Allowing apache to access a user folder by using semanage

Stephen Smalley sds at tycho.nsa.gov
Wed May 9 20:19:13 UTC 2007


On Wed, 2007-05-09 at 22:09 +0200, Josef Meile wrote:
> Hi Jan
> 
> >> I'm trying to allow apache to read a user folder as follows:
> >>
> >> % semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
> > 
> > semanage doesn't update the labels of existing files. So you'll
> > need to run "restorecon -R /home/zopeuser/data" before this
> > will work.
> I did what you suggested; however lots of messages like this appeared:
> 
> restorecon set context
> /home/zopeuser/data/certs/demoCA/certs->system_u:object_r:httpd_t:s0
> failed:'Permission denied'
> 
> Then I tried:
> fixfiles restore
> 
> But again I got lots of errors like this:
> 
> /sbin/setfiles:  unable to relabel /home/zopeuser/data/certs/demoCA to
> system_u:object_r:httpd_t:s0
> /home/zopeuser/data/certs/demoCA/crl: Permission denied
> 
> Even this doesn't work:
> % touch /.autorelabel
> % reboot
> 
> But this is what I got in the message log after rebooting:
> 
> May  9 22:16:39 my_host kernel: audit(1178741787.823:58): avc:  denied 
> { relabelto } for  pid=1368 comm="setfiles" name="data" dev=hda4 
> ino=2121605 scontext=system_u:system_r:setfiles_t:s0 
> tcontext=system_u:object_r:httpd_t:s0 tclass=dir
> May  9 22:16:39 my_host kernel: audit(1178741787.823:59): avc:  denied 
> { associate } for  pid=1368 comm="setfiles" name="data" dev=hda4 
> ino=2121605 scontext=system_u:object_r:httpd_t:s0 
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> May  9 22:16:39 my_host kernel: audit(1178741787.834:60): avc:  denied 
> { read } for  pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 
> scontext=system_u:system_r:setfiles_t:s0 
> tcontext=system_u:object_r:httpd_t:s0 tclass=dir
> May  9 22:16:39 my_host kernel: audit(1178741787.834:61): avc:  denied 
> { search } for  pid=1368 comm="setfiles" name="data" dev=hda4 
> ino=2121605 scontext=system_u:system_r:setfiles_t:s0 
> tcontext=system_u:object_r:httpd_t:s0 tclass=dir

httpd_t is a domain for a process, not a type for a file.  You shouldn't
be trying to label a file with it.

-- 
Stephen Smalley
National Security Agency
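The check Stephen's answer implies, added here as an example and not taken from the thread: parse the quoted AVC records, flag a target type on a file or directory that is not a file type, and run the semanage/restorecon sequence Jan described with httpd_sys_content_t in place of httpd_t. The seinfo query and the fallback check are assumptions; semanage and restorecon are the tools the thread already uses.

```shell
# Added example, not part of the thread: parse the AVC denials quoted above and
# run the corrected relabel with a file type (httpd_sys_content_t) instead of
# the process domain httpd_t. Assumes semanage/restorecon; seinfo is optional.
# Constructed sample: three of the thread's denials, one audit record per line.
AVC_SAMPLE='kernel: audit(1178741787.823:58): avc:  denied  { relabelto } for  pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir
kernel: audit(1178741787.823:59): avc:  denied  { associate } for  pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:object_r:httpd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
kernel: audit(1178741787.834:60): avc:  denied  { read } for  pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir'

# One "comm permission tclass target_type" line per denial record.
avc_denials() {
  printf '%s\n' "$1" | awk '/avc: *denied/ {
    perm = comm = ttype = tclass = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "{")           perm = $(i + 1)
      if ($i ~ /^comm=/)     { comm = $i; gsub(/comm=|"/, "", comm) }
      if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
      if ($i ~ /^tclass=/)     tclass = substr($i, 8)
    }
    print comm, perm, tclass, ttype
  }'
}

# True when type $1 carries the file_type attribute. Asks seinfo (setools)
# when present; without it only the thread's own mistake, httpd_t, is known.
is_file_type() {
  if command -v seinfo >/dev/null 2>&1; then
    seinfo -afile_type -x 2>/dev/null | grep -qw "$1"
  else
    [ "$1" != httpd_t ]
  fi
}

# Target types of dir/file denials that are not file types: the mislabel that
# made setfiles fail with relabelto/read/search under /home/zopeuser/data.
domain_types_on_files() {
  avc_denials "$1" | awk '$3 == "dir" || $3 == "file" { print $4 }' | sort -u |
    while read -r t; do is_file_type "$t" || echo "$t"; done
}

# Corrected procedure: refuse a non-file type, record the context with
# semanage, then apply it with restorecon. DRY_RUN=1 only prints the commands.
relabel_dir() {  # relabel_dir <directory> <file_type>
  dir=$1; ftype=$2
  if ! is_file_type "$ftype"; then
    echo "refusing: $ftype is not a file type (httpd_t is a process domain)" >&2
    return 1
  fi
  run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }
  run semanage fcontext -a -t "$ftype" "$dir(/.*)?" && run restorecon -R -v "$dir"
}
```

After the real run, `ls -Z /home/zopeuser/data` should show httpd_sys_content_t and `ausearch -m avc -c setfiles` no new relabelto denials.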