Apache DocumentRoot on an NFS directory:

[root@localhost ~]# service httpd start
Starting httpd: Warning: DocumentRoot [/home/www/html] does not exist
Syntax error on line 292 of /etc/httpd/conf/httpd.conf:
DocumentRoot must be a directory
[FAILED]
[root@localhost ~]#

After some research, I found this (dated) link

http://www.redhat.com/archives/rhl-list/2005-July/msg02443.html

and followed the suggestion, setsebool -P use_nfs_home_dirs=1. But I still
can't start httpd. Not sure what to make of the audit log:

type=AVC msg=audit(1329395502.678:61926): avc: denied { search } for pid=25674 comm="httpd" name="" dev=0:23 ino471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1329395502.678:61926): arch=c000003e syscall=4 success=no exit=-13 a0=7fef342bc080 a1=7fffaf747370 a2=7fffaf747370 a3=7fef30c65c30 items=0 ppid=25673 pid=25674 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1329395502.681:61927): avc: denied { search } for pid=25674 comm="httpd" name="" dev=0:23 ino471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1329395502.681:61927): arch=c000003e syscall=4 success=no exit=-13 a0=7fef342eae68 a1=7fffaf747630 a2=7fffaf747630 a3=50 items=0 ppid=25673 pid=25674 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)


  • Daniel J Walsh at Feb 16, 2012 at 8:18 am

    On 02/16/2012 07:35 AM, Lars Hecking wrote:
    type=AVC msg=audit(1329395502.678:61926): avc: denied { search } for pid=25674 comm="httpd" name="" dev=0:23 ino471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
    type=SYSCALL msg=audit(1329395502.678:61926): arch=c000003e syscall=4 success=no exit=-13 a0=7fef342bc080 a1=7fffaf747370 a2=7fffaf747370 a3=7fef30c65c30 items=0 ppid=25673 pid=25674 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
    type=AVC msg=audit(1329395502.681:61927): avc: denied { search } for pid=25674 comm="httpd" name="" dev=0:23 ino471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
    type=SYSCALL msg=audit(1329395502.681:61927): arch=c000003e syscall=4 success=no exit=-13 a0=7fef342eae68 a1=7fffaf747630 a2=7fffaf747630 a3=50 items=0 ppid=25673 pid=25674 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
    Have you tried httpd_use_nfs?
  • Lars Hecking at Feb 16, 2012 at 8:28 am
    Have you tried httpd_use_nfs?
    Slam dunk. Thanks!

    Did this boolean exist before yesterday's kernel and selinux policy update?
    The setup was working until I rebooted.

  • Daniel J Walsh at Feb 16, 2012 at 9:17 am

    On 02/16/2012 08:28 AM, Lars Hecking wrote:
    Have you tried httpd_use_nfs?
    Slam dunk. Thanks!

    Did this boolean exist before yesterday's kernel and selinux policy
    update? The setup was working until I rebooted.

    I see this boolean in RHEL5 and RHEl6. So it has been there a while.
  • Bruce Martin at Mar 5, 2012 at 2:40 pm
    Lars Hecking <lhecking at ...> writes:
    Have you tried httpd_use_nfs?
    Slam dunk. Thanks!

    Can you be more specific on what file you edited and the syntax of the line
    you put in and/or edited?
    While I am able to start apache I am getting several errors in the log files
    that seem to be related to this.

    Bruce
  • Phil Savoie at Mar 5, 2012 at 4:01 pm

    On 03/05/2012 02:40 PM, Bruce Martin wrote:
    Lars Hecking <lhecking at ...> writes:
    Have you tried httpd_use_nfs?
    Slam dunk. Thanks!

    Can you be more specific on what file you edited and the syntax of the line
    you put in and/or edited?
    While I am able to start apache I am getting several errors in the log files
    that seem to be related to this.

    Bruce
    Without being able to see/read the OP's original question, some help for
    you.

    semanage boolean -l | grep httpd

    man -k _selinux

    Hope this helps a little...

    Phil
  • Benjamin Donnachie at Mar 5, 2012 at 4:16 pm

    On 5 Mar 2012, at 22:02, Phil Savoie wrote:

    Have you tried httpd_use_nfs?
    Without being able to see/read the OP's original question, some help for
    you.
    Try http://wiki.centos.org/TipsAndTricks/SelinuxBooleans instead.

    Ben
  • Phil Savoie at Mar 5, 2012 at 4:04 pm

    On 03/05/2012 02:40 PM, Bruce Martin wrote:
    Lars Hecking <lhecking at ...> writes:
    Have you tried httpd_use_nfs?
    Slam dunk. Thanks!

    Can you be more specific on what file you edited and the syntax of the line
    you put in and/or edited?
    While I am able to start apache I am getting several errors in the log files
    that seem to be related to this.

    Bruce
    Sent too quick... one more to help with avc denials

    sealert -a /var/log/audit/audit.log

    Here you will see the raw info of the denial and possible fixes.

    Phil
  • Lars Hecking at Mar 5, 2012 at 7:10 pm

    Bruce Martin writes:
    Lars Hecking <lhecking at ...> writes:
    Have you tried httpd_use_nfs?
    Slam dunk. Thanks!

    Can you be more specific on what file you edited and the syntax of the line
    you put in and/or edited?
    While I am able to start apache I am getting several errors in the log files
    that seem to be related to this.
    setsebool [-P] use_nfs_home_dirs=1

    setsebool [-P] httpd_use_nfs=1

    -P makes the settings permanent, which is probably what you want. Also useful
    is "getsebool -a".
  • James B. Byrne at Feb 16, 2012 at 12:13 pm

    On Thu, February 16, 2012 07:35, Lars Hecking wrote:
    Apache DocumentRoot on an NFS directory:

    [root@localhost ~]# service httpd start
    Starting httpd: Warning: DocumentRoot [/home/www/html] does not exist
    Syntax error on line 292 of /etc/httpd/conf/httpd.conf:
    DocumentRoot must be a directory
    [FAILED]
    [root@localhost ~]#

    After some research, I found this (dated) link

    http://www.redhat.com/archives/rhl-list/2005-July/msg02443.html

    and followed the suggestion, setsebool -P use_nfs_home_dirs=1. But I still
    can't start httpd. Not sure what to make of the audit log:

    type=AVC msg=audit(1329395502.678:61926): avc: denied { search } for pid=25674 comm="httpd" name="" dev=0:23 ino471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
    type=SYSCALL msg=audit(1329395502.678:61926): arch=c000003e syscall=4 success=no exit=-13 a0=7fef342bc080 a1=7fffaf747370 a2=7fffaf747370 a3=7fef30c65c30 items=0 ppid=25673 pid=25674 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
    type=AVC msg=audit(1329395502.681:61927): avc: denied { search } for pid=25674 comm="httpd" name="" dev=0:23 ino471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
    type=SYSCALL msg=audit(1329395502.681:61927): arch=c000003e syscall=4 success=no exit=-13 a0=7fef342eae68 a1=7fffaf747630 a2=7fffaf747630 a3=50 items=0 ppid=25673 pid=25674 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)


    Try this:

    yum install policycoreutils-python setroubleshoot-server

    Now use the audit2allow and semanage utilities to tell you
    what SEbooleans to set or what to include in a custom
    policy. Information from 2010 is out of date for SELinux
    on CentOS-6, assuming that you are in fact running the
    latest version, much less stuff from 2005.

    HTH

    --
    *** E-Mail is NOT a SECURE channel ***
    James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
    Harte & Lyne Limited http://www.harte-lyne.ca
    9 Brockley Drive vox: +1 905 561 1241
    Hamilton, Ontario fax: +1 905 561 0757
    Canada L8E 3C3
  • Daniel J Walsh at Feb 16, 2012 at 12:22 pm

    On 02/16/2012 12:13 PM, James B. Byrne wrote:
    On Thu, February 16, 2012 07:35, Lars Hecking wrote:

    Apache DocumentRoot on an NFS directory:

    [root@localhost ~]# service httpd start
    Starting httpd: Warning: DocumentRoot [/home/www/html] does not exist
    Syntax error on line 292 of /etc/httpd/conf/httpd.conf:
    DocumentRoot must be a directory
    [FAILED]
    [root@localhost ~]#

    After some research, I found this (dated) link

    http://www.redhat.com/archives/rhl-list/2005-July/msg02443.html

    and followed the suggestion, setsebool -P use_nfs_home_dirs=1.
    But I still can't start httpd. Not sure what to make of the
    audit log:

    type=AVC msg=audit(1329395502.678:61926): avc: denied { search } for pid=25674 comm="httpd" name="" dev=0:23 ino471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
    type=SYSCALL msg=audit(1329395502.678:61926): arch=c000003e syscall=4 success=no exit=-13 a0=7fef342bc080 a1=7fffaf747370 a2=7fffaf747370 a3=7fef30c65c30 items=0 ppid=25673 pid=25674 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
    type=AVC msg=audit(1329395502.681:61927): avc: denied { search } for pid=25674 comm="httpd" name="" dev=0:23 ino471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
    type=SYSCALL msg=audit(1329395502.681:61927): arch=c000003e syscall=4 success=no exit=-13 a0=7fef342eae68 a1=7fffaf747630 a2=7fffaf747630 a3=50 items=0 ppid=25673 pid=25674 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)


    Try this:

    yum install policycoreutils-python setroubleshoot-server

    Now use the audit2allow and semanage utilities to tell you what
    SEbooleans to set or what to include in a custom policy.
    Information from 2010 is out of date for SELinux on CentOS-6,
    assuming that you are in fact running the latest version, much less
    stuff from 2005.

    HTH
    Actually the combination of two booleans would have also allowed this
    access.

    tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
        fs_list_auto_mountpoints(httpd_t)
        fs_read_nfs_files(httpd_t)
        fs_read_nfs_symlinks(httpd_t)
    ')

    But if you are not allowing apache to look in users homedirs,
    httpd_use_nfs is more secure.
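Dan's point about which booleans cover httpd_t reaching nfs_t, and Phil's tip to read the raw denials, can be turned into a small triage script. This is an added example, not anything posted in the thread: the audit records in it are constructed to match the OP's format (pids and inode numbers are made up), and the only boolean mapping it knows is the one the thread names.

```shell
#!/bin/sh
# Added example, not code from the thread: triage AVC denials of the kind the
# OP posted, with no SELinux needed on the machine running it.
# Constructed sample records modelled on the OP's audit.log (pids/inodes made up).
SAMPLE_AVC='type=AVC msg=audit(1329395502.678:61926): avc: denied { search } for pid=1234 comm="httpd" name="" dev=0:23 ino=4711 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=AVC msg=audit(1329395510.100:61930): avc: denied { read } for pid=1234 comm="httpd" name="index.html" dev=0:23 ino=4712 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file
type=AVC msg=audit(1329395520.200:61940): avc: denied { write } for pid=999 comm="named" name="db" dev=dm-0 ino=99 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir'

# Value of key=... in one audit record, quotes stripped (empty if absent).
avc_field() {           # $1 = record, $2 = key
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# Type element of a security context: user:role:TYPE:level -> TYPE
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Permissions listed inside "denied { ... }", e.g. "search" or "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \(.*\) } for .*/\1/p'
}

# Map (source domain, target type) to the booleans named in this thread.
# Anything else is left to sealert/audit2allow, as Phil and James suggested.
suggest_boolean() {     # $1 = source type, $2 = target type
    case "$1:$2" in
        httpd_t:nfs_t) echo "httpd_use_nfs (or httpd_enable_homedirs + use_nfs_home_dirs for home dirs)" ;;
        *)             echo "no boolean known here; run sealert -a /var/log/audit/audit.log" ;;
    esac
}

# One-line triage summary for a single AVC record.
triage_avc() {          # $1 = record
    s=$(ctx_type "$(avc_field "$1" scontext)")
    t=$(ctx_type "$(avc_field "$1" tcontext)")
    printf '%s %s->%s %s {%s}: %s\n' "$(avc_field "$1" comm)" "$s" "$t" \
        "$(avc_field "$1" tclass)" "$(avc_perms "$1")" "$(suggest_boolean "$s" "$t")"
}

# Number of records in a log blob where httpd_t is denied access to nfs_t.
count_httpd_nfs() {     # $1 = multi-line audit text
    printf '%s\n' "$1" | grep -c 'scontext=[^ ]*:httpd_t:[^ ]* tcontext=[^ ]*:nfs_t:'
}

printf '%s\n' "$SAMPLE_AVC" | while IFS= read -r line; do triage_avc "$line"; done
```

On a real box, feed it `grep '^type=AVC' /var/log/audit/audit.log` instead of the sample and compare the suggestions with `getsebool -a`.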
  • Les Mikesell at Feb 16, 2012 at 12:52 pm

    On Thu, Feb 16, 2012 at 11:13 AM, James B. Byrne wrote:


    Information from 2010 is out of date for SELinux
    on CentOS-6,


    I thought the whole point of enterprise distributions was to not have
    behavior changes for a major version release, which would, in fact, have
    been in 2010 for the upstream copy.

    --
    Les Mikesell
    lesmikesell at gmail.com
  • Daniel J Walsh at Feb 16, 2012 at 5:52 pm

    On 02/16/2012 12:52 PM, Les Mikesell wrote:
    On Thu, Feb 16, 2012 at 11:13 AM, James B. Byrne
    wrote:

    Information from 2010 is out of date for SELinux on CentOS-6,


    I thought the whole point of enterprise distributions was to not
    have behavior changes for a major version release, which would, in
    fact, have been in 2010 for the upstream copy.
    The data from 2010 is still current, but you need to change both booleans.
  • Bob Hoffman at Feb 16, 2012 at 3:52 pm
    *Lars Hecking* wrote

    ==================================================================
    Apache DocumentRoot on an NFS directory:

    [root@localhost ~]# service httpd start
    Starting httpd: Warning: DocumentRoot [/home/www/html] does not exist
    Syntax error on line 292 of /etc/httpd/conf/httpd.conf:
    DocumentRoot must be a directory
    [FAILED]
    [root@localhost ~]#

    After some research, I found this (dated) link

    http://www.redhat.com/archives/rhl-list/2005-July/msg02443.html

    and followed the suggestion, setsebool -P use_nfs_home_dirs=1. But I still
    can't start httpd. Not sure what to make of the audit log:

    type=AVC msg=audit(1329395502.678:61926): avc: denied { search } for pid=25674 comm="httpd" name="" dev=0:23 ino471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
    type=SYSCALL msg=audit(1329395502.678:61926): arch=c000003e syscall=4 success=no exit=-13 a0=7fef342bc080 a1=7fffaf747370 a2=7fffaf747370 a3=7fef30c65c30 items=0 ppid=25673 pid=25674 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
    type=AVC msg=audit(1329395502.681:61927): avc: denied { search } for pid=25674 comm="httpd" name="" dev=0:23 ino471615 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
    type=SYSCALL msg=audit(1329395502.681:61927): arch=c000003e syscall=4 success=no exit=-13 a0=7fef342eae68 a1=7fffaf747630 a2=7fffaf747630 a3=50 items=0 ppid=25673 pid=25674 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
    ==================================================================
    /home/www/html does not exist.
    Whether redhat did this on purpose or by mistake, the directory should be
    /var/www/html.

    It is not selinux, it is the wrong, non-existent directory in the httpd.conf file.

    Oopsy on someone's part. Happened to me too... took me a while to see the installed
    conf file's directory was the wrong folder path.
