SELinux & apache/httpd access to /home/*/www

[Cream[DONut]]

Daniel J Walsh wrote:
 > 1. In order to maintain the SELinux protection on Apache, you could
 > change the context of the directrory and files you wish to share.
 >    a chcon -t  -R httpd_user_content_t /home/*/www
 >    b Then restart apache and try to access the pages.       service
 > httpd restart

I assume you mean "chcon -R -t httpd_user_content_t /home/*/www", since 
the context you posted doesnt work. But it doesnt fix the problem, 
apache still cant i still get "DocumentRoot [/home/xxxxxx/www] does not 
exist".

la -latZ /home/
drwxr-x---  xxxxxx   apache   system_u:object_r:user_home_dir_t xxxxxx

ls -latZ /home/xxxxxx
drwxr-xr-x  xxxxxx   xxxxxx   system_u:object_r:httpd_user_content_t www

I checked that the apache user could open the files, even in enforcing 
targeted mode

 >
 > 2.  You can disable SELinux protextion for apache.
 >      a. Run selinux-config-securitylevel and select the SELinux tab.
 >      b. In the Modify SELinux Policy box, select the transitions list
 > item and expand.
 >      c. Check the Disable SELinux protection for httpd daemon line.
 >      d. Click ok
 >      e. Restart apache
 >         service httpd restart

Do you mean system-config-securitylevel? because i dont have any 
selinux-config-securitylevel, but my system-config-securitylevel doesnt 
display any SELinux related stuff. (I prefer to edit the configs in 
emacs, it seems to give me a better picture of how it works).

Still not sure how to disable auditing of the httpd in targeted mode.



 > 3.  Disable SELinux
 >       a. Run selinux-config-securitylevel and select the SELinux tab.
 >       b. UnClick Enabled
 >       c. Click Ok
 >       d. Reboot.

or SELINUX=disabled in /etc/selinux/config,
or selinux=0 in the boot config,
but I'd like to give SELinux a try. (at the moment targeted mode seems 
to be the right one for me)



Stephen Smalley wrote:
 > audit2allow -v -d will generate allow rules from the audit messages
 > generated by any denials, or you can inspect dmesg output or
 > /var/log/messages directly for lines that have "avc:  denied...".

I figured if i ran the system in strict & permissive mode, and then ran 
the system trough the paces it would be expected to do in normal day 
operations, I would be able to build a good "seed file".

I havent been able to find any page discribing what to do with that 
file, but im guessing it should somehow be used in 
/etc/selinux/strict/src/policy.

(the system halts during booting if its in strict & enforcing mode)



 > ls -aZ /home/[name]/www will show you the current security contexts on
 > the directory and its files.

handy, thanks



 > One possible cause would be that the filesystem type for /home doesn't
 > support extended attributes (e.g. NFS) and thus SELinux couldn't label
 > /home/[name]/www with the expected type.

/home is not NFS, its ext3


Thanks for taking the time to respond to my initial post.
Kris