SELinux & apache/httpd access to /home/*/www
Daniel J Walsh
dwalsh at redhat.com
Fri Sep 17 11:31:32 UTC 2004
Cream[DONut] wrote:
> Daniel J Walsh wrote:
> > 1. In order to maintain the SELinux protection on Apache, you could
> > change the context of the directrory and files you wish to share.
> > a chcon -t -R httpd_user_content_t /home/*/www
> > b Then restart apache and try to access the pages. service
> > httpd restart
>
> I assume you mean "chcon -R -t httpd_user_content_t /home/*/www",
> since the context you posted doesnt work. But it doesnt fix the
> problem, apache still cant i still get "DocumentRoot
> [/home/xxxxxx/www] does not exist".
What are the AVC messages you are seeing in the /var/log/messages file.
>
> la -latZ /home/
> drwxr-x--- xxxxxx apache system_u:object_r:user_home_dir_t xxxxxx
>
> ls -latZ /home/xxxxxx
> drwxr-xr-x xxxxxx xxxxxx system_u:object_r:httpd_user_content_t www
>
> I checked that the apache user could open the files, even in enforcing
> targeted mode
>
> >
> > 2. You can disable SELinux protextion for apache.
> > a. Run selinux-config-securitylevel and select the SELinux tab.
> > b. In the Modify SELinux Policy box, select the transitions list
> > item and expand.
> > c. Check the Disable SELinux protection for httpd daemon line.
> > d. Click ok
> > e. Restart apache
> > service httpd restart
>
> Do you mean system-config-securitylevel? because i dont have any
> selinux-config-securitylevel, but my system-config-securitylevel
> doesnt display any SELinux related stuff. (I prefer to edit the
> configs in emacs, it seems to give me a better picture of how it works).
>
Yes system-config-securitylevel, you need to upgrade to a newer version.
But you can edit the booleans file in /etc/selinux/targeted/booleans
if you like and add a boolean
http_disable_trans=1, then type "setsebool http_disable_trans 1". Stop
and restart the http service.
> Still not sure how to disable auditing of the httpd in targeted mode.
>
>
>
> > 3. Disable SELinux
> > a. Run selinux-config-securitylevel and select the SELinux tab.
> > b. UnClick Enabled
> > c. Click Ok
> > d. Reboot.
>
> or SELINUX=disabled in /etc/selinux/config,
> or selinux=0 in the boot config,
> but I'd like to give SELinux a try. (at the moment targeted mode seems
> to be the right one for me)
>
Get the AVC messages and we can get it working.
audit2allow -i /var/log/messages
>
>
> Stephen Smalley wrote:
> > audit2allow -v -d will generate allow rules from the audit messages
> > generated by any denials, or you can inspect dmesg output or
> > /var/log/messages directly for lines that have "avc: denied...".
>
> I figured if i ran the system in strict & permissive mode, and then
> ran the system trough the paces it would be expected to do in normal
> day operations, I would be able to build a good "seed file".
>
> I havent been able to find any page discribing what to do with that
> file, but im guessing it should somehow be used in
> /etc/selinux/strict/src/policy.
>
> (the system halts during booting if its in strict & enforcing mode)
>
>
>
> > ls -aZ /home/[name]/www will show you the current security contexts on
> > the directory and its files.
>
> handy, thanks
>
>
>
> > One possible cause would be that the filesystem type for /home doesn't
> > support extended attributes (e.g. NFS) and thus SELinux couldn't label
> > /home/[name]/www with the expected type.
>
> /home is not NFS, its ext3
>
>
> Thanks for taking the time to respond to my initial post.
> Kris
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
More information about the fedora-selinux-list
mailing list