Selinux permissions for aliased httpd directories
Simon Andrews
simon.andrews at bbsrc.ac.uk
Thu Jun 2 15:03:08 UTC 2005
I'm trying to set up an alias within httpd to a set of directories
outside the normal document root. I can set this up OK, but when I try
to access it I get selinux errors and a 403 forbidden response.
Jun 2 15:59:42 server1 kernel: audit(1117724382.438:0): avc: denied {
search } for pid=4757 exe=/usr/sbin/httpd name=/ dev=sda9 ino=2
scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
Jun 2 15:59:42 server1 kernel: audit(1117724382.438:0): avc: denied {
getattr } for pid=4757 exe=/usr/sbin/httpd path=/data dev=sda9 ino=2
scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
The directories I want to access are under /data/private/ and I tried to
permit this by using:
chcon -R -t httpd_sys_content_t dirname/
on static directories, and
chcon -R -t httpd_sys_script_exec_t dirname/
on cgi directories
..but I still get errors at the levels below that (/ and /data/). I
don't really want all of these accessible, and I don't really want to
turn off selinux altogether.
I'd therefore like either:
1) To find a way to not have httpd try to read / and /data (why is it
doing this anyway? It doesn't seem to need this to get to /var/www)
2) A suitable change to the selinux policy to allow httpd to traverse
the lower level directories
3) I'd settle for a way to disable selinux altogether for the /data
partition (though I can't help feeling this is a bit of a cop out!)
Cheers
Simon.
More information about the fedora-list
mailing list