Fedora :: SELinux Context - Allow Apache's Http Daemon To Use Arp (for Getting Some Mac Addresses)
Apr 13, 2010
I'm working with Fedora and SELinux and am having a problem. I need to allow apache's http daemon to use arp (for getting some mac addresses). I have changed the type of the arp executable to httpd_sys_context_t but am still having an issue. Here is the messages log: Detailed Description:
I'm attempting to get MapServer running on my Fedora 13 computer. I was able to install with the package manager, and the executable (mapserv) was originally placed in /usr/sbin. But I need it in /var/www/cgi-bin to work on the webserver. So I copied the file to the right location. Unfortunately, it doesn't have the correct SELinux context. Here's the message from the troubleshooter:
SELinux denied access requested by /var/www/cgi-bin/mapserv. /var/www/cgi-bin/mapserv is mislabeled. /var/www/cgi-bin/mapserv default type is httpd_sys_script_exec_t, but its current type is httpd_sys_script_exec_t. Changing this file back to the default type, may fix your problem.
How's that for circular logic? Does anyone have an idea what the correct SELinux context for a cgi-bin executable might be?
I'm suspicious that the context of /etc/sudoers is wrong. During the last upgrade to Fedora 14, RPM dropped /etc/sudoers.rpmnew, which had a different context than the real sudoers file. But, when I try to get SELinux to relabel the file (using restorecon or fixfiles), it refuses to make a change.
SELinux is preventing /usr/sbin/httpd from using potentially mislabeled filesjk-runtime-status. SELinux has denied the httpd access to potentially mislabeled filesjk-runtime-status. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, httpd_tmp_t,
I know how to change the owner of a file and the permissions but what does it mean to change the file context?
I was setting up a Samba server and I ran into some problems with SELinux related to the context of the home directories. I made a user account, say "UserAccount", with a default home directory "home/UserAccount". Afterwards I realized that I needed to move the home directory of this particular user to another location, say "/home2/UserAccount". So I created the new directory, changed the permissions, and used Gnome's system-config-user to change the user's home directory.
I then set-up the Samba server, activated samba_run_unconfined and samba_enable_home_dirs in SELinux, and made an account for UserAccount. When testing the Samba account for UserAccount SELinux denied read access. I checked the context and the new home directory did not appeared to have been updated. I had to manually run:
restorecon -R -v /home2/UserAccount
to set the context on the new home directory. I'm not very familiar with SELinux, so my question is this: is this normal security policy or is a bug in the system-config-user tool? If it's normal policy can someone explain why? I'm always ready to learn Distro: Fedora 12 (kernel: 22.214.171.124-127.fc12.i686) System: Dual Intel Xeon @ 3.2 GHz, 1 GB RAM
I have al ready Fedora 11 [Leonidas], and when i did copy my old website to /var/www/html/wiki i had this problem trying [URL] : Forbidden You don't have permission to access /wiki/ on this server... i had to type this commands:
My Fedora box is giving me an SELinux security error:
SELinux is preventing the samba daemon from reading users' home directories.
SELinux has denied the samba daemon access to users' home directories. Someone is attempting to access your home directories via your samba daemon. If you only setup samba to share non-home directories, this probably signals an intrusion attempt. For more information on SELinux integration with samba, look at the samba_selinux man page. (man samba_selinux)
Allowing Access: If you want samba to share home directories you need to turn on the samba_enable_home_dirs boolean: "setsebool -P samba_enable_home_dirs=1"
I try to install IPsec-Tools on Slackware 13, but I get an configure error: configure: error: Security Context requested, bu no selinux support! Aborting. I'm linux newbie and I'm following a slackware-basics tutorial, I did as in the tutorial, but the configure stops and aborts:
I want to be able to created directories and upload files (images mostly) via a php web page. The directory structure is a throwback to windows and I really really don't want to have to change it because there are so many files/links already there.
/cust/cust_name/site/version/web (all html/php files go here)
I want to be able to edit the files with a 3rd party tool (SSH based). These are small orgs, like my church, local community club, sports team, etc., so file ownership needs to sync with the editor, not apache.
I have 2 web server in my office : http and https. You will find attached the httpd.conf and ssl.conf. I can acces the https server from home, but not the http one.
What I did : configure the router to forward port 80 to my fedora 11 machine open port 80 with system-config-network created a virtualhost
The same exact steps have been done for port 443
I can access both server locally but only the https server remotelly.
Here are my iptables :
you can try to acces my servers using [url]
I made httpd to listen to port 8080, and done all the port forwarding/opening stuf, and it works. so is it a bug ?
