Thread: Apache2 not working with selinux policy minimum

  1. #1
    Join Date
    Jun 2015
    Location
    Gensokyo
    Posts
    12

    Apache2 not working with selinux policy minimum

    I have set up an apache2 server on Leap 42.3, then enabled SELinux with "selinux-policy-minimum-20140730-98.1".
    When apache2 is starting, a directory "/etc/apache2/sysconfig.d" is created automatically. I have set the context manually with "semanage fcontext". So the status now is:

    Code:
    # ls -lZ /etc/apache2/
    
    ....
    drwxr-xr-x. 2 root root system_u:object_r:httpd_config_t:s0  4096 Aug  9 10:03 sysconfig.d
    ....
    
    # ls -lZ /etc/apache2/sysconfig.d/
    
    -rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0  238 Aug  9 10:10 global.conf
    -rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0   92 Aug  9 10:10 include.conf
    -rw-r--r--. 1 root root system_u:object_r:httpd_config_t:s0 1704 Aug  9 10:10 loadmodule.conf
    Starting apache2 with "systemctl start apache2" failed.

    Code:
    # journalctl -xe
    
    Aug 09 10:26:08 linux-9wtz systemd[1]: Starting Cleanup of Temporary Directories...
    -- Subject: Unit systemd-tmpfiles-clean.service has begun start-up
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit systemd-tmpfiles-clean.service has begun starting up.
    Aug 09 10:26:08 linux-9wtz systemd[1]: Started Cleanup of Temporary Directories.
    -- Subject: Unit systemd-tmpfiles-clean.service has finished start-up
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit systemd-tmpfiles-clean.service has finished starting up.
    --
    -- The start-up result is done.
    Aug 09 10:29:15 linux-9wtz systemd[1]: Starting The Apache Webserver...
    -- Subject: Unit apache2.service has begun start-up
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit apache2.service has begun starting up.
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 90: /etc/apache2/sysconfig.d//global.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 90: /etc/apache2/sysconfig.d//include.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 90: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 94: /etc/apache2/sysconfig.d//global.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 124: /etc/apache2/sysconfig.d//global.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 128: /etc/apache2/sysconfig.d//global.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 132: /etc/apache2/sysconfig.d//global.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 136: /etc/apache2/sysconfig.d//global.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 140: /etc/apache2/sysconfig.d//global.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:15 linux-9wtz start_apache2[1967]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1967]: AH00557: httpd-prefork: apr_sockaddr_info_get() failed for linux-9wtz
    Aug 09 10:29:16 linux-9wtz start_apache2[1967]: AH00558: httpd-prefork: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
    Aug 09 10:29:16 linux-9wtz start_apache2[1967]: (13)Permission denied: AH00091: httpd-prefork: could not open error log file /var/log/apache2/error_log.
    Aug 09 10:29:16 linux-9wtz start_apache2[1967]: AH00015: Unable to open logs
    Aug 09 10:29:16 linux-9wtz systemd[1]: apache2.service: Main process exited, code=exited, status=1/FAILURE
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 90: /etc/apache2/sysconfig.d//global.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 90: /etc/apache2/sysconfig.d//include.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 90: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 94: /etc/apache2/sysconfig.d//global.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 124: /etc/apache2/sysconfig.d//global.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 128: /etc/apache2/sysconfig.d//global.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 132: /etc/apache2/sysconfig.d//global.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 136: /etc/apache2/sysconfig.d//global.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 140: /etc/apache2/sysconfig.d//global.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: /usr/sbin/start_apache2: line 147: /etc/apache2/sysconfig.d//loadmodule.conf: Permission denied
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: AH00557: httpd-prefork: apr_sockaddr_info_get() failed for linux-9wtz
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: AH00558: httpd-prefork: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1. Set the 'ServerName' directive globally to suppress this message
    Aug 09 10:29:16 linux-9wtz start_apache2[1976]: httpd (no pid file) not running
    Aug 09 10:29:16 linux-9wtz systemd[1]: Failed to start The Apache Webserver.
    -- Subject: Unit apache2.service has failed
    -- Defined-By: systemd
    -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
    --
    -- Unit apache2.service has failed.
    --
    -- The result is failed.
    Aug 09 10:29:16 linux-9wtz systemd[1]: apache2.service: Unit entered failed state.
    Aug 09 10:29:16 linux-9wtz systemd[1]: apache2.service: Failed with result 'exit-code'.

    SELinux log: /var/log/audit/audit.log

    Could somebody give some tips? Thanks!

  2. #2
    Join Date
    May 2012
    Location
    Finland
    Posts
    2,004

    Re: Apache2 not working with selinux policy minimum

    Quote Originally Posted by wnereiz View Post
    Could somebody give some tips? Thanks!
    Stop using SELinux and use AppArmor which is actually supported on openSUSE, has the tools and pre-made configurations ready you can adjust and allows doing exactly the same thing as SELinux except without the retarded configuration.
    .: miuku #suse @ irc.freenode.net
    :: miuku@opensuse.org

    .: https://download.opensuse.org/repositories/home:/Miuku/

  3. #3
    Join Date
    Jun 2015
    Location
    Gensokyo
    Posts
    12

    Re: Apache2 not working with selinux policy minimum

    Quote Originally Posted by Miuku View Post
    Stop using SELinux and use AppArmor which is actually supported on openSUSE, has the tools and pre-made configurations ready ...
    Yes, I know. But I was required to do some tests with SELinux, and I have no choice

  4. #4
    Join Date
    May 2012
    Location
    Finland
    Posts
    2,004

    Re: Apache2 not working with selinux policy minimum

    Quote Originally Posted by wnereiz View Post
    Yes, I know. But I was required to do some tests with SELinux, and I have no choice
    Who requires you to do it and for what reason?

    If you want to use SELinux, you should use CentOS and/or RHEL/Fedora where it's supported properly and has guides for it.

  5. #5
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,268
    Blog Entries
    2

    Re: Apache2 not working with selinux policy minimum

    First,
    Make sure you've properly switched from AppArmor to SELinux.
    Then, make sure you've configured the proper mode you want to run. As you might imagine when first setting up a system you might want to configure "permissive" and only later switch to "enforcing." This is what is preventing your apache service from starting.

    The 42.3 documentation looks good, covering the same material I've read for previous versions of openSUSE.
    It also includes the very important "Troubleshooting" section at the end which describes the procedure for addressing your issues.

    https://doc.opensuse.org/documentati...a.selinux.html

    If you have specific questions, post with detail... eg the steps you took to set up, the audit logfile and any Troubleshooting you attempted.

    With a bit of work, I'd expect you should be successful.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  6. #6
    Join Date
    Jun 2015
    Location
    Gensokyo
    Posts
    12

    Re: Apache2 not working with selinux policy minimum

    Quote Originally Posted by tsu2 View Post
    ...

    The 42.3 documentation looks good, covering the same material I've read for previous versions of openSUSE.
    It also includes the very important "Troubleshooting" section at the end which describes the procedure for addressing your issues.

    https://doc.opensuse.org/documentati...a.selinux.html

    ...
    Solved! Thank you for the link to the document. It is really helpful.
    I checked "Troubleshooting" and found I hadn't generated a loadable module.

    Code:
    # audit2why -i /var/log/audit/audit.log
    
    ...
    type=AVC msg=audit(1502330706.498:468): avc:  denied  { append } for  pid=4025 comm="start_apache2" name="loadmodule.conf" dev="vda2" ino=1576484 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=0
    
            Was caused by:
                    Missing type enforcement (TE) allow rule.
    
                    You can use audit2allow to generate a loadable module to allow this access.
    ...
    Use audit2allow to generate from audit.log

    Code:
    # audit2allow -i /var/log/audit/audit.log -M apachemodule
    Then load it with semodule
    Code:
    # semodule -i apachemodule.pp
    
    # restorecon -Rp /
    Then start apache2
    Code:
    # systemctl start apache2
    It works now!
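
    The steps above build the module from every denial in audit.log, so it is worth listing which rules that would produce before loading it. The script below is an added example, not part of the original posts: the function names are made up here, and every sample record except the first (the denial quoted in the post) is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list what a module generated from an
# audit log would allow, optionally limited to one source domain.

# Constructed sample input. The first record is the denial quoted in the post;
# the remaining records are made up for illustration.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1502330706.498:468): avc:  denied  { append } for  pid=4025 comm="start_apache2" name="loadmodule.conf" dev="vda2" ino=1576484 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=0
type=AVC msg=audit(1502330706.499:469): avc:  denied  { write open } for  pid=4025 comm="start_apache2" name="global.conf" dev="vda2" ino=1576482 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=0
type=AVC msg=audit(1502330001.120:301): avc:  denied  { write } for  pid=912 comm="chronyd" name="chrony" dev="vda2" ino=1311010 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1502330706.498:468): arch=c000003e syscall=2 success=no exit=-13 comm="start_apache2"
EOF
}

# summarize_avc [source_type]: read audit records on stdin and print one merged
# candidate rule per (source type, target type, class) with a denial count.
summarize_avc() {
    awk -v dom="${1:-}" '
    /avc:[ ]+denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        if (match($0, /[{][^}]*[}]/))          # "{ append }" or "{ write open }"
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        if (dom != "" && src != dom) next      # keep only the requested domain
        key = src " " tgt ":" cls
        m = split(perms, p, " ")
        for (j = 1; j <= m; j++)               # merge permissions, no repeats
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                set[key] = set[key] " " p[j]
            }
        count[key]++
    }
    END {
        for (k in count)
            printf "allow %s {%s }; # %d denial(s)\n", k, set[k], count[k]
    }' | sort
}

# Everything the whole log would allow, then only what httpd_t needs.
sample_log | summarize_avc
sample_log | summarize_avc httpd_t
```

    On a real system the same function can be fed with `summarize_avc httpd_t < /var/log/audit/audit.log`; rules for unrelated domains in the unfiltered output are the ones a whole-log module would also grant.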

  7. #7
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,268
    Blog Entries
    2

    Re: Apache2 not working with selinux policy minimum

    Cool!
    And, of course, many projects specify SELinux, possibly because whoever wrote the specifications never heard of AppArmor.

    TSU
