Re: SELinux & apache/httpd access to /home/*/www
- From: Daniel J Walsh <dwalsh redhat com>
- To: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
- Subject: Re: SELinux & apache/httpd access to /home/*/www
- Date: Fri, 17 Sep 2004 11:42:29 -0400
Stephen Smalley wrote:
On Fri, 2004-09-17 at 08:17, Cream[DONut] wrote:
When starting httpd, it just fails, there are no AVC messages in
/var/log, but for testing purpose I set DocumentRoot to the / root of
the server, which worked, then I tried going to /home, which didn't work,
I couldn't open /home/xxxxxx or /home/xxxxxx/www.
BTW, when you see no AVC messages but think that SELinux is the culprit,
do a 'make enableaudit load' in the policy source directory and try
again, and then do a 'make clean load' to revert. That is noted in the
Fedora SELinux FAQ. Certain audit messages are explicitly suppressed by
default using dontaudit rules in the policy to avoid filling the logs
with noise, and the 'enableaudit' removes those rules to ensure that you
see every denial.
I also have it working fine with the 1-17-17 policy, targeted and strict.
DocumentRoot is /var/www/html
Attached the difference in httpd.conf to get it to work.
ls -laZ ~dwalsh/www/
drwx--x--x dwalsh dwalsh system_u:object_r:httpd_user_content_t .
drwxr-xr-x dwalsh dwalsh system_u:object_r:user_home_dir_t ..
-rw-r--r-- dwalsh dwalsh system_u:object_r:httpd_user_content_t hunts.html
--- httpd.conf~ 2004-09-08 06:20:13.000000000 -0400
+++ httpd.conf 2004-09-17 09:27:27.000000000 -0400
@@ -336,14 +336,14 @@
# of a username on the system (depending on home directory
# permissions).
#
- UserDir disable
+ #UserDir disable
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disable" line above, and uncomment
# the following line instead:
#
- #UserDir public_html
+ UserDir www
</IfModule>
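Review bot: commenting out `UserDir disable` and setting `UserDir www` turns on /~user/ mapping for every account on the system, not just the one being tested, and the context comment at the top of this hunk already ties that behaviour to usernames and home directory permissions. If only some accounts need a web directory, keep a global `UserDir disabled` and list them with `UserDir enabled dwalsh`, or at least add `UserDir disabled root` next to `UserDir www`. The retained comment still tells the reader to serve `public_html`, so it should be updated to say `www`, which is also the directory that has to carry the `httpd_user_content_t` label shown in the `ls -laZ` output.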
@@ -351,18 +351,18 @@
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
-#<Directory /home/*/public_html>
-# AllowOverride FileInfo AuthConfig Limit
-# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
-# <Limit GET POST OPTIONS>
-# Order allow,deny
-# Allow from all
-# </Limit>
-# <LimitExcept GET POST OPTIONS>
-# Order deny,allow
-# Deny from all
-# </LimitExcept>
-#</Directory>
+<Directory /home/*/www>
+ AllowOverride FileInfo AuthConfig Limit
+ Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
+ <Limit GET POST OPTIONS>
+ Order allow,deny
+ Allow from all
+ </Limit>
+ <LimitExcept GET POST OPTIONS>
+ Order deny,allow
+ Deny from all
+ </LimitExcept>
+</Directory>
#
# DirectoryIndex: sets the file that Apache will serve if a directory
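Review bot: the uncommented `Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec` line enables automatic directory listings in every `/home/*/www`, so any user directory without an index file exposes its full file list. Drop `Indexes` unless listings are wanted, and consider whether `AllowOverride FileInfo AuthConfig Limit` is needed, since it lets each user's `.htaccess` change those settings. The header comment describes this block as an example for read-only sites while `<Limit GET POST OPTIONS>` still admits POST; either narrow the method list or reword the comment.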