SELinux/httpd integration

Daniel J Walsh dwalsh at redhat.com
Tue Nov 16 20:35:49 UTC 2004


Joe Orton wrote:

>On Tue, Nov 16, 2004 at 01:56:56PM -0500, Colin Walters wrote:
>
>>On Tue, 2004-11-16 at 13:21 +0000, Joe Orton wrote:
>>
>>>I think one thing that would help would be making the sets of example
>>>httpd module configurations self-documenting w.r.t. SELinux for some
>>>of the modules.
>>>
>>It would be nice to go through more possible configurations and try
>>them; so far we've only done a few.
>
>I'll try to go through more of the modules in /etc/httpd/conf.d/*.conf.
>
>>>So for instance, how do I get Subversion/mod_dav_svn working with an
>>>SELinux-enabled httpd? Can we make it such that an SVN repos is as easy
>>>to set up as:
>>>
>>># cd /src/svn
>>># svnadmin create mystuff
>>># vi /etc/httpd/conf.d/subversion.conf
>>> - uncomment the defaults?
>>
>>Well, given that the path /src/ doesn't exist by default right now, we
>>can't ensure it's labeled correctly out of the box.  Maybe we could have
>>default configuration use /var/www/.
>
>That would work too.
>
>>>A more generic example would be if we provide a /srv/www directory or
>>>something to which the httpd domain is allowed read+write access by
>>>default; somewhere to put the PHP webapps.
>>
>>/srv/www should probably just be labeled the same as /var/www by
>>default.  Since the default label is httpd_sys_content_t, which in the
>>default boolean set httpd_t is allowed to write to, PHP apps storing
>>e.g. a SQLite database there should work.
>
>httpd_t *cannot* write to anything labelled with httpd_sys_content_t by
>default, surely - that's the whole problem?
>
>When I set up /var/www/svn as above, I get AVC messages like:
>
>audit(1100636258.341:0): avc:  denied  { write } for  pid=21318 exe=/usr/sbin/httpd name=__db.001 dev=hda2 ino=3169309 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file
>
>joe
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Policy has been updated to allow this.  Please update to 
selinux-policy-targeted-1.17.30-2.26 or greater.
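
The denial Joe quotes is the case where the content is labelled correctly for serving but not for writing: httpd_t is the source type, httpd_sys_content_t the target type, and the requested permission is write. As an added example, not code from the thread or from the Fedora policy package, here is a small POSIX shell script that parses AVC denial lines of that shape, flags exactly that combination, and prints the relabel commands a practitioner would use today for the one directory httpd needs to write, rather than letting httpd_t write all of its content. The two sample denials are constructed (the first re-joins the one quoted above on a single line); the function names are mine; and the remediation assumes the httpd_sys_rw_content_t type of current targeted policy, which the 2004 policy in the thread did not have.

```shell
#!/bin/sh
# Added example (not from the thread): pick the "httpd_t writing to
# httpd_sys_content_t" case out of AVC denial lines and emit the relabel
# commands for a directory that httpd legitimately needs to write.
# Both sample denials are constructed; the first re-joins the one quoted
# in the thread on a single line.

SAMPLE_AVC='audit(1100636258.341:0): avc:  denied  { write } for  pid=21318 exe=/usr/sbin/httpd name=__db.001 dev=hda2 ino=3169309 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file'
# Constructed: a read denial on an unrelated type, which the check must ignore.
SAMPLE_AVC_OTHER='audit(1100636300.100:0): avc:  denied  { read } for  pid=21320 exe=/usr/sbin/httpd name=secret dev=hda2 ino=4000 scontext=root:system_r:httpd_t tcontext=root:object_r:var_t tclass=file'

# avc_field LINE NAME: print the value of the key=value token NAME in LINE.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE: print the permission set inside the braces, e.g. "write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_type CONTEXT: the type is the third colon-separated field of a
# security context (user:role:type[:mls]).
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "<perms> <source type> <target type> <class> <name>"
avc_summary() {
    printf '%s %s %s %s %s\n' \
        "$(avc_perms "$1")" \
        "$(avc_type "$(avc_field "$1" scontext)")" \
        "$(avc_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" name)"
}

# is_httpd_content_write LINE: succeed (0) only when httpd_t was denied a
# mutating permission on an object labelled httpd_sys_content_t, i.e. the
# case from the thread where the file label, not the policy, needs changing.
is_httpd_content_write() {
    if [ "$(avc_type "$(avc_field "$1" scontext)")" = httpd_t ] &&
       [ "$(avc_type "$(avc_field "$1" tcontext)")" = httpd_sys_content_t ]; then
        case " $(avc_perms "$1") " in
            *' write '*|*' append '*|*' create '*|*' unlink '*|*' add_name '*|*' remove_name '*)
                return 0 ;;
        esac
    fi
    return 1
}

# suggest_rw_label DIR: print (do not run) the commands that give DIR a
# writable label on current targeted policy. Assumption: the
# httpd_sys_rw_content_t type exists, as it does in modern Fedora/RHEL
# policy; the 2004 policy discussed in the thread predates it.
suggest_rw_label() {
    printf "semanage fcontext -a -t httpd_sys_rw_content_t '%s(/.*)?'\n" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# Stand-alone demo: classify both constructed samples. The AVC record only
# carries the file name and inode, so the directory (/var/www/svn, taken
# from the thread) has to be supplied by the operator.
for line in "$SAMPLE_AVC" "$SAMPLE_AVC_OTHER"; do
    echo "denial: $(avc_summary "$line")"
    if is_httpd_content_write "$line"; then
        echo "  -> relabel the directory holding $(avc_field "$line" name):"
        suggest_rw_label /var/www/svn | sed 's/^/     /'
    else
        echo "  -> not the httpd_sys_content_t write case; investigate separately"
    fi
done
```

After relabelling, `ls -Z /var/www/svn` should show httpd_sys_rw_content_t on the repository tree while the rest of /var/www stays httpd_sys_content_t. The policy update Dan mentions makes the denial go away by widening what httpd_t may write; giving only the directory that must be writable a separate type keeps the read-only content read-only to httpd, which is the least-privilege shape to aim for.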