Selinux permissions for aliased httpd directories

Simon Andrews simon.andrews at bbsrc.ac.uk
Thu Jun 2 15:03:08 UTC 2005


I'm trying to set up an alias within httpd to a set of directories 
outside the normal document root.  I can set this up OK, but when I try 
to access it I get selinux errors and a 403 forbidden response.

Jun  2 15:59:42 server1 kernel: audit(1117724382.438:0): avc:  denied  { search } for  pid=4757 exe=/usr/sbin/httpd name=/ dev=sda9 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
Jun  2 15:59:42 server1 kernel: audit(1117724382.438:0): avc:  denied  { getattr } for  pid=4757 exe=/usr/sbin/httpd path=/data dev=sda9 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir

The directories I want to access are under /data/private/ and I tried to 
permit this by using:

chcon -R -t httpd_sys_content_t dirname/

on static directories, and

chcon -R -t httpd_sys_script_exec_t dirname/

on cgi directories


...but I still get errors at the levels below that (/ and /data/).  I 
don't really want all of these accessible, and I don't really want to 
turn off selinux altogether.

I'd therefore like either:

1) To find a way to not have httpd try to read / and /data (why is it 
doing this anyway?  It doesn't seem to need this to get to /var/www)

2) A suitable change to the selinux policy to allow httpd to traverse 
the lower level directories

3) I'd settle for a way to disable selinux altogether for the /data 
partition (though I can't help feeling this is a bit of a cop out!)

Cheers

Simon.
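A small triage helper for denials like the ones above, added here as an example and not part of the original post or of any Fedora tooling. It parses the two AVC lines from the post (embedded as constructed sample input), pulls out the denied permission, the object, the source and target types and the object class, and flags targets labelled file_t, the type SELinux gives files that carry no label at all. The hint it prints assumes the post's own label choice (httpd_sys_content_t) for the parent directories.

```shell
# Constructed sample: the two AVC denials from the post, one per line.
AVC_SAMPLE='Jun  2 15:59:42 server1 kernel: audit(1117724382.438:0): avc:  denied  { search } for  pid=4757 exe=/usr/sbin/httpd name=/ dev=sda9 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
Jun  2 15:59:42 server1 kernel: audit(1117724382.438:0): avc:  denied  { getattr } for  pid=4757 exe=/usr/sbin/httpd path=/data dev=sda9 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir'

# summarise_avc: read AVC lines on stdin, print "perm object stype ttype class".
# Context strings are user:role:type[:level]; the type is always the third field.
summarise_avc() {
  awk '
    /avc: +denied/ {
      perm = ""; obj = "?"; stype = ""; ttype = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") perm = $(i + 1)
        else if ($i ~ /^(name|path)=/) { obj = $i; sub(/^[a-z]+=/, "", obj) }
        else if ($i ~ /^scontext=/) { split($i, a, ":"); stype = a[3] }
        else if ($i ~ /^tcontext=/) { split($i, a, ":"); ttype = a[3] }
        else if ($i ~ /^tclass=/) { cls = $i; sub(/^tclass=/, "", cls) }
      }
      print perm, obj, stype, ttype, cls
    }'
}

# explain_denials: turn summarise_avc records into a one-line hint each.
# file_t means the object has no label, so relabelling (not a policy change)
# is the first thing to try; chcon without -R touches only the directory itself.
explain_denials() {
  while read -r perm obj stype ttype cls; do
    case "$ttype" in
      file_t) echo "$obj is unlabeled ($ttype): chcon -t httpd_sys_content_t '$obj' (non-recursive) lets $stype $perm it" ;;
      *)      echo "$stype denied $perm on $cls $obj (type $ttype): check its label or the policy" ;;
    esac
  done
}

# Usage (hypothetical): printf '%s\n' "$AVC_SAMPLE" | summarise_avc | explain_denials
# Real logs: grep 'avc:  denied' /var/log/messages | summarise_avc | explain_denials
```

Note that both denials carry dev=sda9 ino=2, the root inode of the filesystem on sda9, so "name=/" here is the top of the /data mount rather than the system root; labelling /data itself (and /data/private, without -R) is enough for httpd to traverse down to the aliased directories.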



