Making content readable by httpd

Daniel J Walsh dwalsh at redhat.com
Fri Nov 12 18:07:04 UTC 2004


Ian Pilcher wrote:

> Daniel J Walsh wrote:
>
>> Look for AVC Messages in the /var/log/messages file.
>
>
> I should have posted those before.  Here is an example of what happens
> when httpd tries to access the reiserfs filesystem:
>
> Nov 11 23:33:38 home kernel: audit(1100237618.326:0): avc:  denied  { 
> search } for  pid=9106 exe=/usr/sbin/httpd dev=md5 ino=2 
> scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t 
> tclass=dir
>
> Nov 11 23:33:38 home kernel: audit(1100237618.326:0): avc:  denied  { 
> getattr } for  pid=9106 exe=/usr/sbin/httpd path=/mnt/music1 dev=md5 
> ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t 
> tclass=dir
>
>> You can run audit2allow -l -i /var/log/messages
>
>
> Here's what audit2allow says about it:
>
> allow httpd_t bin_t:lnk_file { read };
> allow httpd_t nfs_t:dir { getattr search };
> allow httpd_t user_home_t:file { getattr read };
>
>> Then you can customize policy to allow these.
>
>
> To my *very* inexpert eye, it looks like audit2allow is telling me to
> loosen the restrictions on httpd.  I suppose that this is an option (as
> is turning SELinux off entirely for httpd), but I really want to figure out
> what contexts I need to add to the music filesystems to make them
> accessible by httpd under the present policy.
>
> Thanks!
>
Try the policy on ftp://people.redhat.com/dwalsh/SELinux/ FC3

selinux-policy-targeted-1.17.30-2.23

This is a preview of the one that will be in update 1.  It has allow 
rules for the NFS partition.

Dan
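The thread above turns on reading AVC denials and the rules audit2allow derives from them. The following is an added example, not code from the thread or from the audit2allow tool: a small parser that takes the two denials Ian quoted (plus one constructed bin_t/lnk_file line, marked as such, so grouping across several rules is visible), extracts source type, target type, object class and permissions, and merges them into audit2allow-style allow statements. The point is triage: seeing `allow httpd_t nfs_t:dir { getattr search };` tells you which type httpd is bumping into, which is what you need to decide between relabeling and a policy change, rather than something to drop into local policy unread.

```python
import re
from collections import defaultdict

# Sample /var/log/messages excerpt. The first two lines are the denials
# quoted in the thread; the third is constructed for this example so that
# more than one allow rule comes out of the summary.
SAMPLE_LOG = """\
Nov 11 23:33:38 home kernel: audit(1100237618.326:0): avc:  denied  { search } for  pid=9106 exe=/usr/sbin/httpd dev=md5 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
Nov 11 23:33:38 home kernel: audit(1100237618.326:0): avc:  denied  { getattr } for  pid=9106 exe=/usr/sbin/httpd path=/mnt/music1 dev=md5 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nfs_t tclass=dir
Nov 11 23:33:39 home kernel: audit(1100237618.400:0): avc:  denied  { read } for  pid=9106 exe=/usr/sbin/httpd path=/usr/bin/example dev=hda1 ino=77 scontext=root:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
"""

# Matches the kernel AVC format used in the thread:
#   avc:  denied  { perm perm ... } for  key=value key=value ...
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Return a dict with 'perms' (set) and the key=value fields of one
    AVC denial, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    record = {"perms": set(m.group("perms").split())}
    for token in m.group("fields").split():
        if "=" in token:
            key, value = token.split("=", 1)
            record[key] = value
    return record


def type_of(context):
    """Extract the type field from a user:role:type[:range] context."""
    return context.split(":")[2]


def summarize(log_text):
    """Group denials by (source type, target type, class), merging the
    permission sets, the way audit2allow collapses repeated denials."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        record = parse_avc(line)
        if record is None:
            continue
        if not {"scontext", "tcontext", "tclass"} <= record.keys():
            continue  # malformed or truncated denial; skip rather than guess
        key = (type_of(record["scontext"]),
               type_of(record["tcontext"]),
               record["tclass"])
        rules[key] |= record["perms"]
    return {k: frozenset(v) for k, v in rules.items()}


def format_rules(rules):
    """Render the summary as allow statements, sorted for stable output."""
    out = []
    for src, tgt, cls in sorted(rules):
        perms = " ".join(sorted(rules[(src, tgt, cls)]))
        out.append(f"allow {src} {tgt}:{cls} {{ {perms} }};")
    return out


if __name__ == "__main__":
    for rule in format_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

Run against a real log with `summarize(open("/var/log/messages").read())`. Reading the output, the useful question is why the target carries the type it does: here the target type on a local device (`dev=md5`) is `nfs_t`, and Dan's answer is a policy update rather than a relabel, so the summary is a starting point for that decision, not a rule to apply blindly.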




More information about the fedora-selinux-list mailing list