Posted to users@httpd.apache.org by Joe Orton <jo...@redhat.com> on 2004/12/07 02:58:19 UTC

[users@httpd] Re: http startup problem

On Mon, Dec 06, 2004 at 05:40:07PM -0800, Arthur Stephens wrote:
> I do not know if this is a SELinux problem or httpd problem.
> 
> Upgraded to the latest SELinux and now httpd fails with the following message
> 
> Dec 6 20:13:03 webmail kernel: audit(1102392783.654:0): avc: denied { unlink } for pid=2005 exe=/usr/sbin/httpd name=ssl_mutex.2005 dev=dm-0 ino=228205 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file
> Dec 6 20:13:04 webmail httpd: httpd startup succeeded
> Dec 6 20:13:04 webmail kernel: audit(1102392784.995:0): avc: denied { unlink } for pid=2006 exe=/usr/sbin/httpd name=ssl_mutex.2005 dev=dm-0 ino=228205 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file
> 
> The httpd error log shows
> [Mon Dec 06 20:13:04 2004] [error] (17)File exists: Cannot create SSLMutex with file `/etc/httpd/logs/ssl_mutex.2005'
> Configuration Failed

To confirm, you are using the stock Fedora httpd and apr packages? Per
my previous mail, this really should only happen if you have configured
SSLMutex to something other than the default setting of "default" in the
Fedora /etc/httpd/conf.d/ssl.conf.  Can you double-check that?

Regards,

joe

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Re: http startup problem

Posted by Arthur Stephens <as...@ptera.net>.
So to get over the hump I used audit2allow to write an allow rule, which I
put in local.te.
Not the best, I have been told, but I need to move on...

Arthur Stephens
Senior Sales Technician
Ptera Wireless Internet
astephens@ptera.net
509-927-Ptera
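
What an audit2allow-style rule for the denials quoted in this thread looks like, as an added example that is not part of the original post and is not audit2allow's own code. The function names are illustrative, and the sample input is the log text quoted in the thread, one record per line.

```python
import re
from collections import defaultdict

# The syslog records quoted in the thread, one per line.
SAMPLE_LOG = """\
Dec 6 20:13:03 webmail kernel: audit(1102392783.654:0): avc: denied { unlink } for pid=2005 exe=/usr/sbin/httpd name=ssl_mutex.2005 dev=dm-0 ino=228205 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file
Dec 6 20:13:04 webmail httpd: httpd startup succeeded
Dec 6 20:13:04 webmail kernel: audit(1102392784.995:0): avc: denied { unlink } for pid=2006 exe=/usr/sbin/httpd name=ssl_mutex.2005 dev=dm-0 ino=228205 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_log_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated record: not enough to build a rule
    return {
        "perms": m.group("perms").split(),
        "source": fields["scontext"].split(":")[2],  # user:role:type
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "name": fields.get("name"),
    }


def allow_rules(log_text):
    """Collapse denials into one allow rule per (source, target, class).

    Returns (rule, file names seen) pairs. The names are kept only for
    review: a type-enforcement rule cannot mention them.
    """
    perms, names = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["source"], d["target"], d["tclass"])
        perms[key].update(d["perms"])
        if d["name"]:
            names[key].add(d["name"])
    out = []
    for key in sorted(perms):
        p = sorted(perms[key])
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append((f"allow {key[0]} {key[1]}:{key[2]} {perm_text};",
                    sorted(names[key])))
    return out


if __name__ == "__main__":
    for rule, seen in allow_rules(SAMPLE_LOG):
        print(rule)
        print(f"# denied on: {', '.join(seen)}; rule covers every file of that type")
```

The generated rule names only types, so it lets httpd_t unlink any file labelled httpd_log_t, not just the stale ssl_mutex file that triggered the denial.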



Re: [users@httpd] Re: http startup problem

Posted by "Ivan Barrera A." <Br...@Ivn.cl>.
Fedora Core 3 doesn't have SELinux enabled by default. Sometimes when you 
upgrade, SELinux gets activated, don't know why.
If you don't want to get rootkilled, secure your php, cgi's, use a decent 
set of iptables rules, and keep the machine updated. (SELinux is good.. 
but you need to understand how it works first)

Arthur Stephens wrote:
> That does me no good. I moved to Fedora Core 3 for the secure linux. I am
> sick and tired of my servers being root-kitted.
> I want every level of security I can get to keep them $**&^@ out of my
> systems.


Re: [users@httpd] Re: http startup problem

Posted by Arthur Stephens <as...@ptera.net>.
That does me no good. I moved to Fedora Core 3 for the secure linux. I am
sick and tired of my servers being root-kitted.
I want every level of security I can get to keep them $**&^@ out of my
systems.

----- Original Message ----- 
From: "Ivan Barrera A." <Br...@Ivn.cl>
To: <us...@httpd.apache.org>
Sent: Tuesday, December 07, 2004 9:23 AM
Subject: Re: [users@httpd] Re: http startup problem


> It seems it's a SElinux problem
> put in /etc/sysconfig/selinux
> SELINUX=disabled
>
> and rebooooot


Re: [users@httpd] Re: http startup problem

Posted by "Ivan Barrera A." <Br...@Ivn.cl>.
It seems it's a SElinux problem
put in /etc/sysconfig/selinux
SELINUX=disabled

and rebooooot


Arthur Stephens wrote:
> That has not been changed.
> Everything is as it is installed by the fedora core 3 installation disk
> except for the upgrade to the SElinux package. The httpd.conf file is copied
> over from the fedora core 2 install that I am trying to replace.


Re: [users@httpd] Re: http startup problem

Posted by Arthur Stephens <as...@ptera.net>.
That has not been changed.
Everything is as it is installed by the fedora core 3 installation disk
except for the upgrade to the SElinux package. The httpd.conf file is copied
over from the fedora core 2 install that I am trying to replace.
