SELinux & apache/httpd access to /home/*/www
Cream[DONut]
lists at donut.dk
Fri Sep 17 16:40:39 UTC 2004
Stephen Smalley wrote:
> On Fri, 2004-09-17 at 08:17, Cream[DONut] wrote:
>
>>When starting httpd, it just fails, there are no AVC messages in
>>/var/log, but for testing purposes I set DocumentRoot to the / root of
>>the server, which worked, then I tried going to /home, which didn't work,
>>I couldn't open /home/xxxxxx or /home/xxxxxx/www.
>
>
> BTW, when you see no AVC messages but think that SELinux is the culprit,
> do a 'make enableaudit load' in the policy source directory and try
> again, and then do a 'make clean load' to revert. That is noted in the
> Fedora SELinux FAQ. Certain audit messages are explicitly suppressed by
> default using dontaudit rules in the policy to avoid filling the logs
> with noise, and the 'enableaudit' removes those rules to ensure that you
> see every denial.
>
With 'make enableaudit load':

Sep 17 18:23:15 DONut kernel: audit(1095438195.775:0): avc: denied { read write } for pid=2822 exe=/usr/sbin/httpd path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:httpd_t tcontext=root:object_r:devpts_t tclass=chr_file
Sep 17 18:23:16 DONut httpd: httpd startup succeeded

When trying to access http://server/~xxxxxx/:

Sep 17 18:24:10 DONut kernel: audit(1095438250.555:0): avc: denied { search } for pid=2826 exe=/usr/sbin/httpd name=xxxxxx dev=hda2 ino=886604 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Sep 17 18:24:10 DONut kernel: audit(1095438250.556:0): avc: denied { getattr } for pid=2826 exe=/usr/sbin/httpd path=/home/xxxxxx dev=hda2 ino=886604 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Anyway, thanks for the help, don't give it too much attention, I'll
install test2 next week, and let you know how it goes.
regards
Kris
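
The denials quoted in this message, parsed and grouped by source type, target type and object class, which is the view needed to see what httpd_t was refused once 'enableaudit' exposes the suppressed messages. This is an added example, not part of the original post; the names parse_avc and summarize are hypothetical, and the sample lines are the ones from the message with the mail line-wrapping joined.

```python
import re
from collections import defaultdict

# Log lines copied from the message above, with the mail wrapping joined.
SAMPLE = """\
Sep 17 18:23:15 DONut kernel: audit(1095438195.775:0): avc: denied { read write } for pid=2822 exe=/usr/sbin/httpd path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:httpd_t tcontext=root:object_r:devpts_t tclass=chr_file
Sep 17 18:23:16 DONut httpd: httpd startup succeeded
Sep 17 18:24:10 DONut kernel: audit(1095438250.555:0): avc: denied { search } for pid=2826 exe=/usr/sbin/httpd name=xxxxxx dev=hda2 ino=886604 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Sep 17 18:24:10 DONut kernel: audit(1095438250.556:0): avc: denied { getattr } for pid=2826 exe=/usr/sbin/httpd path=/home/xxxxxx dev=hda2 ino=886604 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
"""

# Matches the permission set in braces and captures the key=value tail.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    rec = {"perms": m.group("perms").split(), "tclass": fields.get("tclass"),
           "exe": fields.get("exe"),
           # Some denials carry a full path=, others only the last component as name=.
           "object": fields.get("path") or fields.get("name")}
    for key in ("scontext", "tcontext"):
        # Contexts are user:role:type; the type is what policy rules refer to.
        rec[key] = fields.get(key, "")
        rec[key[0] + "type"] = rec[key].split(":")[2] if rec[key].count(":") >= 2 else None
    return rec

def summarize(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}

if __name__ == "__main__":
    for (stype, ttype, tclass), perms in summarize(SAMPLE).items():
        print(f"{stype} -> {ttype}:{tclass} denied {{ {' '.join(perms)} }}")
```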