SELinux & apache/httpd access to /home/*/www

Daniel J Walsh dwalsh at redhat.com
Fri Sep 17 11:31:32 UTC 2004


Cream[DONut] wrote:

> Daniel J Walsh wrote:
> > 1. In order to maintain the SELinux protection on Apache, you could
> > change the context of the directory and files you wish to share.
> >    a chcon -t  -R httpd_user_content_t /home/*/www
> >    b Then restart apache and try to access the pages.       service
> > httpd restart
>
> I assume you mean "chcon -R -t httpd_user_content_t /home/*/www", 
> since the context you posted doesn't work. But it doesn't fix the 
> problem, apache still can't; I still get "DocumentRoot 
> [/home/xxxxxx/www] does not exist".

What are the AVC messages you are seeing in the /var/log/messages file.

>
> ls -latZ /home/
> drwxr-x---  xxxxxx   apache   system_u:object_r:user_home_dir_t xxxxxx
>
> ls -latZ /home/xxxxxx
> drwxr-xr-x  xxxxxx   xxxxxx   system_u:object_r:httpd_user_content_t www
>
> I checked that the apache user could open the files, even in enforcing 
> targeted mode
>
> >
> > 2.  You can disable SELinux protection for apache.
> >      a. Run selinux-config-securitylevel and select the SELinux tab.
> >      b. In the Modify SELinux Policy box, select the transitions list
> > item and expand.
> >      c. Check the Disable SELinux protection for httpd daemon line.
> >      d. Click ok
> >      e. Restart apache
> >         service httpd restart
>
> Do you mean system-config-securitylevel? Because I don't have any 
> selinux-config-securitylevel, but my system-config-securitylevel 
> doesn't display any SELinux related stuff. (I prefer to edit the 
> configs in emacs, it seems to give me a better picture of how it works).
>
Yes, system-config-securitylevel; you need to upgrade to a newer version.
But you can edit the booleans file in /etc/selinux/targeted/booleans 
if you like and add a boolean
http_disable_trans=1, then type "setsebool http_disable_trans 1". Stop 
and restart the http service. 

> Still not sure how to disable auditing of the httpd in targeted mode.
>
>
>
> > 3.  Disable SELinux
> >       a. Run selinux-config-securitylevel and select the SELinux tab.
> >       b. UnClick Enabled
> >       c. Click Ok
> >       d. Reboot.
>
> or SELINUX=disabled in /etc/selinux/config,
> or selinux=0 in the boot config,
> but I'd like to give SELinux a try. (at the moment targeted mode seems 
> to be the right one for me)
>
Get the AVC messages and we can get it working. 
audit2allow -i /var/log/messages

>
>
> Stephen Smalley wrote:
> > audit2allow -v -d will generate allow rules from the audit messages
> > generated by any denials, or you can inspect dmesg output or
> > /var/log/messages directly for lines that have "avc:  denied...".
>
> I figured if I ran the system in strict & permissive mode, and then 
> ran the system through the paces it would be expected to do in normal 
> day operations, I would be able to build a good "seed file".
>
> I haven't been able to find any page describing what to do with that 
> file, but I'm guessing it should somehow be used in 
> /etc/selinux/strict/src/policy.
>
> (the system halts during booting if it's in strict & enforcing mode)
>
>
>
> > ls -aZ /home/[name]/www will show you the current security contexts on
> > the directory and its files.
>
> handy, thanks
>
>
>
> > One possible cause would be that the filesystem type for /home doesn't
> > support extended attributes (e.g. NFS) and thus SELinux couldn't label
> > /home/[name]/www with the expected type.
>
> /home is not NFS, it's ext3
>
>
> Thanks for taking the time to respond to my initial post.
> Kris
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
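Added example, not code from Daniel, Kris, Stephen or the list: the manual step both replies point at (pull the "avc:  denied" lines out of /var/log/messages and read off which source type was denied which permission on which target type) done with plain sh and awk, so you can see what audit2allow would be working from before you hand it the file. The SAMPLE_LOG lines are constructed to resemble 2004-era /var/log/messages entries; the host name, pids, inodes, paths and contexts in them are made up. Nothing here changes the system; it only reads log text.

```shell
#!/bin/sh
# Added example, not code from the thread. Reduces each AVC denial in a
# syslog stream to the tuple audit2allow turns into an allow rule:
# source type, target type, object class, permission(s).
# SAMPLE_LOG is CONSTRUCTED: host, pids, inodes, paths and contexts are
# made up to look like /var/log/messages entries of the time.

SAMPLE_LOG='Sep 17 10:42:11 box kernel: audit(1095417731.123:0): avc:  denied  { search } for  pid=2201 exe=/usr/sbin/httpd name=kris dev=hda3 ino=65537 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Sep 17 10:42:11 box kernel: audit(1095417731.124:0): avc:  denied  { getattr } for  pid=2201 exe=/usr/sbin/httpd path=/home/kris dev=hda3 ino=65537 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Sep 17 10:42:12 box kernel: audit(1095417732.001:0): avc:  granted  { read } for  pid=2201 exe=/usr/sbin/httpd path=/home/kris/www/index.html dev=hda3 ino=65601 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_user_content_t tclass=file
Sep 17 10:42:13 box sshd[2300]: Accepted publickey for kris from 10.0.0.5 port 51022 ssh2'

# avc_denials: read syslog lines on stdin, keep only AVC denials (granted
# and non-AVC lines are skipped), and print one line per denial:
#   "<source type> <target type> <tclass> <permissions>"
avc_denials() {
    grep 'avc:  denied' | awk '
    {
        perms = ""; s = ""; t = ""; c = ""
        # the permission set sits between braces: { search } or { read write }
        if (match($0, /[{] [^}]* [}]/))
            perms = substr($0, RSTART + 2, RLENGTH - 4)
        # key=value fields; only the contexts and the object class matter here
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      s = substr($i, 10)
            else if ($i ~ /^tcontext=/) t = substr($i, 10)
            else if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        # contexts are user:role:type; the type is what policy rules name
        split(s, sp, ":"); split(t, tp, ":")
        print sp[3], tp[3], c, perms
    }'
}

# count_denials: number of AVC denial lines on stdin
count_denials() {
    avc_denials | awk 'END { print NR }'
}

# denied_target_types: the unique target types named in denials on stdin.
# A type other than httpd_user_content_t showing up here is a label that a
# chcon on /home/*/www alone did not touch (in the sample, the parent
# directory, which httpd must be able to search to reach www underneath).
denied_target_types() {
    avc_denials | awk '{ print $2 }' | sort -u
}

# Stand-alone run over the constructed sample; on a real box you would
# feed it /var/log/messages instead:  avc_denials < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | avc_denials
```

On the sample this prints two lines, both httpd_t against user_home_dir_t on a dir, and the granted read on the httpd_user_content_t file is left out. That is the shape of thing to look for before reaching for audit2allow: a denial on a type you did not relabel tells you where the label, not the Unix permission bits, is stopping Apache.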
