RHEL: SELinux blocking start of kickstart - rhel5

I am having an issue when I select a kickstart profile to start the installation after PXE boot. On the network installation server (same DHCP server) side I can see the following error in /var/log/messages when I hit this issue.
Nov 13 17:42:30 desktop10 dhcpd: DHCPDISCOVER from 00:0c:29:90:39:53 via eth0
Nov 13 17:42:30 desktop10 dhcpd: DHCPOFFER on 192.168.174.2 to 00:0c:29:90:39:53 via eth0
Nov 13 17:42:32 desktop10 dhcpd: Dynamic and static leases present for 192.168.174.2.
Nov 13 17:42:32 desktop10 dhcpd: Remove host declaration desktopy or remove 192.168.174.2
Nov 13 17:42:32 desktop10 dhcpd: from the dynamic address pool for 192.168.174/24
Nov 13 17:42:32 desktop10 dhcpd: DHCPREQUEST for 192.168.174.2 (192.168.174.10) from 00:0c:29:90:39:53 via eth0
Nov 13 17:42:32 desktop10 dhcpd: DHCPACK on 192.168.174.2 to 00:0c:29:90:39:53 via eth0
Nov 13 17:42:32 desktop10 in.tftpd[20546]: tftp: client does not accept options
Nov 13 17:42:36 desktop10 setroubleshoot: SELinux is preventing in.tftpd (tftpd_t) "read" to ./vmlinuz (httpd_sys_content_t). For complete SELinux messages. run sealert -l 97c61847-7ea2-435f-bede-c95302b034f5
On the server, the SELinux security contexts:
[root@desktop10 ~]# ls -Z /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz
-rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz
Note: desktop10 is RHEL 5.6; if I change SELinux to permissive then I can proceed with the installation.
Can someone help me sort out this issue? Please let me know if anyone needs more info.
Tried as suggested in the comment but no luck:
[root@desktop10 ~]# restorecon -Rv /tftpboot/
[root@desktop10 ~]# ls -Z /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz
-rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz

Your files are labeled 'httpd_sys_content_t', which is not an acceptable label for kickstart. It looks like you copied the file from an Apache directory or you created the file from a web application running on Apache.
Relabel the directory with the default labels:
[root@localhost /]# restorecon -Rv /tftpboot

I think it may work if you try to relabel the directory with tftpd context tftpd_rw_t:
# semanage fcontext -a -t tftpd_rw_t '/tftpboot(/.*)?'
# restorecon -R -v /tftpboot
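As an added illustration (not part of the thread and not the answerers' commands), the script below audits an `ls -Z` listing of a TFTP root, reports every entry whose type is not the one the tftpd domain is allowed to read, and prints the persistent fix: a `semanage fcontext` rule followed by `restorecon`, so the label survives a future relabel (a plain `chcon` would not). It assumes `tftpdir_t` is the default type for /tftpboot content in the targeted policy; confirm on the real host with `matchpathcon /tftpboot`. The listing embedded in the script is constructed sample data so it runs on a machine without SELinux tools; on the server replace it with the output of `ls -Z -R /tftpboot`.

```shell
#!/bin/sh
# Constructed sample of `ls -Z` output for a /tftpboot tree (not real host data).
SAMPLE_LS_Z='-rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz
-rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t /tftpboot/images/ks-rhel-x86_64-server-6-60/initrd.img
-rw-r--r-- root root system_u:object_r:tftpdir_t /tftpboot/pxelinux.0'

# Expected type for TFTP content in the targeted policy (assumption; check with
# `matchpathcon /tftpboot` on the server).
EXPECTED_TYPE=tftpdir_t

# type_of CONTEXT -> prints the SELinux type (third field of user:role:type[:level]).
type_of() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

# mislabeled_files LISTING EXPECTED_TYPE -> prints "actual_type<TAB>path" for
# every entry whose type differs. Columns: perms user group context path.
mislabeled_files() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF >= 5 {
            split($4, ctx, ":")
            if (ctx[3] != want) print ctx[3] "\t" $5
        }'
}

# count_mislabeled LISTING EXPECTED_TYPE -> number of mislabeled entries.
count_mislabeled() {
    mislabeled_files "$1" "$2" | awk 'END { print NR }'
}

# relabel_plan TFTP_ROOT EXPECTED_TYPE -> the persistent fix: record the rule
# in the fcontext database so restorecon (and any later relabel) applies it.
relabel_plan() {
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
    printf 'restorecon -R -v %s\n' "$1"
}

# Stand-alone run: report findings for the constructed sample.
n=$(count_mislabeled "$SAMPLE_LS_Z" "$EXPECTED_TYPE")
if [ "$n" -gt 0 ]; then
    echo "$n entries not labeled $EXPECTED_TYPE:"
    mislabeled_files "$SAMPLE_LS_Z" "$EXPECTED_TYPE"
    relabel_plan /tftpboot "$EXPECTED_TYPE"
fi
```

If `restorecon` leaves a label unchanged, as in the question, the label it applied is whatever the fcontext database says for that path, which is why recording the rule with `semanage` comes before running `restorecon` again.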

Failed to start The Apache HTTP Server on ubuntu 18.04

I am trying to create a web server on my Ubuntu 18.04, so I installed Apache2, but I can't start it.
Here's what appeared when I ran the systemctl status apache2.service command:
apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/apache2.service.d
└─apache2-systemd.conf
Active: failed (Result: exit-code) since Sat 2020-02-22 13:58:09 CET; 34s ago
Process: 2791 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
Feb 22 13:58:09 moemen apachectl[2791]: AH00558: apache2: Could not reliably determine the server's
Feb 22 13:58:09 moemen apachectl[2791]: (98)Address already in use: AH00072: make_sock: could not b
Feb 22 13:58:09 moemen apachectl[2791]: (98)Address already in use: AH00072: make_sock: could not b
Feb 22 13:58:09 moemen apachectl[2791]: no listening sockets available, shutting down
Feb 22 13:58:09 moemen apachectl[2791]: AH00015: Unable to open logs
Feb 22 13:58:09 moemen apachectl[2791]: Action 'start' failed.
Feb 22 13:58:09 moemen apachectl[2791]: The Apache error log may have more information.
Feb 22 13:58:09 moemen systemd[1]: apache2.service: Control process exited, code=exited status=1
Feb 22 13:58:09 moemen systemd[1]: apache2.service: Failed with result 'exit-code'.
Feb 22 13:58:09 moemen systemd[1]: Failed to start The Apache HTTP Server.
I'm new at this, can you please help me?
I also faced the same problem.
First check:
$ sudo systemctl status nginx
If nginx is active then stop it with:
$ sudo systemctl stop nginx
then try again to start the apache2 server in a different terminal.
First remove apache2:
sudo apt-get --purge remove apache2
sudo apt-get autoremove
After that, if there are files (.conf) in /etc/sites-available, remove them using:
rm example.com.conf
then install it again:
sudo apt-get install apache2
Now it will be fixed; check it now:
sudo ufw allow 'Apache'
sudo systemctl status apache2
Let me give a more general answer than the first 2. One possible problem with Apache is that when we try to run it, it may fail because port 80 is used by other software:
a common case is nginx, which is covered by Devashish Mishra
in my case it was a server app that I deployed (in node.js, I had to tell pm2 to stop it)
in general, you may want to find what uses port 80. This may be done as Chi.C.J.Rajeeva Lochana has suggested: install netstat if you don't have it (sudo apt install net-tools) and use it: sudo netstat -antup | grep 80. It will show some lines which may include :::80 or <your IP>:80, which will tell what is listening on the port
Once you've found what listens on port 80, you have to decide what to do with it. For instance, if that's nginx and you don't use it, you may go like Devashish Mishra has suggested: just stop it (sudo systemctl stop nginx). Likewise, you can stop or kill (sudo killall -9 program-name) other programs. However, if you need them, you'll also need to further configure Apache and rerun them (the exact steps highly depend on the case).
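As an added example (not code from any of the answers), the script below automates the triage the general answer describes: it classifies the `apachectl` journal lines by their Apache error codes, pulls the port numbers out of the `AH00072 make_sock` lines, and then looks up which PID/program holds each of those ports in `netstat -antup` output. Both the journal lines and the netstat table are constructed samples modeled on the question, so the script runs offline; on a real host feed it `journalctl -u apache2` and `sudo netstat -antup` instead. The netstat column layout (net-tools on Linux) is an assumption.

```shell
#!/bin/sh
# Constructed journal lines modeled on the question (not copied from a live host).
SAMPLE_JOURNAL='Feb 22 13:58:09 host apachectl[2791]: AH00558: apache2: Could not reliably determine the server FQDN
Feb 22 13:58:09 host apachectl[2791]: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
Feb 22 13:58:09 host apachectl[2791]: (98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
Feb 22 13:58:09 host apachectl[2791]: no listening sockets available, shutting down
Feb 22 13:58:09 host apachectl[2791]: AH00015: Unable to open logs'

# Constructed `netstat -antup` output (assumption: net-tools column layout on Linux).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1234/nginx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 800/sshd
tcp6 0 0 :::80 :::* LISTEN 1234/nginx
udp 0 0 0.0.0.0:68 0.0.0.0:* 700/dhclient'

# diagnose JOURNAL -> space-separated list of the causes recognised in the log.
# AH00072 = could not bind a listening socket; AH00015 = could not open logs.
diagnose() {
    found=""
    if printf '%s\n' "$1" | grep -q 'AH00072'; then found="$found port-conflict"; fi
    if printf '%s\n' "$1" | grep -q 'AH00015'; then found="$found logs-unavailable"; fi
    printf '%s\n' "${found# }"
}

# bind_conflict_ports JOURNAL -> the port numbers Apache could not bind, one per line.
bind_conflict_ports() {
    printf '%s\n' "$1" | sed -n 's/.*could not bind to address .*:\([0-9]\{1,\}\)$/\1/p' | sort -u
}

# port_holder NETSTAT PORT -> PID/program listening on PORT. Only LISTEN rows
# are considered: UDP rows have no State column, so their fields shift left
# and would otherwise be misread.
port_holder() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $6 == "LISTEN" {
            n = split($4, addr, ":")
            if (addr[n] == port) print $7
        }' | sort -u
}

# Stand-alone run over the constructed samples.
causes=$(diagnose "$SAMPLE_JOURNAL")
echo "Detected: $causes"
for p in $(bind_conflict_ports "$SAMPLE_JOURNAL"); do
    echo "Port $p is held by: $(port_holder "$SAMPLE_NETSTAT" "$p")"
done
```

In this sample the `AH00015` line follows the bind failure, so the port conflict is the first thing to resolve; only if no `AH00072` line is present does the log-directory explanation from the other answer become the leading candidate.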
Please read this carefully.
Perform the following command, and if you see it is Apache, then do what follows below the command.
Note: You need to install the net-tools package before you could run netstat. Run sudo apt install net-tools to install it.
sudo netstat -antup | grep 80
You should check the line with something like <Your IP>:80.
Please note that this might also happen when you uninstall Apache when it is running.
The command could be:
sudo killall -9 program-name
Replace program-name with the program's name if the program running on port 80 is not stoppable. Let me know if it doesn't work.
Thanks.
I found this problem and was able to solve it by creating a folder /var/log/apache2. I checked in the /var/log/ folder and it turns out that there is no apache2 folder, just like in the case of mysql that won't start.
As seen from your log:
Feb 22 13:58:09 moment apachectl[2791]: AH00015: Unable to open logs
Maybe this will help.
On your terminal, type:
sudo stop /etc/init.d/apache2
The response will be:
Stopping apache2 (via systemctl): apache2.service.
Now start the server:
sudo /opt/lampp/lampp start
If you installed LAMPP correctly this should work.

boot2docker windows 10, unable to access container via browser

I am trying to use docker on Windows 10 via boot2docker and VB.
boot2docker ssh
boot2docker ip => 192.168.59.103
docker run -tip 80:80 tutum/apache-php bash
ping 192.168.59.103 from host machine
It sounds like it is working pretty well except:
via the browser, when I go to http://192.168.59.103 the page is not found.
Do you have any idea about my issue?
Thanks.
Edit: my logs
docker@boot2docker:~$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ecb75ba8f5f9 tutum/apache-php "/run.sh" 20 minutes ago Up 20 minutes 0.0.0.0:80->80/tcp ecstatic_galileo
docker@boot2docker:~$ docker logs ec
==> /var/log/apache2/access.log <==
==> /var/log/apache2/error.log <==
==> /var/log/apache2/other_vhosts_access.log <==
==> /var/log/apache2/error.log <==
[Mon Aug 17 10:18:25.361931 2015] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.11 configured -- resuming normal operations
[Mon Aug 17 10:18:25.363857 2015] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
docker@boot2docker:~$
You've told the container to run a bash shell, not a web server.
Try changing the run command to:
docker run -d -p 80:80 tutum/apache-php
Then access the URL. That should run the default command for the container, which will presumably start Apache. In your case you overrode the default command to be "bash", which won't start Apache.

Apache not starting LAMP

I have successfully started an AWS instance. I can connect with Putty and also
with WinSCP. I have ports 80 and 443 open and SSH port 22. I have installed LAMP successfully: Apache seems to start OK on the server:
[ec2-user ~]$ chkconfig --list httpd
httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
but when I enter the public DNS address in the browser it times out!
I also get this report from:
[ec2-user ~]$ ls -l /var/www
total 20
drwxrwsr-x 2 root www 4096 Mar 18 20:24 cgi-bin
drwxrwsr-x 3 root www 4096 Apr 16 21:41 error
drwxrwsr-x 2 root www 4096 Apr 16 22:32 html
drwxrwsr-x 3 root www 4096 Apr 16 21:41 icons
drwxrwsr-x 2 root www 4096 Apr 16 21:41 noindex
[ec2-user@ip-172-31-24-2 ~]$ ^C
[ec2-user@ip-172-31-24-2 ~]$
I'm totally new to this so any help much appreciated!
I'm using a Windows 7 machine and the AWS instance is linux.
Can you please send "sudo netstat -nltp"? You also said 80 and 443 are open; these are opened via security groups, right?
The first thing to check when a browser times out is the Security Group. Do you have a rule in your instance's security group that will authorize traffic to TCP Port 80 and / or TCP port 443 ?
If this is correct and SSH connectivity to the instance is OK too (it rules out networking issues), then I would check if your Apache server is actually running. Nothing in the command output shared in your question actually proves Apache is running. Type ps ax | grep http to verify whether the http daemon is running or not. Also type netstat -tnlp as suggested in another reply to verify the http process is actually listening on TCP port 80 or TCP port 443.
Seb

(13)Permission denied: access to /~me denied

I am trying to configure Apache httpd.conf (on my CentOS 6.4) to allow access to my user directory (i.e. ~me/public_html/index.html).
I changed the original httpd.conf (i.e. out-of-the-box) as follows:
[root@myhost www]# diff /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.orig.out-of-the-box
366c366
< #UserDir disabled
---
> UserDir disabled
373c373
< UserDir public_html
---
> #UserDir public_html
This should in principle provide access to http://myhost/~me but instead, I am getting the dreaded error:
You don't have permission to access /~me on this server.
I checked the file /var/log/httpd/error_log and, sure enough, it reads:
(13)Permission denied: access to /~me denied
The first weird thing I noticed is that a / is prepended to ~me.
Where does that leading / come from?
Is it only a "red herring"?
Or is this pointing to the root cause of the problem (i.e. something else I need to modify in httpd.conf)?
Most importantly, since I know that my ~me/public_html has world-readable permissions, how do I troubleshoot a problem like this?
Is there a way to find out why "access to /~me denied"?
SELinux?
httpd.conf?
directory permissions?
all of the above?
Update 1, answering the 2 questions in the comments by @UlrichSchwarz below:
The home directory does seem to have the 'x' permission:
[root@myhost ~]# ls -lad /home/me
drwxr-xr-x. 33 me me 4096 Feb 8 16:30 /home/me
SELinux info on public_html:
[root@myhost ~]# ls -Z -d /home/me/public_html/
drwxrwxr-x. me me unconfined_u:object_r:file_t:s0 /home/me/public_html/
Update 2, after I verified that this is indeed an SELinux issue (thanks to the tip by @Scolytus):
I ran the command:
chcon -R -t httpd_user_content_t /home/me/public_html/
Still no go.
[root@myhost ~]# ls -Z -d /home/me/public_html/
drwxrwxr-x. me me unconfined_u:object_r:httpd_user_content_t:s0 /home/me/public_html/
Then I ran "Allow HTTPD to read home directories" from the command line:
setsebool -P httpd_enable_homedirs=1
Still no go.
/var/log/httpd/error_log now shows (in addition to the (13)permission denied error) the following:
[notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[notice] Digest: generating secret for digest authentication ...
[notice] Digest: done
[notice] Apache/2.2.15 (Unix) DAV/2 configured -- resuming normal operations
Perhaps the problem lies in the discrepancy between context_system_u and httpd_user_content_t?
What else do I need to do? (without disabling SELinux completely, that is)
Update 3, thanks to information in @lserni's answer, I discovered the ausearch command:
ausearch -m avc --start today
Which provided the following output:
time->Fri Jul 4 09:16:44 2014
type=SYSCALL msg=audit(1404479804.256:1312): arch=40000003 syscall=196 success=no exit=-13 a0=12c2c80 a1=bfeb1d00 a2=a34ff4 a3=2008171 items=0 ppid=5880 pid=5886 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=193 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1404479804.256:1312): avc: denied { getattr } for pid=5886 comm="httpd" path="/home/me" dev=dm-3 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Huh? Why /home/me and not /home/me/public_html?
Here is the output of ls -Zd /home/me/:
drwxr-xr-x. me me system_u:object_r:file_t:s0 /home/me/
Should I run the chcon -t httpd_user_content_t on /home/me, too?
Continuing to research...
Update 4: Success!
I ran the command:
chcon -t httpd_user_content_t /home/me/
And all is well now.
[root@myhost sa]# ls -Z -d /home/me/
drwxr-xr-x. me me system_u:object_r:httpd_user_content_t:s0 /home/me/
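As an added example (not from the question or any answer), the script below reads a `type=AVC` record of the kind `ausearch -m avc` prints, breaks it into the fields that matter for triage (source domain, denied permission, object class, path and target type) and suggests the next step. It encodes the point Update 3 and 4 arrived at the hard way: the denial names /home/me rather than public_html because httpd must traverse the parent directory first, and a target type of `file_t` means the object carries no label at all, so the fix is to restore the policy default with `restorecon` rather than set one by hand with `chcon` (a `chcon` label does not survive a relabel). For any other target type it only prints the commands to compare the actual label with what policy expects. The record embedded below is constructed, modeled on the one in Update 3.

```shell
#!/bin/sh
# Constructed AVC record modeled on the one in Update 3 (not copied from a live host).
SAMPLE_AVC='type=AVC msg=audit(1404479804.256:1312): avc: denied { getattr } for pid=5886 comm="httpd" path="/home/me" dev=dm-3 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir'

# avc_field RECORD KEY -> value of KEY=... in the record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            if (index($i, key "=") == 1) {
                v = substr($i, length(key) + 2)
                gsub(/"/, "", v)
                print v
                exit
            }
        }
    }'
}

# avc_permission RECORD -> the permission inside "denied { ... }".
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# context_type CONTEXT -> the type field of user:role:type[:level].
context_type() {
    printf '%s\n' "$1" | awk -F: '{ print $3 }'
}

source_type() { context_type "$(avc_field "$1" scontext)"; }
target_type() { context_type "$(avc_field "$1" tcontext)"; }

# avc_summary RECORD -> one-line human summary of the denial.
avc_summary() {
    printf '%s denied %s on %s %s (labeled %s)\n' \
        "$(source_type "$1")" "$(avc_permission "$1")" \
        "$(avc_field "$1" tclass)" "$(avc_field "$1" path)" "$(target_type "$1")"
}

# avc_fix RECORD -> suggested next step. file_t means the object has no label,
# so restore the policy default; otherwise compare actual vs expected label
# (matchpathcon prints what the fcontext database says the path should carry).
avc_fix() {
    path=$(avc_field "$1" path)
    if [ "$(target_type "$1")" = "file_t" ]; then
        printf 'restorecon -v %s\n' "$path"
    else
        printf 'ls -Z -d %s; matchpathcon %s\n' "$path" "$path"
    fi
}

# Stand-alone run over the constructed record.
avc_summary "$SAMPLE_AVC"
avc_fix "$SAMPLE_AVC"
```

To use it on a real host, pipe each record through the functions: `ausearch -m avc --start today | grep '^type=AVC' | while read -r rec; do avc_summary "$rec"; done`.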
I've seen a slightly different version of the command you gave, supplied by sealert:
SELinux denied access to /var/www/html/file1 requested by httpd.
/var/www/html/file1 has a context used for sharing by different
program. If you would like to share /var/www/html/file1 from httpd
also, you need to change its file context to public_content_t. If
you did not intend to this access, this could signal a intrusion
attempt.
Allowing Access:
You can alter the file context by executing chcon -t public_content_t
'/var/www/html/file1'
Fix Command:
chcon -t public_content_t '/var/www/html/file1'
how do I troubleshoot a problem like this?
Most SELinux-related information is generally in the auditd logs, but you probably want some tool such as sealert to decode it for you. I've done a brief search and came up with this tool that I didn't know of, but seems interesting: SELinux GUI.
Addendum: Some examples with semanage
I can't check immediately, but I recall that commenting out the UserDir disabled isn't the same as enabling!
More specifically, I think you need to include a line in your httpd.conf file
Userdir enabled me

apache cannot access public_html on CIFS

I have my computer on a network, and the whole home directory is mounted at login with CIFS. When I access http://localhost everything works fine, but when I access http://localhost/~user it fails.
# cat /etc/mtab
.....
//192.168.1.5/user/ /home/user cifs rw,mand 0 0
ls -l
...
drwxrwxrwx 37 user domain users 0 2011-12-22 09:12 public_html
The browser says:
Forbidden
You don't have permission to access /~lluisforns on this server.
And Apache says:
cat /var/log/apache2/error.log
[Thu Dec 22 18:19:09 2011] [error] [client 127.0.0.1] (13)Permission denied: access to /~lluisforns denied
Any idea?
Had the same issue, and it turned out to be an SELinux thing: SELinux has a setting that prevents httpd (Apache) from following CIFS links.
To see if you have this issue:
getsebool -a | grep httpd
you should see httpd_use_cifs --> on. If not, you're in luck - this is your problem.
To fix:
setsebool httpd_use_cifs on
You may also decide to disable SELinux altogether (assuming you know the risk) - here is a link to one relevant page