Set up apache and the log path with SELinux

Set_up_apache_and_the_log_path_with_SELinuxDepending on your backup strategy you might run into difficulties backing up the entire /etc directory. Running a default installation of Apache on CentOS you will have the log directory of Apache linked from within the /etc/httpd/ directory. If your backup solution backed-up those as well, the backups would contain the logs and quickly become huge.

Changing the log path

Starting from the default configuration, it is very simple to replace “logs/” with the real path “/var/log/httpd/” without a symbolic link. After doing so, the link from /etc/httpd/ to the log directory is removed. The following commands will create a backup copy of the apache config files and then replace the original log path with the direct one. After that, the last command is removing the link from the /etc/httpd/ directory:

Advertisements
$ cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.original
$ cat /etc/httpd/conf/httpd.conf.original | sed 's/logs\//\/var\/log\/httpd\//' >/etc/httpd/conf/httpd.conf
$ cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.original
$ cat /etc/httpd/conf.d/ssl.conf.original | sed 's/logs\//\/var\/log\/httpd\//' >/etc/httpd/conf.d/ssl.conf
$ rm /etc/httpd/logs

Setup SSL certificates

After you have uploaded SSL certificate files and restarted the web-server you might run into the following error that prevents Apache from starting:

[Sun Sep 08 18:42:17 2013] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Sun Sep 08 18:42:17 2013] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun Sep 08 18:42:17 2013] [error] (13)Permission denied: Init: Can't open server certificate file /etc/cert/path/cert_filename.crt

These lines in the Apache error_log show that SELinux jumped in and blocked access to the certificate file. This is because you probably uploaded the file(s) first to one of your home directories and then moved them somewhere in the /etc directory. To correct the context of this file, execute the following command. This will set the context so Apache is allowed to access it:

$ restorecon -RvF /etc/cert/
restorecon reset /etc/cert/path/cert_filename.crt context unconfined_u:object_r:user_home_t:s0->system_u:object_r:etc_t:s0

If you start Apache now, it will start and access the certificate files as expected. The same issue might happen with uploaded content in the /var/www/html directory. To correct the SELinux context for the web-content as well, execute “restorecon” with the path to the web-content:

$ restorecon -RvF /var/www/html

Read more of my posts on my blog at http://blog.tinned-software.net/.

This entry was posted in Linux Administration, Security and tagged , , . Bookmark the permalink.