Why can't apache create log files?

20

Solution 1

I had the same problem just now. @Tim Alexander pointed me in the right direction. Disabling selinux temporarily proved the problem to be with selinux configuration.

So after googling a bit more, I found a suggestion that basically said to make sure to replicate whatever selinux configuration is on /var/www/html on the virtual host directory.

First thing I did, was to reiterate a selinux issue on configuration files I had every now and then, which I blogged about here: http://blog.ciuly.com/my-server/apache-on-linux-could-not-open-configuration-file-permission-denied/

But that wasn't the problem. However, I went into /var/www and issued "ls -Z" which showed

drwxr-xr-x. root      root system_u:object_r:httpd_sys_content_t:s0 html

so all I did now was to

chcon -R system_u:object_r:httpd_sys_content_t:s0 /www/

and refreshing the browser now correctly showed the site index, but still had the "cannot open log file" error in error_log.

I then made a good read (again) through https://wiki.centos.org/HowTos/SELinux

A good idea to run, at this point, is

sealert -a /var/log/audit/audit.log

Although the wiki does say to grep the audit.log and pass only that to sealert, I find that I want to solve all selinux issues, not just the one that is bugging me now :)

Back to our problem at hand, the sealert shows following relevant alert:

SELinux is preventing /usr/sbin/rotatelogs from search access on the directory /etc/httpd

sealert suggests doing the following

#grep rotatelogs /var/log/audit/audit.log | audit2allow -M mypol
#semodule -i mypol.pp

And that indeed solved the log problem.

So there you go, 3 selinux issues I keep getting every year or so when I set up a new site with apache on centos 5.x/6.x and I still need to google it. Every single time.
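An added example, not part of the original answer: before `grep ... | audit2allow -M mypol` turns every matching denial into an allow rule, it helps to list which distinct denials the module would cover. The audit.log lines below are constructed samples, and `sample_audit_log` and `summarize_denials` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample audit.log lines (not taken from the original post).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1379500000.101:211): avc:  denied  { search } for  pid=2101 comm="rotatelogs" name="httpd" dev=dm-0 ino=131 scontext=unconfined_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1379500001.102:212): avc:  denied  { search } for  pid=2102 comm="rotatelogs" name="httpd" dev=dm-0 ino=131 scontext=unconfined_u:system_r:httpd_rotatelogs_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir
type=AVC msg=audit(1379500002.103:213): avc:  denied  { write } for  pid=2103 comm="httpd" name="logs" dev=dm-0 ino=977 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1379500002.103:213): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
EOF
}

# summarize_denials COMM [FILE]   (reads stdin when FILE is omitted)
# Prints one line per distinct denial: count, permission(s), source type, target type, class.
summarize_denials() {
    comm=$1
    file=${2:--}
    awk -v want="comm=\"$comm\"" '
        $1 == "type=AVC" && index($0, want) && / denied / {
            # The denied permissions sit between the braces.
            perms = $0; sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
            s = t = c = ""
            for (i = 1; i <= NF; i++) {
                # Third colon-separated field of a context is the SELinux type.
                if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
                if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
                if ($i ~ /^tclass=/)   { c = substr($i, 8) }
            }
            seen[perms " " s " " t " " c]++
        }
        END { for (k in seen) print seen[k], k }
    ' "$file" | sort
}

# Review what a rotatelogs-only module would permit (constructed data).
sample_audit_log | summarize_denials rotatelogs
```

On a real host the second argument would be /var/log/audit/audit.log; a denial whose target type is a content label on a log directory usually points to a labelling problem rather than a missing allow rule.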

Solution 2

You are creating single files using touch and then you change the file owner via chown. For Apache to create its logfiles itself, write permissions to the containing directory are needed. Use chown -R (capital R = recursive) on the designated log directory.


Newcombe
Author by

Newcombe

Updated on September 18, 2022

Comments

  • Newcombe
    Newcombe over 1 year

    I'm trying to have a script run after a third party script adds some html, for the life of me I can't find a way to run script after something is added.

    I've been trying using delay but it's not working.

    $('#Form1').append('<div id="modal"></div>');
    
    $('.AddToCartConfirmation > div > div').delay(1000).children('div, span').not(':first-child').wrapAll('<div class="orderInfo"></div>');
    
    $('.AddToCartConfirmation > div > div').delay(1000).addClass('cartContents');
    
    $('.ui-dialog-titlebar-close').delay(1000).append('<i class="fas fa-times"></i>');
    
    $("#modal").click(function(){
        $('.ui-dialog.ui-corner-all.ui-widget.ui-widget-content.ui-front.ui-draggable').css({'opcaity':'none','visibility':'hidden'});
        $('a[href="/Cart.html"] img').css('display','none');
        $(this).css({'opcaity':'none','visibility':'hidden'});
    });
    
    • Michael Hampton
      Michael Hampton about 10 years
      Check /var/log/audit/audit.log.
    • user9517
      user9517 about 10 years
      What do your main httpd logs and system audit.log have to say?
    • Leonard Challis
      Leonard Challis about 10 years
      I've updated the question with more details - anything else you need?
    • Admin
      Admin almost 10 years
      Have you got SELinux enabled? I always find it causes issues when I first set up a box. Disabling it as a test, if this is not a live and production system, may yield some info. But only if this is not a LIVE server, mind.
    • Calvin Nunes
      Calvin Nunes over 4 years
      Please, be more specific, I can't understand your goal here. You want something like an observer that keeps checking if some other scripts (that you don't control) add some html/nodes to your DOM, then executes something? What's the idea of delay?
    • Rob Moll
      Rob Moll over 4 years
      You misspelled opacity a couple of times.
  • Leonard Challis
    Leonard Challis about 10 years
    As I said in my question, I don't want apache to have write permission on the whole directory, which is why I created the files. But what I'm asking is why can apache write to the logs, even when owned by root with only user write permission, but it can't create them in the first place?
  • Leonard Challis
    Leonard Challis about 10 years
    ok - I can look at changing the defaults later, but this doesn't explain my question - i.e. why can apache write to log files owned by root, but can't write its own?
  • Felix Frank
    Felix Frank almost 10 years
    Thanks for your feedback. In the future, once you have sufficient reputation, please add notes and workarounds in the form of comments.
  • answer42
    answer42 over 9 years
    @LeonardChallis and the answer is, to create them it needs write permission on the directory.