Problem with apache accessing files outside of /var/www/html directory

Edward Kuns ekuns at kilroy.chi.il.us
Wed Feb 20 04:07:08 UTC 2008


David Bartmess wrote:
> I’m trying to get apache to serve up via a CGI script the formatted 
> contents of a directory outside of the DocumentRoot directory structure, 
> and SELinux is giving me a “Permissions Denied” error.

> How can I modify the SELinux context on the files being shown to fix this?

I'm also a newbie at this, but what I did to fix something similar was
bring up system-config-selinux and look at the configuration of files
in the "correct" area, then I replicated that configuration on the place
where I put my /var/www directory.  (Because /var/www can grow so much
larger than the rest of my /var, I put it outside of /var with a
symlink.)

The tool added my changes to the file

  /etc/selinux/targeted/contexts/files/file_contexts.local

Thus, to fix your problem, do something like:

  grep cgi /etc/selinux/targeted/contexts/files/file_contexts

This will show you all rules pertaining to directories that contain
"cgi" in them and/or rules that contain "cgi" in them.  From that
shorter list of rules, you should be able to figure out how to craft a
rule for the location where you put CGI files.  You can manually add
those to the file_contexts.local file (but I don't know if you then need
to do something special to activate those changes) or you can use
system-config-selinux, which is what I did.

Then to make the changes in labeling occur, I:

  restorecon -r -v /path/to/directory/where/you/put/cgi

where you put your cgi.  And remember that you need permissions the
whole directory tree down, so if you put your cgi files
in /opt/special/active/cgi then you need labeling on /opt and
on /opt/special (and so on, all the way down) so that the programs in
question can navigate all the way down from "/" to your cgi files.  To
figure out what is required, you can look at what labeling is done in
the directories /var and /var/www (in file_contexts) and experiment a
little.

I was able to figure out how to put /var/www successfully in a different
location by doing this, but I don't really have any cgi scripts, so you
have a slightly different situation.

Good luck.

       Eddie

-- 
Edward Kuns <ekuns at kilroy.chi.il.us>
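
Added example, not part of the original message: a shell helper that lists every directory from "/" down to a CGI location with its current SELinux label, and prints a file_contexts-style rule for that location. The path /opt/special/active/cgi is the one used in the message; the type httpd_sys_script_exec_t and the system_u:object_r:...:s0 layout are assumptions to confirm against the grep output on your own system.

```shell
#!/bin/sh
# Added example (not from the original post). The default type name below is
# an assumption; confirm it against your own file_contexts before using it.

# ancestors PATH: print every directory from / down to PATH, one per line.
ancestors() {
    case $1 in
        /*) ;;
        *) echo "ancestors: need an absolute path" >&2; return 1 ;;
    esac
    printf '/\n'
    # Split the path on "/" (globbing off) and rebuild it one component at a time.
    old_ifs=$IFS; IFS=/
    set -f; set -- $1; set +f
    IFS=$old_ifs
    cur=
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        printf '%s\n' "$cur"
    done
}

# label_report PATH: show the SELinux context of each directory on the way down,
# so a directory the web server cannot traverse stands out.
label_report() {
    ancestors "$1" | while IFS= read -r dir; do
        # "?" stands in when the path is missing or ls cannot report a context.
        ls -dZ "$dir" 2>/dev/null || printf '? %s\n' "$dir"
    done
}

# fcontext_rule PATH TYPE: a rule in file_contexts syntax that covers PATH
# and everything beneath it (trailing slash on PATH is dropped).
fcontext_rule() {
    printf '%s(/.*)?\tsystem_u:object_r:%s:s0\n' "${1%/}" "$2"
}

# Usage: sh labels.sh /opt/special/active/cgi [type]
if [ "$#" -ge 1 ]; then
    label_report "$1"
    fcontext_rule "$1" "${2:-httpd_sys_script_exec_t}"
fi
```

After a rule like the printed one is in place, the restorecon command from the message applies it to the files already on disk.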