apache problem?

Daniel J Walsh dwalsh at redhat.com
Fri Nov 5 23:09:47 UTC 2004


Colin Walters wrote:

>On Fri, 2004-11-05 at 07:37 -0500, Stephen Smalley wrote:
>
>>On Fri, 2004-11-05 at 06:09, Thomas Liesner wrote:
>>
>>>I think this has to do with selinux. The corresponding entries
>>>in /var/log/messages are:
>>>
>>>>Nov  5 12:04:55 fusie kernel: audit(1099652695.277:0): avc:  denied  { getattr } for  pid=4587 exe=/usr/sbin/httpd path=/home/thomas/public_html dev=hda3 ino=1456101 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=dir
>>>
>>/sbin/restorecon -R /home/thomas/public_html
>
>Hm.  I'd prefer to introduce users here to "chcon", since in the strict
>policy normal users don't have access to file_contexts.  Also restorecon
>only works if the directory is named public_html.
>
>Franz/Thomas: there is a guide for SELinux and Apache coming up, there
>should be a "beta" version of it by the FC3 release.

This is a bug in targeted policy.  Basically there is code in the policy
to allow apache to read nfs files but it is turned off in the release.

I have updated the policy file on
ftp://people.redhat.com/dwalsh/SELinux/FC3
to allow this (This is a yum repository.)
selinux-policy-targeted-1.17.30-2.20

Or you can try out the latest policy from rawhide
selinux-policy-targeted-1.18.1-*

Both should have a fix for this.
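
Added example, not part of the original message or of any SELinux tool: a small Python parser for AVC denial lines like the one quoted above, which pulls out the source type (`httpd_t`), target type (`user_home_t`), object class and permissions, and groups repeated denials so the mislabeled path stands out. The second and third sample log lines are constructed for the example, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# First line is the denial quoted in the thread; the other two are
# constructed for this example (merged permissions, unrelated line).
SAMPLE_LOG = (
    "Nov  5 12:04:55 fusie kernel: audit(1099652695.277:0): avc:  denied  { getattr } for  pid=4587 exe=/usr/sbin/httpd path=/home/thomas/public_html dev=hda3 ino=1456101 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=dir\n"
    "Nov  5 12:04:56 fusie kernel: audit(1099652696.100:0): avc:  denied  { read search } for  pid=4587 exe=/usr/sbin/httpd path=/home/thomas/public_html dev=hda3 ino=1456101 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=dir\n"
    "Nov  5 12:05:01 fusie crond[4601]: unrelated line, ignored\n"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # key=value pairs; assumes values contain no spaces
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    try:
        # A context is user:role:type[:level]; the type is always the third field.
        source_type = fields["scontext"].split(":")[2]
        target_type = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"perms": m.group("perms").split(), "source_type": source_type,
            "target_type": target_type, "tclass": tclass,
            "exe": fields.get("exe"), "path": fields.get("path")}

def summarize(log_text):
    """Group denials by (source type, target type, class); merge perms and paths."""
    groups = defaultdict(lambda: {"perms": set(), "paths": set()})
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        g = groups[(d["source_type"], d["target_type"], d["tclass"])]
        g["perms"].update(d["perms"])
        if d["path"]:
            g["paths"].add(d["path"])
    return {k: {"perms": sorted(v["perms"]), "paths": sorted(v["paths"])}
            for k, v in groups.items()}

if __name__ == "__main__":
    for (src, tgt, cls), g in summarize(SAMPLE_LOG).items():
        print(f"{src} denied {g['perms']} on {cls} labeled {tgt}: {g['paths']}")
```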



