Chris Adams wrote:
> Once upon a time, Mike Wright <nob...@nospam.hostisimo.com> said:
>> I don't understand how his logs are accessible to the web.  They are
>> not under the DocumentRoot.  error.log is above it and access.log is
>> next to it.  Is it somehow possible for a client to reach above / ?
> 
> I didn't look at the posted configs (I haven't run Apache in ages,
> switched to nginx), so I didn't know the DocumentRoot.  I just saw the
> directory path as /var/www/<domain>, which I've seen lots of people use
> as their DocumentRoot.

It looked odd to me as well.  Apparently, the SELinux policy
tries to help with such a configuration (though it wouldn't
match Patrick's).

Checking the labeling via `semanage fcontext -l`, the
following patterns are in place (among many others for
/var/www/*):

SELinux fcontext            type        Context
===============================================
/var/www(/.*)?              all files   system_u:object_r:httpd_sys_content_t:s0
/var/www(/.*)?/logs(/.*)?   all files   system_u:object_r:httpd_log_t:s0

Neither of these would match the log files in the
configuration posted earlier:

    <VirtualHost *:80>
        ServerName bree.org.uk
        ServerAdmin pocallag...@gmail.com
        DocumentRoot /var/www/bree.org.uk/html
        ErrorLog /var/www/bree.org.uk/error.log
        CustomLog /var/www/bree.org.uk/log/access.log combined
    </VirtualHost>

So while the logs wouldn't be served up by httpd as part of
the document root, they would both be denied by SELinux
AFAICT.

Putting them both under /var/www/bree.org.uk/logs/ would
help in that respect; though personally I'd put them under
/var/log/httpd unless I were running a web hosting service
or something¹.

¹ and if I'm ever running a web hosting service, I have
  likely lost my mind and should be ignored (more so than I
  am now, if that's possible).

-- 
Todd
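
An added example, not part of the original message: it applies the two fcontext patterns quoted above to the log paths in the posted VirtualHost and reports which type each path would receive. The function names are hypothetical, and the "longest pattern wins" precedence is a simplifying assumption that holds for these two rules, not the full libselinux ordering.

```python
import re

# The two rules quoted from `semanage fcontext -l` in the message.
RULES = [
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/var/www(/.*)?/logs(/.*)?", "httpd_log_t"),
]

# Relevant directives from the VirtualHost posted in the thread.
VHOST = """\
<VirtualHost *:80>
    ServerName bree.org.uk
    DocumentRoot /var/www/bree.org.uk/html
    ErrorLog /var/www/bree.org.uk/error.log
    CustomLog /var/www/bree.org.uk/log/access.log combined
</VirtualHost>
"""

def label_for(path, rules=RULES):
    """Return the SELinux type of the rule that applies to path, or None.

    file_contexts patterns are anchored, so they must match the whole path.
    Assumption: among several matches, the longest pattern string wins.
    """
    hits = [(len(pat), typ) for pat, typ in rules if re.fullmatch(pat, path)]
    return max(hits)[1] if hits else None

def log_paths(conf):
    """Extract absolute file targets of ErrorLog/CustomLog (skips pipes, syslog)."""
    return re.findall(r"^\s*(?:ErrorLog|CustomLog)\s+(/\S+)", conf, re.M | re.I)

def audit(conf, rules=RULES):
    """Map each log path to (type, ok); ok means the type is httpd_log_t."""
    result = {}
    for path in log_paths(conf):
        typ = label_for(path, rules)
        result[path] = (typ, typ == "httpd_log_t")
    return result

if __name__ == "__main__":
    for path, (typ, ok) in audit(VHOST).items():
        print(f"{'ok ' if ok else 'FIX'} {path} -> {typ}")
    # The relocation suggested in the message picks up the log type:
    moved = "/var/www/bree.org.uk/logs/access.log"
    print(f"    {moved} -> {label_for(moved)}")
```

On a real system, `matchpathcon <path>` or `restorecon -nv <path>` gives the authoritative answer from the installed policy.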
