SELinux: home dir is symlink, httpd from files in home dir

Nick Urbanik nicku at nicku.org
Thu Jan 20 03:44:05 UTC 2005 

Thank you very much for your very helpful reply, Colin.

On Wed, Jan 19, 2005 at 09:48:30PM -0500, Colin Walters wrote:
> On Thu, 2005-01-20 at 11:23 +1100, Nick Urbanik wrote:
> > Dear Folks,
> > 
> > I'm totally new to SELinux, and am quite confused on a number of
> > points.
> > 
> > I took the plunge and enabled SELinux on this FC3 box.
> > Problem is with Apache. 
> 
> Have you read the Fedora Apache guide?

Thank you, yes, it is very helpful.

> http://fedora.redhat.com/docs/selinux-apache-fc3/
> 
> It's slightly out of date but still informative, I think.

Thanks.  I have finally got everything to work, and now will make it
work more securely.

> >  I have symlinks pointing to my home
> > directory,
> 
> This will cause a number of problems.  Many programs are given the
> permissions 'getattr' and 'search' on user_home_dir_t:dir, so they can
> access the toplevel home directory but not necessarily anything
> contained in it.  The ":dir" part here is important, as it means the
> permissions are restricted to directories with that type; symlinks are
> not allowed.
> 
> I wonder why you're symlinking into /opt,

I have a 512 gigabyte 3ware raid partition, and am using it for many
different purposes, and had used symlinks to access it.  I'm changing
it to mount as you sensibly suggest.

> but assuming for now that's what you have to do, one solution might
> be to use bind mounts instead of symlinks:
> 
> rm /home/nicku
> mkdir /home/nicku
> mount -obind /opt/nicku /home/nicku
> 
> You can add the bind mount to /etc/fstab so it's done automatically.

That's a wonderful idea!  The mount man page indicates that I can use

mount --move /opt/nicku /home/nicku

to achieve exactly what I wanted originally.  Does that work well?

> Yeah; use misc/local.te instead, or the like.  te files in program
> require a corresponding .fc file to be enabled.

Yes, I finally realised that's where it should go.
-- 
Nick Urbanik   RHCE       http://nicku.org          nicku(at)nicku.org
Proud ex-member of Dept. of Information & Communications Technology in
Hong Kong IVE (Tsing Yi), Home of Visual Paradigm: Jolt Productivity
Award winner, programmed by ICT's own graduates!
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24    ID: BB9D2C24
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20050120/0b0ab8ce/attachment.sig>

More information about the fedora-selinux-list mailing list