[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Another Apache problem



David Hampton wrote:

I noticed that I had "r_dir_file(httpd_t, httpdcontent)" in my
domains/misc/local.te file so I removed it.  After I did this I started
getting avc errors for all web access to my server.  Audit2allow says I
need:

allow httpd_t httpd_sys_content_t:dir { getattr search };
allow httpd_t httpd_sys_content_t:file { getattr read };

Poking through the policy sources, it appears that httpd_t no longer has
permission to read files with the httpdcontent attribute.  Grep shows
only this one place where httpd_t gets permission to read the content...

./domains/program/apache.te:create_dir_file(httpd_t, httpdcontent)

...but this line is protected by what looks like a four way conditional
and doesn't appear to have any effect.  Would it make sense to add
unconditional read access to httpd before checking/allowing write and
execute access on the files?

My system is an FC3 base running with Daniel Walsh's 1.23.6-1 strict
policy.

David


--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
http://www.redhat.com/mailman/listinfo/fedora-selinux-list


Do you have httpd_unified && httpd_enable_cgi && httpd_builtin_scripting turned on?

getsebool -a | grep httpd

setsebool -P httpd_enable_cgi=1 httpd_unified=1 httpd_builtin_scripting=1
Will turn it on.



--



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]