Allowing apache to access a user folder by using semanage

Josef Meile jmeile at hotmail.com
Thu May 10 13:30:12 UTC 2007


Hi Stephen

>>> Ok, then is httpd_sys_content_t the right one? I solved it as follows:
>>>
>>> semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
>>> chcon -R -t httpd_sys_content_t /home/zopeuser/data
>>>
>>> It works now, but is it the correct way?
>> A small correction there. It should be
>> semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
>> chcon -R -t httpd_sys_content_t /home/zopeuser
>>
>> If you don't give access to the user's root directory, then apache will 
>> still fail.
> 
> The semanage command should also use httpd_sys_content_t, and you should
> run restorecon -R /home/zopeuser/data after the semanage command rather
> than using chcon.  semanage adds the entry to the system's
> file_contexts.local mapping, and restorecon then consults the system's
> file contexts files to determine the right context to apply.
Yes, you are right. That's what Jan-Frode Myklebust pointed me to in a
previous post and that's what I finally did. It is working now.

> Do you really want to allow apache to fully access the user's home
> directory?
No, I don't. Finally I gave apache access to the /home/zopeuser folder
and full access to the /home/zopeuser/data as follows:

#Apache will be able to access the folder but not the files inside it
semanage fcontext -a -f -d -t httpd_sys_content_t "/home/zopeuser"

#Apache will be able to access all this folder, its files and subfolders
semanage fcontext -a -t httpd_sys_content_t "/home/zopeuser/data(/.*)?"

#apply changes
restorecon -R /home/zopeuser

> If you just want to allow search access so that it can
> traverse the user home directory to reach the data subdirectory, there
> should be a boolean (httpd_enable_homedirs) that you can enable.
I'm aware of that boolean and it seems to be the simplest solution;
however, I have other user folders which I don't want apache to access,
so I opted for the semanage alternative.

Thanks and have a nice day
Josef
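As an added illustration (not part of this thread), the script below models what the two semanage entries above mean for individual paths: it parses a constructed file_contexts.local in the layout semanage writes (regex, optional -f type code, context) and applies a simplified version of the matchpathcon rule (anchored regex match, the -f code restricts the entry to one object class, last matching entry wins). The file layout, the default user_home_t label and the sample paths are assumptions for the demonstration; check a real host with `matchpathcon` or `ls -Z` after `restorecon`.

```python
import re

# Constructed sample of what the two semanage commands from the post leave in
# file_contexts.local (layout assumed: regex, optional -f code, context).
FILE_CONTEXTS_LOCAL = """\
/home/zopeuser -d system_u:object_r:httpd_sys_content_t:s0
/home/zopeuser/data(/.*)? system_u:object_r:httpd_sys_content_t:s0
"""

# Label assumed for everything else under a home directory.
DEFAULT_HOME = "unconfined_u:object_r:user_home_t:s0"

# semanage -f codes -> the object class the entry is restricted to
FTYPE_CODES = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
               "-b": "block", "-s": "socket", "-p": "pipe"}

def parse_contexts(text):
    """Parse file_contexts lines into (anchored regex, type-or-None, context)."""
    specs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:                      # entry written with -f <code>
            regex, code, context = parts
            ftype = FTYPE_CODES[code]
        else:                                    # entry applies to every object class
            regex, context = parts
            ftype = None
        specs.append((re.compile("^" + regex + "$"), ftype, context))
    return specs

def expected_context(path, obj_type, specs, default=DEFAULT_HOME):
    """Simplified matchpathcon: the last entry whose regex matches the whole
    path and whose -f filter (if any) matches the object class wins."""
    chosen = default
    for regex, ftype, context in specs:
        if regex.match(path) and (ftype is None or ftype == obj_type):
            chosen = context
    return chosen

if __name__ == "__main__":
    specs = parse_contexts(FILE_CONTEXTS_LOCAL)
    sample = [("/home/zopeuser", "dir"), ("/home/zopeuser/.bashrc", "file"),
              ("/home/zopeuser/data", "dir"),
              ("/home/zopeuser/data/index.html", "file"),
              ("/home/otheruser/www", "dir")]   # another user's folder stays private
    for path, obj_type in sample:
        print(f"{path:32} {expected_context(path, obj_type, specs)}")
```

The directory-only entry lets apache traverse /home/zopeuser while files directly inside it (such as .bashrc) keep user_home_t, and other users' home directories are untouched, which is the behaviour the message above relies on.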




More information about the fedora-selinux-list mailing list