SELinux & apache/httpd access to /home/*/www
Cream[DONut]
lists at donut.dk
Fri Sep 17 00:18:22 UTC 2004
Daniel J Walsh wrote:
> 1. In order to maintain the SELinux protection on Apache, you could
> change the context of the directrory and files you wish to share.
> a chcon -t -R httpd_user_content_t /home/*/www
> b Then restart apache and try to access the pages. service
> httpd restart
I assume you mean "chcon -R -t httpd_user_content_t /home/*/www", since
the context you posted doesnt work. But it doesnt fix the problem,
apache still cant i still get "DocumentRoot [/home/xxxxxx/www] does not
exist".
la -latZ /home/
drwxr-x--- xxxxxx apache system_u:object_r:user_home_dir_t xxxxxx
ls -latZ /home/xxxxxx
drwxr-xr-x xxxxxx xxxxxx system_u:object_r:httpd_user_content_t www
I checked that the apache user could open the files, even in enforcing
targeted mode
>
> 2. You can disable SELinux protextion for apache.
> a. Run selinux-config-securitylevel and select the SELinux tab.
> b. In the Modify SELinux Policy box, select the transitions list
> item and expand.
> c. Check the Disable SELinux protection for httpd daemon line.
> d. Click ok
> e. Restart apache
> service httpd restart
Do you mean system-config-securitylevel? because i dont have any
selinux-config-securitylevel, but my system-config-securitylevel doesnt
display any SELinux related stuff. (I prefer to edit the configs in
emacs, it seems to give me a better picture of how it works).
Still not sure how to disable auditing of the httpd in targeted mode.
> 3. Disable SELinux
> a. Run selinux-config-securitylevel and select the SELinux tab.
> b. UnClick Enabled
> c. Click Ok
> d. Reboot.
or SELINUX=disabled in /etc/selinux/config,
or selinux=0 in the boot config,
but I'd like to give SELinux a try. (at the moment targeted mode seems
to be the right one for me)
Stephen Smalley wrote:
> audit2allow -v -d will generate allow rules from the audit messages
> generated by any denials, or you can inspect dmesg output or
> /var/log/messages directly for lines that have "avc: denied...".
I figured if i ran the system in strict & permissive mode, and then ran
the system trough the paces it would be expected to do in normal day
operations, I would be able to build a good "seed file".
I havent been able to find any page discribing what to do with that
file, but im guessing it should somehow be used in
/etc/selinux/strict/src/policy.
(the system halts during booting if its in strict & enforcing mode)
> ls -aZ /home/[name]/www will show you the current security contexts on
> the directory and its files.
handy, thanks
> One possible cause would be that the filesystem type for /home doesn't
> support extended attributes (e.g. NFS) and thus SELinux couldn't label
> /home/[name]/www with the expected type.
/home is not NFS, its ext3
Thanks for taking the time to respond to my initial post.
Kris
More information about the fedora-selinux-list
mailing list