SELinux/httpd integration
Joe Orton
jorton at redhat.com
Tue Nov 16 20:33:17 UTC 2004
On Tue, Nov 16, 2004 at 01:56:56PM -0500, Colin Walters wrote:
> On Tue, 2004-11-16 at 13:21 +0000, Joe Orton wrote:
> > I think one thing that would help would be making the sets of example
> > httpd module configurations self-documenting w.r.t. SELinux for some
> > of the modules.
>
> It would be nice to go through more possible configurations and try
> them; so far we've only done a few.
I'll try to go through more of the modules in /etc/httpd/conf.d/*.conf.
> > So for instance, how do I get Subversion/mod_dav_svn working with an
> > SELinux-enabled httpd? Can we make it such that an SVN repos is as easy
> > to set up as:
> >
> > # cd /src/svn
> > # svnadmin create mystuff
> > # vi /etc/httpd/conf.d/subversion.conf
> > - uncomment the defaults?
>
> Well, given that the path /src/ doesn't exist by default right now, we
> can't ensure it's labeled correctly out of the box. Maybe we could have
> default configuration use /var/www/.
That would work too.
> > A more generic example would be if we provide a /srv/www directory or
> > something to which the httpd domain is allowed read+write access by
> > default; somewhere to put the PHP webapps.
>
> /srv/www should probably just be labeled the same as /var/www by
> default. Since the default label is httpd_sys_content_t, which in the
> default boolean set httpd_t is allowed to write to, PHP apps storing
> e.g. a SQLite database there should work.
httpd_t *cannot* write to anything labelled with httpd_sys_content_t by
default, surely - that's the whole problem?
When I set up /var/www/svn as above, I get AVC messages like:
audit(1100636258.341:0): avc: denied { write } for pid=21318
exe=/usr/sbin/httpd name=__db.001 dev=hda2 ino=3169309
scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file
joe
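The AVC denial Joe pastes above is the kind of record an administrator has to read to tell a labelling problem apart from a genuine policy violation. As an added example (not part of the thread, and not code from the Fedora SELinux or httpd projects), the Python below parses old-style `audit(...)` AVC lines of that shape, pulls out the source and target SELinux types, and flags the specific case discussed here: httpd_t being denied a write permission on a file labelled httpd_sys_content_t. The sample line is the one from the message, reassembled onto a single line as it would appear in the log. The mention of httpd_sys_rw_content_t as the writable content type is an assumption about current targeted policy, not something the thread states.

```python
import re
from dataclasses import dataclass

# Constructed sample: the denial quoted in the message above, joined back into
# one line as the kernel would have logged it in /var/log/messages.
SAMPLE_AVC = (
    "audit(1100636258.341:0): avc: denied { write } for pid=21318 "
    "exe=/usr/sbin/httpd name=__db.001 dev=hda2 ino=3169309 "
    "scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file"
)

# "avc: denied { perm perm ... } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Permissions on a file object that imply the subject wants to modify it.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}


@dataclass
class AvcRecord:
    decision: str          # "denied" or "granted"
    perms: tuple           # permissions named inside the braces
    fields: dict           # key=value pairs after "for"

    @property
    def source_type(self) -> str:
        # scontext is user:role:type (MLS range may follow on newer systems)
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]


def parse_avc(line: str):
    """Parse one AVC line; return an AvcRecord or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = tuple(m.group("perms").split())
    fields = dict(FIELD_RE.findall(m.group("fields")))
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return AvcRecord(m.group("decision"), perms, fields)


def explain_httpd_denial(rec):
    """Diagnose the labelling case from the thread: httpd_t denied a write
    permission on read-only web content. Returns a message, or None if the
    record is some other kind of denial."""
    if rec is None or rec.decision != "denied":
        return None
    if rec.source_type != "httpd_t" or rec.target_type != "httpd_sys_content_t":
        return None
    if not WRITE_PERMS & set(rec.perms):
        return None
    return (
        f"httpd_t was denied {'/'.join(rec.perms)} on {rec.fields.get('name', '?')} "
        f"(tclass={rec.fields.get('tclass', '?')}) labelled httpd_sys_content_t, "
        "which the default policy treats as read-only content. Files httpd must "
        "modify need a writable content type instead (assumed here to be "
        "httpd_sys_rw_content_t in current targeted policy), not a policy change."
    )


if __name__ == "__main__":
    record = parse_avc(SAMPLE_AVC)
    print(record)
    print(explain_httpd_denial(record))
```

The check deliberately keys on the *type* fields only, so the same diagnosis fires regardless of the user and role portions of the context (root:system_r here, system_u:system_r on most boxes), and it returns None for anything that is not the httpd read-only-content case so that unrelated denials are not misreported.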