[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Selinux permissions for aliased httpd directories



Simon Andrews wrote:

I'm trying to set up an alias within httpd to a set of directories outside the normal document root. I can set this up OK, but when I try to access it I get selinux errors and a 403 forbidden response.

Jun 2 15:59:42 server1 kernel: audit(1117724382.438:0): avc: denied { search } for pid=4757 exe=/usr/sbin/httpd name=/ dev=sda9 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
Jun 2 15:59:42 server1 kernel: audit(1117724382.438:0): avc: denied { getattr } for pid=4757 exe=/usr/sbin/httpd path=/data dev=sda9 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir


The directories I want to access are under /data/private/ and I tried to permit this by using:

chcon -R -t httpd_sys_content_t dirname/

on static directories, and

chcon -R -t httpd_sys_script_exec_t dirname/

on cgi directories


..but I still get errors at the levels below that (/ and /data/). I don't really want all of these accessible, and I don't really want to turn off selinux altogether.


I'd therefore like either:

1) To find a way to not have httpd try to read / and /data (why is it doing this anyway? It doesn't seem to need this to get to /var/www)

2) A suitable change to the selinux policy to allow httpd to traverse the lower level directories

3) I'd settle for a way to disable selinux altogether for the /data partition (though I can't help feeling this is a bit of a cop out!)

Cheers

Simon.

file_t indicates that the file system has not been labeled.  Do a
restorecon -R -v /data

You might need to label /data as var_t.

--



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]