CGI on user directory

Yuichi Nakamura himainu-ynakam at
Mon May 9 21:43:09 UTC 2005

Daniel J Walsh  wrote:
> Yuichi Nakamura wrote:
> >On FC4 test2 with targeted policy(selinux-policy-targeted-1.23.14-2),
> >I tried to run CGI on user home directory.
> >
> >After checked it run on permissive mode, 
> >chcon like following.
> >chcon -R system_u:object_r:httpd_sys_script_exec_t ~/public_html/cgi-bin/
> >
> >I found it does not work on enforcing mode.
> >After I add  "allow httpd_suexec_t user_home_t:dir { read };"
> >it worked. 
> >Please add it to apache.te
> What is the context of ~/public_html ?

context of public_html is 
$ ls -Z /home/ynakam/
drwxrwxr-x  ynakam   ynakam   user_u:object_r:httpd_user_content_t public_html

Entry in  audit.log is 
type=KERNEL msg=audit(1115674284.731:1699441): avc:  denied  { search } for  name=ynakam dev=hda5 ino=32719 scontext=system_u:system_r:httpd_suexec_t tcontext=user_u:object_r:user_home_dir_t tclass=dir

Yuichi Nakamura

More information about the fedora-selinux-list mailing list