Finally found my error seams like turning off UseCanonicalName to off did the trick
I really think it's a bug now. It was definitively working last week, I just added content to the main host of my website, and now i can't acces it from port 80. If someone think it's not a bug or find someting missing/wrong in my conf file.
I am trying to setup my webserver and I am trying to make a website to run under suexec but somehow I cannot start my apache it directly fails and SELinux is giving me errors and don't really know what to do with it, it is giving me some command to type but not sure if this will make my server less secure. The SELinux error is as follow:
Code: Summary: SELinux prevented httpd reading and writing access to http files.
Detailed Description: SELinux prevented httpd reading and writing access to http files. Ordinarily httpd is allowed full access to all files labeled with http file context. This machine has a tightened security policy with the httpd_unified turned off, this requires explicit labeling of all files. If a file is a cgi script it needs to be labeled with httpd_TYPE_script_exec_t in order to be executed. If it is read-only content, it needs to be labeled httpd_TYPE_content_t, it is writable content. it needs to be labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon command to change these contexts. Please refer to the man page "man httpd_selinux" or FAQ [URL] "TYPE" refers to one of "sys", "user" or "staff" or potentially other script types.
Allowing Access: Changing the "httpd_unified" boolean to true will allow this access: "setsebool -P httpd_unified=1"
Fix Command: setsebool -P httpd_unified=1
I will write down how I did setup my server so maybe you can see a mistake I did. First I changed my Apache httpd.conf I added the following to it: Code: NameVirtualHost 192.168.1.2:80 <VirtualHost 192.168.1.2:80> ServerName localhost DocumentRoot /var/www/html DirectoryIndex index.html index.html index.shtml index.php </VirtualHost>
Then I created the username "ulyaoth" with the group "ulyaoth" as I specified with my suexec, then I created all the directories as specified in my httpd.conf and "chown ulyaoth:ulyaoth (dirname)" them to the right group and username.
You can find a list of all the booleans for SELinux (Fedora 10) using getsebool -a My question is, is there a reference online that describes each one. Most of obvious but it's one of those "I have to know because it's there situation).
I would like have a password for accessing my web site which works fine. I also want for the specific site to allow access only for a specific range of ips. Right now the following config should forbid my access, as my ip is different from 200.200.200.*
Code: # Listen: Allows you to bind Apache to specific IP addresses and/or # ports, instead of the default. See also the <VirtualHost> # directive. Change this to Listen on specific IP addresses as shown below to # prevent Apache from glomming onto all bound IP addresses. #Listen 126.96.36.199:80 Listen 80
And when I try to start the server, I get the following
Code: (98)Address already in use: make_sock: could not bind to address 0.0.0.0:80. I did have an Apache web server up and running about 6 or 7 years ago - but seem to have lost everything
I have tried several places for help but I am getting no where...Here is my background.I have spent all weekend to replicate my development server back at home. I have an Apache remote server with 3 IP based virtual hosts pointing to
Now I have been able to set up a VM on my desktop, installed the OS, the applications, the db server, apache etc. Everything is looking good so far. So right now I have,
So when I go to 192.168.0.111, I go to [URL] so I guess apache is working aswell.What I want to do is, instead of going to [URL] I want to change it to another address such as a.me.add1How can I do this? I am looking through the virtual hosts section, I have changed server name entry etc but its not working.Can you tell me in big picture what I would need to do to set that up? My current set up doesnt really help me much once the site get the www address.tell me if Document Root of IP address 192.168.0.111 points to [URL] will it always resolve into that webaddress. That is if I enter 192.168.0.111 the browser will redirect it to [URL].
Dear all, I have system running LAMP and acting as a regular webserver.After running the setup for quite some months, I start having major issues:Symptoms:1. Applications do not respond neither from LAN nor WAN - SSH daemon, Apache, MySQL, FTP2. Network still seems to work for ping and port listeners3. Telnet is still successful for 21, 22, 80, 33064. Server has to be restarted manuallyTrying to find out the issue, I went through /var/log/ looking for major issues or warnings. But nothing seemed plausible to me to understand the issue - except I knew I was running out of disk space a few times.Not being able to identify nor replicate the issue, I replaced the hardware running 24x7 since quite a few years. Doing this, I migrated at the same time from OpenSUSE 10.1 to 11.3.The machine itself is behind a firewall and only the above mentioned standard ports are accessible
I'm trying to modify an existing user so that any files they create can be at least read (although writing and execution would be nice) by any other user. The reason is because I need the daemon running my Apache server to be able to access files created by a daemon running under this user, files which will be created and accessed in real-time.
