Allowing apache to access a user folder by using semanage

Josef Meile jmeile at hotmail.com
Wed May 9 12:31:40 UTC 2007


Hi,

I'm trying to allow apache to read a user folder as follows:

% semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"

However I still get:

May  9 13:42:38 my_host kernel: audit(1178710958.544:17691): avc: 
denied  { search } for  pid=4103 comm="httpd" name="data" dev=hda4 
ino=2121605 scontext=user_u:system_r:httpd_t:s0 
tcontext=user_u:object_r:user_home_t:s0 tclass=dir

This is what semanage reports:
% semanage fcontext -l | grep zope
/home/zopeuser/data(/.*)?   all files  system_u:object_r:httpd_t:s0

I know you can do that with audit2allow by generating modules from the 
error messages. Indeed I caught four errors, generated four modules, 
then finally I combined them into this:

---> zopefull.te
module zopefull 1.0;

require {
         type httpd_t;
         type user_home_t;
         class file read;
         class file getattr;
         class lnk_file read;
         class dir search;
}

#============= httpd_t ==============
allow httpd_t user_home_t:file read;
allow httpd_t user_home_t:file getattr;
allow httpd_t user_home_t:lnk_file read;
allow httpd_t user_home_t:dir search;
<--- zopefull.te

Which indeed worked; however, I think it is a complicated and long 
way, and it does much more than what I want; in fact this gives access 
to all user folders to httpd and not just to the desired one. Is it 
possible to do this with semanage? By the way, I'm using Fedora Core 6 
without X and kernel 2.6.20-1.2948.

Best regards
Josef Meile
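As an added example that is not part of the original post, the script below does two things with AVC denial lines like the one quoted above: it collapses a set of denials into the same kind of allow rules that audit2allow produced for the zopefull module, and it flags denials whose target type is not the type the fcontext rule was supposed to apply. In the post, the denial still reports tcontext type user_home_t even though semanage lists a different type for the path; semanage fcontext only records the mapping in the policy database, while the labels on disk are only rewritten by restorecon, so that mismatch is the first thing to check. The sample lines are constructed (the first mirrors the post's denial joined onto one line; the other three are made up to match the four rules in the module) and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample denials. The first mirrors the post's AVC message joined
# onto one line; the remaining three are invented to match the module's rules.
AVC_LINES = [
    'May  9 13:42:38 my_host kernel: audit(1178710958.544:17691): avc:  denied  '
    '{ search } for  pid=4103 comm="httpd" name="data" dev=hda4 ino=2121605 '
    'scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir',
    'May  9 13:42:39 my_host kernel: audit(1178710959.101:17692): avc:  denied  '
    '{ read } for  pid=4103 comm="httpd" name="index.html" dev=hda4 ino=2121610 '
    'scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file',
    'May  9 13:42:39 my_host kernel: audit(1178710959.102:17693): avc:  denied  '
    '{ getattr } for  pid=4103 comm="httpd" path="/home/zopeuser/data/index.html" dev=hda4 '
    'ino=2121610 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file',
    'May  9 13:42:40 my_host kernel: audit(1178710960.250:17694): avc:  denied  '
    '{ read } for  pid=4103 comm="httpd" name="current" dev=hda4 ino=2121611 '
    'scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=lnk_file',
]

# Permissions in braces, then the source/target contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Extract permissions, source type, target type and class from one denial line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type is the third field.
    return {
        "perms": m.group("perms").split(),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def collect_rules(lines):
    """Group denied permissions by (source type, target type, class), like audit2allow does."""
    rules = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d:
            rules[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return rules


def render_te(rules, module="zopefull", version="1.0"):
    """Render the grouped rules as a policy module source (.te) text."""
    types, classes = set(), defaultdict(set)
    for (s, t, c), perms in rules.items():
        types.update((s, t))
        classes[c].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


def stale_target_types(lines, expected_type):
    """Target types seen in denials that differ from the type the fcontext rule should
    have applied. A non-empty result means the on-disk labels were never rewritten
    (semanage records the mapping; restorecon applies it)."""
    seen = {d["ttype"] for d in map(parse_avc, lines) if d}
    return seen - {expected_type}


if __name__ == "__main__":
    print(render_te(collect_rules(AVC_LINES)))
    # The post's semanage listing shows httpd_t for the path, yet the denials hit user_home_t.
    print("target types not matching the fcontext rule:", stale_target_types(AVC_LINES, "httpd_t"))
```

The generated module is as broad as the one in the post, which is the point of the check: an allow rule keyed on user_home_t opens every user's home directory to httpd, whereas relabelling only the intended path (and confirming with ls -Z that the new label actually landed) keeps the grant scoped to that directory.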
