Thread: centos + apache + php-fcgi + vhost + chroot problem

hey folks,

i've got a little problem with the given topic. i followed the nixcraft tut "Red Hat / CentOS: Chroot Apache 2 Web Server, knowing that it was written for mod_php. i thought i could fix the rest, but obviously i can't, so i will need a little help from you guys.

Apache Error Log says:
[notice] SELinux policy enabled, httpd running as context root:system_r:unconfined_t:SystemLow-SystemHigh
[notice]suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[notice]ModSecurity for Apache/2.5.13 configured
[notice]mod_chroot: changed root to /httpjail
[ermerg](2) No such file or directory: mod_fcgid: Can't create share memory for size %zu byte

does anyone know how to fix this? do you need further information to help?

thx everyone.

Seems like SELinux related problem. See log file or disable the SELinux and try again.

hi raj,

thx for the advice. i tried it and actually it seems to be a selinux problem. do you know how to enable that module via selinux, so that i dont have to deactive it completely?

You will see an error message in /var/log/messages file related to selinux. Run sealert command to get information. Here is an example of the same from my /var/log/messages

Code:

Mar  5 19:23:45 p-www588 setroubleshoot: SELinux is preventing the http daemon from reading users' home directories. For complete SELinux messages. run sealert -l 009d348a-d6a1-4293-9fcb-0fec54c7a8f8

So you need to run

Code:

sealert -l 009d348a-d6a1-4293-9fcb-0fec54c7a8f8

sample outputs

Code:

Summary:

SELinux is preventing the http daemon from reading users' home directories.

Detailed Description:

SELinux has denied the http daemon access to users' home directories. Someone is
attempting to access your home directories via your http daemon. If you have not
setup httpd to share home directories, this probably signals a intrusion
attempt.

Allowing Access:

If you want the http daemon to share home directories you need to turn on the
httpd_enable_homedirs boolean: "setsebool -P httpd_enable_homedirs=1"

The following command will allow this access:

setsebool -P httpd_enable_homedirs=1

Additional Information:

Source Context                system_u:system_r:httpd_t
Target Context                root:object_r:home_root_t
Target Objects                lighttpd [ lnk_file ]
Source                        lighttpd
Source Path                   /usr/sbin/lighttpd
Port                          <Unknown>
Host                          p-www588.xxxxyyyzz.mil.in
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-300.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   httpd_enable_homedirs
Host Name                     p-www588.xxxxyyyzz.mil.in
Platform                      Linux p-www588.xxxxyyyzz.mil.in 2.6.18-238.5.1.el5 #1
                              SMP Mon Feb 21 05:52:39 EST 2011 x86_64 x86_64
Alert Count                   16
First Seen                    Sun Jan 23 11:56:43 2011
Last Seen                     Sat Mar  5 19:23:45 2011
Local ID                      009d348a-d6a1-4293-9fcb-0fec54c7a8f8
Line Numbers                  

Raw Audit Messages            

host=p-www588.xxxxyyyzz.mil.in type=AVC msg=audit(1299374625.218:23): avc:  denied  { read } for  pid=3845 comm="lighttpd" name="lighttpd" dev=sda2 ino=10551313 scontext=system_u:system_r:httpd_t:s0 tcontext=root:object_r:home_root_t:s0 tclass=lnk_file

host=p-www588.xxxxyyyzz.mil.in type=SYSCALL msg=audit(1299374625.218:23): arch=c000003e syscall=4 success=no exit=-13 a0=3e9f880 a1=7fffdfc8ee30 a2=7fffdfc8ee30 a3=7474682f7a69622e items=0 ppid=3741 pid=3845 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=system_u:system_r:httpd_t:s0 key=(null)

The above provides detailed error and solution too.