Small bug in apache.fc

Daniel J Walsh dwalsh at redhat.com
Mon Apr 3 17:57:12 UTC 2006


Stephen Smalley wrote:
> On Sat, 2006-04-01 at 18:15 -0500, Harry Hoffman wrote:
>   
>> Hi,
>>
>> apache.fc allows for webroot location to be under /srv but selinux
>> currently stops apache from searching under /srv (at least this seems to
>> be the case to me, but I'm fairly new to selinux).
>>
>> From: file_contexts/program/apache.fc
>> /srv/([^/]*/)?www(/.*)?         system_u:object_r:httpd_sys_content_t
>>
>> a ls -lZ of /  shows:
>> drwxr-xr-x  root     root     system_u:object_r:default_t      srv
>>
>> running audit2allow -i /var/log/messages shows:
>> allow httpd_t default_t:dir search;
>>
>> adding a local.te policy with:
>> allow httpd_t default_t:dir search;
>>
>> fixes the problem and allows httpd to start without issue.
>>     
>
> Better to put a different type on /srv, so that you don't have to expose
> otherwise unspecified directories to searching by httpd.
>
>   
/srv should be labeled var_t.  Not ideal but it would allow it to work.

restorecon /srv
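As an added illustration (not code from the thread or from the SELinux project), the Python sketch below models file-context matching to show why the apache.fc pattern leaves /srv itself as default_t, and how a var_t entry for /srv changes the directory types httpd has to search. Only the /srv/...www pattern is taken from the message; the other entries, the last-match-wins rule and the function names are assumptions of this sketch.

```python
import re
from pathlib import PurePosixPath

# (pattern, type) pairs. Only the /srv/...www pattern is quoted from the
# thread; the other entries are constructed stand-ins for the base policy.
BASE_CONTEXTS = [
    (r"/.*", "default_t"),                                # constructed catch-all
    (r"/", "root_t"),                                     # constructed
    (r"/srv/([^/]*/)?www(/.*)?", "httpd_sys_content_t"),  # from apache.fc
]
# The relabeling suggested in the reply: give /srv itself the type var_t.
FIXED_CONTEXTS = BASE_CONTEXTS + [(r"/srv", "var_t")]


def label_for(path, contexts):
    """Type of the last entry whose pattern matches the whole path.

    File-context patterns are anchored at both ends; "last match wins" is a
    simplification assumed for this sketch.
    """
    label = None
    for pattern, setype in contexts:
        if re.fullmatch(pattern, path):
            label = setype
    return label


def dirs_to_search(path, contexts):
    """(directory, type) for every ancestor directory of path, root first."""
    parents = list(PurePosixPath(path).parents)[::-1]
    return [(str(d), label_for(str(d), contexts)) for d in parents]


def needed_rules(path, contexts, domain="httpd_t"):
    """Directory-search permissions the domain needs to reach path."""
    types = sorted({t for _, t in dirs_to_search(path, contexts)})
    return [f"allow {domain} {t}:dir search;" for t in types]


if __name__ == "__main__":
    target = "/srv/www/index.html"  # constructed sample path
    for name, ctx in (("before", BASE_CONTEXTS), ("after", FIXED_CONTEXTS)):
        print(name, dirs_to_search(target, ctx))
        print("\n".join(needed_rules(target, ctx)))
```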



