content_t iplab.txt
-rw-r--r--  root     root     root:object_r:httpd_sys_content_t iptvo2.txt
-rw-r--r--  root     root     root:object_r:httpd_sys_content_t iptvo.txt
[root@localhost html]#
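The diagnosis in posts #2 and #3 (read the AVC message, translate it, compare the file's context with its siblings via 'ls -lZ', then relabel rather than write a custom allow rule) can be scripted. The following is an added example, not code from either poster: it parses 'avc: denied' lines from the kernel log, emits the plain-words reading and the audit2allow-style rule, and flags the file whose context differs from the rest of the directory. The log lines and listing embedded below are constructed for the example (the first AVC line is the one quoted in the thread; the other two denials and the write on iplab.txt are assumed).

```python
"""Triage SELinux AVC denials the way the thread does by hand.

Added example, not code from the original posts: parse 'avc: denied'
lines, explain them, build the audit2allow-style rule, and compare the
denied file's context with its siblings to decide on a relabel.
"""
import re
from collections import Counter

# Constructed sample audit lines. The first is the denial quoted in the
# thread; the other two are assumed follow-ups for illustration.
SAMPLE_AUDIT = """\
Feb  9 08:23:15 localhost kernel: audit(1234160595.716:0): avc:  denied  { getattr } for  pid=862 exe=/usr/sbin/httpd path=/var/www/html/iptvo.txt dev=dm-0 ino=507796 scontext=user_u:system_r:httpd_t tcontext=root:object_r:var_t tclass=file
Feb  9 08:23:15 localhost kernel: audit(1234160595.720:1): avc:  denied  { read } for  pid=862 exe=/usr/sbin/httpd path=/var/www/html/iptvo.txt dev=dm-0 ino=507796 scontext=user_u:system_r:httpd_t tcontext=root:object_r:var_t tclass=file
Feb  9 08:23:15 localhost kernel: audit(1234160595.721:2): avc:  denied  { write } for  pid=863 exe=/usr/sbin/httpd path=/var/www/html/iplab.txt dev=dm-0 ino=507790 scontext=user_u:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file
"""

# Constructed 'ls -lZ' output in the RHEL 4 layout shown in the thread.
SAMPLE_LS_LZ = """\
-rw-r--r--  root     root     root:object_r:httpd_sys_content_t iplab.txt
-rw-r--r--  root     root     root:object_r:httpd_sys_content_t iptvo2.txt
-rw-r--r--  root     root     root:object_r:var_t              iptvo.txt
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict for an 'avc: denied' line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    rec = {"perms": set(m.group("perms").split())}
    for key in ("pid", "exe", "path", "scontext", "tcontext", "tclass"):
        rec[key] = fields.get(key)
    # The type is the third field of a user:role:type[:level] context.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def explain(rec):
    """Plain-words reading of one denial, like the translation in the thread."""
    return "%s was denied %s on %s %s (context %s)" % (
        rec["stype"], " ".join(sorted(rec["perms"])), rec["tclass"],
        rec["path"] or "?", rec["ttype"])


def allow_rules(records):
    """Merge denials into audit2allow-style rules, one per (source, target, class)."""
    merged = {}
    for r in records:
        merged.setdefault((r["stype"], r["ttype"], r["tclass"]), set()).update(r["perms"])
    rules = []
    for (s, t, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
        rules.append("allow %s %s:%s %s;" % (s, t, cls, body))
    return rules


def context_outliers(ls_lz_text):
    """Parse 'ls -lZ' output; return the majority context and the files that differ."""
    contexts = {}
    for line in ls_lz_text.splitlines():
        parts = line.split()
        # The context is the only field with two or more colons, which also
        # copes with newer ls layouts that print size and date after it.
        ctx = [p for p in parts if p.count(":") >= 2]
        if len(parts) >= 2 and ctx:
            contexts[parts[-1]] = ctx[0]
    if not contexts:
        return None, {}
    majority = Counter(contexts.values()).most_common(1)[0][0]
    return majority, {n: c for n, c in contexts.items() if c != majority}


def remediation(rec, majority_context):
    """Prefer relabelling to the siblings' type over writing a custom allow rule."""
    target_type = majority_context.split(":")[2]
    if rec["ttype"] != target_type:
        return "chcon -t %s %s" % (target_type, rec["path"])
    # Same label as its siblings: the denial is policy doing its job (here,
    # httpd writing to read-only web content), so do not allow it blindly.
    return "review: %s on %s denied by design for %s" % (
        " ".join(sorted(rec["perms"])), rec["path"], rec["ttype"])


def triage(audit_text, ls_lz_text):
    """Run the thread's whole diagnosis over a log excerpt and an ls -lZ listing."""
    records = [r for r in map(parse_avc, audit_text.splitlines()) if r]
    majority, outliers = context_outliers(ls_lz_text)
    return {
        "explanations": [explain(r) for r in records],
        "rules": allow_rules(records),
        "outliers": outliers,
        "fixes": sorted({remediation(r, majority) for r in records}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AUDIT, SAMPLE_LS_LZ).items():
        print(key, value)
```

Two caveats for anyone applying this on a real box: audit2allow will just as happily generate a rule for the assumed write denial on iplab.txt, which is SELinux correctly stopping httpd from modifying its own content, so the "review" output is deliberate. And a chcon label does not survive a filesystem relabel (restorecon, fixfiles, or a touch /.autorelabel); on the targeted policy the default for /var/www/html is already httpd_sys_content_t, so 'restorecon -v /var/www/html/iptvo.txt' reaches the same state persistently.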
 
  