I installed LAMPP a couple of weeks ago and was working fine. Today when I try to start lampp, it will only start MySql and ProFTPD. It says "XAMPP: Another web server daemon is already running." How can I find out where this other server is located and stop it?
I did a wget on the source and built the apache binaries correctly. Now what do I need to do to get some documents accessible using HTTP (start some services?)? Also, do I need to group all the files I want to make accessible in some directory and make the directory and its contents accessible or can I just make the individual documents available? I will be providing these links to my colleagues and do not want them to be down, so need to make sure that the apache services are up automatically after a reboot. Does apache have some inbuilt support for this?
I am new to web server support. I have a request from my management to modify the logging slightly. Effectively I need to redirect a custom string from our http response into the apache access logs. When a user navigates to our site they receive a "dye" number that is associated with them. This number follows them to whatever cluster they are directed too. The string is formatted as such, com-company-dye: d0a2#6dfce. I need that that header dye to appear in the access logs so we can use that dye number as a key for troubleshooting issues though out our various monitoring systems.
Fedora 14. I have Apache HTTP Server installed and running fine. I am interested in doing some java servlet pages. Am I correct that in addition to the above I need to install another server - for example Tomcat - that knows how to process java servlets? I see that yum has tomcat. And that Tomcat is not an add on to the HTTP Server, but an alternative to it? i.e I start one or the other?
I've had a VPS running Ubuntu 9.10 x64 server, hosting 3 websites of mine for a few months now. This problem has been happening for a while. Every once in a while, probably every 2 or 3 days, I'll wake up in the morning, and apache won't be responding, no web pages will load. /etc/init.d/apache2 status, reports that apache is functioning properly. Every time I simply have to restart the daemon and things run fine for another few days.
I thought maybe it was a memory issue, so I lowered the MaxClients in the prefork module from 50 to 30 a few days ago, but the same thing is still happening. My VPS has 512MB of ram, burstable to 1GB, and according to Virtuozzo, there was only one night of high traffic where I even came close to that soft limit. I've checked my syslog, and there's absolutely nothing in there about apache. I've checked apache's error.log as well, and there's nothing in there that would indicate a problem either.
How to best manage both http and https pages on the same apache-server without conflicts. For example, if i have both 000-default.conf and 000-default-ssl.conf pointing to mydomain.com, and don't want users who visit mydomain.com without specifically type the https-prefix to be redirected to the https-page - how to handle users using browserplugins such as https-everywhere etc?
Another option would be to create a subdomain ssl.mudomain.com and have users who want to reach the ssl site to have to type ssl. I have tested several things with https everywhere enabled in my own browser, and it seems really hard to make this working the way i want, in one way or another i always end up getting redirected to the ssl-site automatically.
The reason i need this to work is because i run one site that i don't care much about SSL, that is the "official" part of that site, and i also host some things for friends and family on the SSL-part. This would not have been a problem if it wasn't that i use self-signed certificates for my ssl-site and the major user become afraid when a certificate-warning pops up in their browser and therefor leave the site.
I have tftpd-hpa and dhcp3-server up and running. I just want to install server edition via network, from the host machine (my laptop, running ubuntu 9.10) with an ISO file (ubuntu 8.04 32-bit server edition). I managed to boot the client machine with pxe-netboot technique, but instead downloading all the files from internet, I need to do this process directly from ISO. To transfer ISO from host to client, I also installed Apache. I unpacked ISO file into /var/lib/tftpboot/server/. I created a link to the Apache root: /var/www
Code: ubuntu@ubuntu:/var/www$ ls returns => index.html server server folder is the place where I unpacked the ISO.
My dhcp3-server has this setup and it works well with netboot, but I don't know how to add Apache to the formula to transfer the iso file from host to client. Firewall is disabled. This is my edited /etc/dhcp3/dhcpd.conf file.
When I pxe-boot the client, the process comes to a halt when tftp server is trying to access to pxelinux.0 file. I got thls error: PXE-T00: Permission denied PXE-E36: Error received from TFTP server I have no experience with Apache... so I think there is a problem with my IP addresses.. Do I need to use 127.0.1.1 instead of 192.168.2.1 (my routers IP)?
A Linux (CentOS5.3) server is setup with apache reverse proxy. The reverse proxy server is opened to outside and an internal server is mapped to ProxyPass configuration. SSL certificate is also installed on the Apache reverse proxy server. The problem is, it is extremely slow in serving http requests through reverse proxy. There is no problem with server resources or bandwidth. When the internal server is directly accessed through Internet, there is no delay. The backend server and the reverse proxy server are also on the same switch (same subnet). When I searched the Net, there were recommendations to enable cache in Apache. I did so as follows in httpd.conf.