How to configure Suexec under Selinux for PHP FCGI?
On Fedora 17 I'm using the Apache HTTPD webserver to serve some PHP files from within my home directory. Static HTML files are perfectly served, but the moment a .php file is accessed, a 500 internal server error is returned.
TLDR; How to tell Selinux that Suexec should be able to access `/var/log/httpd/suexec.log`?
```
[Mon Sep 17 12:07:48 2012] [error] [client 127.0.0.1] Premature end of script \
headers: index.php, referer: http://example.com/file.html
suexec failure: could not open log file
fopen: Permission denied
```
As this error message shows, suexec is not able to open its log file (`/var/log/httpd/suexec.log`).

Disabling Selinux (`setenforce Permissive`) does prevent this problem from appearing; this is just a note to show that it is triggered by Selinux. I'd like to solve the problem at its root, so as to have a proper Selinux configuration working with Suexec instead of disabling Selinux.
I tried to troubleshoot the issue:
```
# auditd [1]
```

[1] enable auditd for sealert in the setroubleshoot package

Which brought me the troubleshoot tool under gnome with its plugin suggestions. I followed one of those to gain more information about the issue:

```
# auditctl -w /etc/shadow -p w [2]
```

[2] more verbose output
Then reproducing the error again. With the following command I obtain a lot more information:

```
# ausearch -m avc -ts recent
time->Mon Sep 17 12:07:48 2012
type=PATH msg=audit(1347876468.484:54): item=0 name="/var/log/httpd/suexec.log"
type=CWD msg=audit(1347876468.484:54): cwd="/var/www/php-fcgi-scripts/hakre"
type=SYSCALL msg=audit(1347876468.484:54): arch=c000003e syscall=2 success=no \
exit=-13 a0=7f7e560c6276 a1=441 a2=1b6 a3=238 items=1 ppid=5083 pid=5255 \
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 \
fsgid=48 tty=(none) ses=4294967295 comm="suexec" exe="/usr/sbin/suexec" \
subj=system_u:system_r:httpd_suexec_t:s0 key=(null)
type=AVC msg=audit(1347876468.484:54): avc: denied { dac_override } for \
pid=5255 comm="suexec" capability=1 \
scontext=system_u:system_r:httpd_suexec_t:s0 \
tcontext=system_u:system_r:httpd_suexec_t:s0 tclass=capability
```

As this shows, `dac_override` is denied. I'm now wondering if I should allow it for that specific file (`/var/log/httpd/suexec.log`) and how:

```
# ls -Z /var/log/httpd/suexec.log
-rw-r--r--. root apache system_u:object_r:httpd_log_t:s0 /var/log/httpd/suexec.log
```

As this shows, the file does not have the same context (`httpd_log_t` is not `httpd_suexec_t`). Is this by intention? Or is it just because the logfile is placed into `/var/log/httpd`, and is it safe to switch the context in this specific case here?
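The audit event above is the whole picture a practitioner needs for triage, but its interesting fields (the denied permission and class, source and target contexts, the real uid of the process, the open(2) flags in `a1`) are scattered across four records. The script below is an added example, not code from the question or from the suexec/SELinux projects: it takes the four records quoted above, joined back onto one line each as ausearch prints them, extracts those fields with plain grep/sed, and decodes the hexadecimal flags word. It assumes only a POSIX shell with grep, sed, tr and head; the flag bit values are the generic Linux ones from `<asm-generic/fcntl.h>`, and the syscall number is only read as open(2) because the record says `arch=c000003e` (x86_64).

```shell
#!/bin/sh
# Added example, not code from the original post: pull the security-relevant
# fields out of an ausearch(8) event and decode the open(2) flags argument.
# AUDIT_SAMPLE holds the four records quoted in the question, one record per
# line (ausearch prints each record on one line; the question wrapped them).

AUDIT_SAMPLE='type=PATH msg=audit(1347876468.484:54): item=0 name="/var/log/httpd/suexec.log"
type=CWD msg=audit(1347876468.484:54): cwd="/var/www/php-fcgi-scripts/hakre"
type=SYSCALL msg=audit(1347876468.484:54): arch=c000003e syscall=2 success=no exit=-13 a0=7f7e560c6276 a1=441 a2=1b6 a3=238 items=1 ppid=5083 pid=5255 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="suexec" exe="/usr/sbin/suexec" subj=system_u:system_r:httpd_suexec_t:s0 key=(null)
type=AVC msg=audit(1347876468.484:54): avc: denied { dac_override } for pid=5255 comm="suexec" capability=1 scontext=system_u:system_r:httpd_suexec_t:s0 tcontext=system_u:system_r:httpd_suexec_t:s0 tclass=capability'

# audit_field TYPE KEY: value of " KEY=" in the record of type TYPE read from
# stdin, with surrounding double quotes stripped (name="..." and comm="..." are
# quoted). The leading space in the pattern keeps "uid=" from matching "auid=".
audit_field() {
    grep "^type=$1 " | sed -n "s/.* $2=\([^ ]*\).*/\1/p" | tr -d '"' | head -n 1
}

# avc_permission: the permission(s) listed between the braces of "denied { ... }".
avc_permission() {
    grep '^type=AVC ' | sed -n 's/.*denied { \(.*\) } for.*/\1/p' | head -n 1
}

# decode_open_flags HEX: symbolic form of the open(2) flags word as audit logs
# it (field a1, hexadecimal). Bit values are the generic Linux ones from
# <asm-generic/fcntl.h>; only the flags relevant to a log-file open are decoded.
decode_open_flags() {
    flags=$(printf '%d' "0x$1")
    case $((flags & 3)) in
        0) out=O_RDONLY ;;
        1) out=O_WRONLY ;;
        2) out=O_RDWR ;;
        *) out=O_ACCMODE_INVALID ;;
    esac
    [ $((flags & 64)) -ne 0 ]   && out="$out|O_CREAT"
    [ $((flags & 512)) -ne 0 ]  && out="$out|O_TRUNC"
    [ $((flags & 1024)) -ne 0 ] && out="$out|O_APPEND"
    printf '%s\n' "$out"
}

# summarize_event: human-readable summary of one event read from stdin.
summarize_event() {
    ev=$(cat)
    field() { printf '%s\n' "$ev" | audit_field "$1" "$2"; }
    printf 'denied permission : %s (class %s)\n' \
        "$(printf '%s\n' "$ev" | avc_permission)" "$(field AVC tclass)"
    printf 'source context    : %s\n' "$(field AVC scontext)"
    printf 'target context    : %s\n' "$(field AVC tcontext)"
    printf 'process           : %s pid %s uid %s euid %s exe %s\n' \
        "$(field SYSCALL comm)" "$(field SYSCALL pid)" "$(field SYSCALL uid)" \
        "$(field SYSCALL euid)" "$(field SYSCALL exe)"
    # syscall numbers are per-architecture; 2 is open(2) only for arch=c000003e (x86_64)
    printf 'syscall           : %s on arch %s, success=%s exit=%s\n' \
        "$(field SYSCALL syscall)" "$(field SYSCALL arch)" \
        "$(field SYSCALL success)" "$(field SYSCALL exit)"
    printf 'path              : %s (cwd %s)\n' "$(field PATH name)" "$(field CWD cwd)"
    printf 'open(2) flags     : %s\n' "$(decode_open_flags "$(field SYSCALL a1)")"
}

printf '%s\n' "$AUDIT_SAMPLE" | summarize_event
```

Run on the question's own event this reports the denied permission `dac_override` in class `capability`, a process running as uid 48 (the `apache` user on Fedora) with source and target context both `httpd_suexec_t`, and `a1=441` decoded as `O_WRONLY|O_CREAT|O_APPEND`. That combination is worth recognising: a `capability` denial names the process itself as the target, not the file, and `dac_override` is the capability the kernel consults only after ordinary discretionary permissions have already refused the access. Reading the event this way, together with the `ls -Z` output showing a root-owned, mode 0644 file, is what a practitioner does before choosing between adjusting the log file's ownership or mode and changing SELinux policy.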