Centos 7 – Won’t Boot After Yum Update, SELinux Problem (DigitalOcean)

Today, as I was updating my droplet in DigitalOcean. I encounter a problem that almost last an hour, making my website inaccessible to the public. The problem is when I tried to update my server, using yum update.

Then, there was an error popping up when you restart your server saying:

AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using ::1. Set the 'ServerName' directive globally to suppress this message.

I thought, this was the culprit of the error – but it’s not.

When, you’re going deep to this problem –  checking the /var/log/httpd/error_log file, you will discover an error saying:

(13) Permission denied: AH00091: httpd: could not open error log file /var/log/gamingph-error.log. AH00051: Unable to open logs.

You’ll probably solution comes to your mind is the write permission of the file. Either by fixing it with chown, chmod and etc. Well, that’s not the case here. The culprit is the SELinux in which it is very strict with file access to your log files.

Some other people remedies is by disable the SELinux and the error won’t come up. Disadvantage of it is, it will make your server not so secure.

How to fix without disable SELinux?

Well, here is it how to fix. This is actually documented on it’s official website. So I’ll show you how.

To troubleshoot the problem, you have to see what are the process SELinux is denying. You have to run the audit2allow.

audit2allow -a

This will show all the list of SELinux has been blocked since your server is running. Example output:

#=================== httpd_t ====================
allow httpd_t httpd_log_t:file unlink;

$!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:dir write;

$!!! This avc can be allowed using the boolean 'httpd_execmem'
allow httpd_t self:process execmem;
allow httpd_t var_log_t:file open;

Based on the output, the last suggestion was the culprit of the problem. To show more details of the error. You can do grep to expand it.

grep '{ open }' /var/log/audit/audit.log

This will output all the details.

type=AVC msg=audit(1526052741.062:396074): avc:  denied  { open } for pid=1597 comm="httpd" path="/var/log/gamingph-error.log" dev="vda1" ino=8951259 scontext=system_u:system_r:httpd_t:s0 tcontext=system_uj:object_r:var_log_t:s0 tclass=file

The problem is in the error file that your httpd apache is unable to access it.

To fix it, let’s create a SELinux policy package that we can run to fix the error. We have to use grep in order to sort out the error to the open file issue with var_log_t file.

grep '{ open }' /var/log/audit/audit.log | audit2allow -a -M certnamepolicy

It will now create a pp file and what you have to do is activate it.

semodule -i certnamepolicy.pp

That’s it! The error should be gone now. Just restart your apache and your site should be working!

Bonus! You may also fixed the execmem issue by enabling it. Or doing the same above, replacing the { open } with { execmem }

setsebool -P virt_use_execmem 1

Leave a Comment

trabzon escort yalova escort Samsun escort izmit escort nazilli escort