Hi.

On Wed, Oct 17, 2018 at 06:33:09AM +0200, steve wrote:
> On 16-10-2018, at 09:51:22 +0300, Reco wrote:
>
> > Hi.
> >
> > On Tue, Oct 16, 2018 at 07:31:17AM +0200, steve wrote:
> > > Hi there,
> > >
> > > Purged and then reinstalled apache2 and when I want to start apache2,
> > > here's what I get:
> > >
> > > # systemctl status apache2.service
> > > ● apache2.service - The Apache HTTP Server
> > > Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor
> > > preset: enabled)
> > > Active: failed (Result: exit-code) since Tue 2018-10-16 07:22:02 CEST;
> > > 13s ago
> > > Process: 32122 ExecStart=/usr/sbin/apachectl start (code=exited,
> > > status=1/FAILURE)
> > >
> > > oct 16 07:22:01 box systemd[1]: Starting The Apache HTTP Server...
> > > oct 16 07:22:01 box apachectl[32122]: apache2: Could not open
> > > configuration file /etc/apache2/apache2.conf: Permission denied
> > > oct 16 07:22:02 box apachectl[32122]: Action 'start' failed.
> > > oct 16 07:22:02 box apachectl[32122]: The Apache error log may have more
> > > information.
> >
> > So, does the 'Apache error log' have anything useful?
>
> Nothing. It's empty.

And that, my dear list, shows us that in that particular case systemd
journal is useless. It was expected though, as it's the usual thing with
it - it's able to tell you that something is wrong, but it never tells
you the actual cause of it.

> > > ls -l /etc/apache2/apache2.conf
> > > -rw-r--r-- 1 root root 7224 jun 2 10:01 /etc/apache2/apache2.conf
> >
> > First things first, it's 'ls -lZ /etc/apache2/apache2.conf'.
>
> # ls -lZ /etc/apache2/apache2.conf
> -rw-r--r-- 1 root root ? 7224 jun 2 10:01 /etc/apache2/apache2.conf

And that shows us that you aren't using SELinux.

> > Next thing to check is 'ls -ald / /etc /etc/apache2'.
>
> # ls -ald /etc/apache2
> drwxr-xr-x 8 root root 4096 oct 16 07:21 /etc/apache2

Original command contains three directories, you show just one.
A hint - all three could be important in this case.

> > And, finally, /var/log/audit/audit.log if you have auditd installed
> > (hint - install it if you don't).
>
> grep apache /var/log/audit/audit.log
>
> type=AVC msg=audit(1539750555.347:76): apparmor="DENIED" operation="open"
> profile="/usr/sbin/apache2" name="/etc/gai.conf" pid=17485 comm="apache2"
> requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=SYSCALL msg=audit(1539750555.347:76): arch=c000003e syscall=2 success=no
> exit=-13 a0=7fe220cac22a a1=80000 a2=1b6 a3=80000 items=0 ppid=17482
> pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="apache2" exe="/usr/sbin/apache2"
> subj==/usr/sbin/apache2 (enforce) key=(null)
> type=AVC msg=audit(1539750555.347:77): apparmor="DENIED" operation="open"
> profile="/usr/sbin/apache2" name="/etc/apache2/apache2.conf" pid=17485
> comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> type=SYSCALL msg=audit(1539750555.347:77): arch=c000003e syscall=2 success=no
> exit=-13 a0=7fe2219b6f70 a1=80000 a2=1b6 a3=ffffffffffffff7f items=0
> ppid=17482 pid=17485 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="apache2"
> exe="/usr/sbin/apache2" subj==/usr/sbin/apache2 (enforce) key=(null)
> type=SERVICE_START msg=audit(1539750555.383:78): pid=1 uid=0 auid=4294967295
> ses=4294967295 subj==unconfined msg='unit=apache2 comm="systemd"
> exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
>
> Seems fine to me.

On the contrary. These show that the apache2 binary was denied from reading
/etc/gai.conf *and* /etc/apache2/apache2.conf by some Mandatory Access
Control (audit record type AVC). Since you're using Debian, I suspect
AppArmor.

First things first, AppArmor (and any kind of MAC) is a good thing,
especially in your typical server environment. They'll suggest that you
disable it - don't. Lowering overall security of your OS is not worth it.

Second, Debian does not provide AppArmor profiles for apache. Whatever
profile is active in your installation is a result of local
misconfiguration.

Third, it's fixable.

Install apparmor-utils.
Invoke 'aa-complain /usr/sbin/apache2'.
Start your apache2 service, stop it and start again. Make some GET/PUT
requests to it.
Invoke 'aa-logprof' and generate an AppArmor profile that's uniquely suited
for your environment.
Invoke 'aa-enforce /usr/sbin/apache2', and you're set.

Reco
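
The following is an added example, not part of the original message or of any Debian or AppArmor tooling: a small Python script that groups the AppArmor denials in an audit.log by profile and path, so that blocked reads like the two quoted above are visible at a glance. The function name, the third sample record and its path are constructed for illustration; the hex decoding assumes that the audit subsystem writes a name= value containing spaces or other unsafe characters as bare hex instead of a quoted string.

```python
import re
from collections import defaultdict

# key=value pairs; a value is either "quoted" or a bare token.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed path with a space, to exercise the bare-hex form of name=.
HEX_NAME = "/var/www/my site/index.html".encode().hex().upper()

# Records 1, 2 and 4 are from the post (unwrapped to one line each);
# record 3 is constructed.
SAMPLE_LOG = f"""\
type=AVC msg=audit(1539750555.347:76): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/gai.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1539750555.347:77): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/etc/apache2/apache2.conf" pid=17485 comm="apache2" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1539750600.000:90): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name={HEX_NAME} pid=17490 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
type=SERVICE_START msg=audit(1539750555.383:78): pid=1 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='unit=apache2 comm="systemd" exe="/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
"""


def denied_by_profile(log_text):
    """Return {profile: {path: set of denied permission letters}}."""
    result = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("apparmor") != '"DENIED"':
            continue  # not an AppArmor denial (SYSCALL, SERVICE_START, ...)
        name = fields.get("name", "")
        if name.startswith('"'):
            name = name[1:-1]
        elif re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", name):
            # Bare hex: decode back to the real path.
            name = bytes.fromhex(name).decode("utf-8", "replace")
        profile = fields.get("profile", '"?"').strip('"')
        mask = fields.get("denied_mask", "").strip('"')
        result[profile][name].update(mask)
    return {p: dict(paths) for p, paths in result.items()}


if __name__ == "__main__":
    for profile, paths in denied_by_profile(SAMPLE_LOG).items():
        print(f"profile {profile}")
        for path, mask in sorted(paths.items()):
            print(f"  denied {''.join(sorted(mask))}  {path}")
```

Running it against the real file (as root, passing the contents of /var/log/audit/audit.log to `denied_by_profile`) before and after the 'aa-logprof' step shows whether the regenerated profile still blocks anything the service needs.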