Making content readable by httpd

Ian Pilcher i.pilcher at comcast.net
Fri Nov 12 17:32:16 UTC 2004


Daniel J Walsh wrote:
> Look for AVC Messages in the /var/log/messages file.

I should have posted those before.  Here is an example of what happens
when httpd tries to access the reiserfs filesystem:

Nov 11 23:33:38 home kernel: audit(1100237618.326:0): avc:  denied  { search } for  pid=9106 exe=/usr/sbin/httpd dev=md5 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir

Nov 11 23:33:38 home kernel: audit(1100237618.326:0): avc:  denied  { getattr } for  pid=9106 exe=/usr/sbin/httpd path=/mnt/music1 dev=md5 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir

> You can run audit2allow -l -i /var/log/messages

Here's what audit2allow says about it:

allow httpd_t bin_t:lnk_file { read };
allow httpd_t nfs_t:dir { getattr search };
allow httpd_t user_home_t:file { getattr read };

> Then you can customize policy to allow these.

To my *very* inexpert eye, it looks like audit2allow is telling me to
loosen the restrictions on httpd.  I suppose that this is an option (as
is turning SELinux off entirely for httpd), but I really want to figure out
what contexts I need to add to the music filesystems to make them
accessible by httpd under the present policy.

Thanks!

-- 
========================================================================
Ian Pilcher                                        i.pilcher at comcast.net
========================================================================




More information about the fedora-selinux-list mailing list