Re: Small bug in apache.fc
- From: Stephen Smalley <sds tycho nsa gov>
- To: hhoffman ip-solutions net
- Cc: "Fedora SELinux support list for users & developers." <fedora-selinux-list redhat com>
- Subject: Re: Small bug in apache.fc
- Date: Mon, 03 Apr 2006 09:24:09 -0400

On Sat, 2006-04-01 at 18:15 -0500, Harry Hoffman wrote:
> Hi,
>
> apache.fc allows for webroot location to be under /srv but selinux
> currently stops apache from searching under /srv (at least this seems to
> be the case to me, but I'm fairly new to selinux).
>
> From: file_contexts/program/apache.fc
> /srv/([^/]*/)?www(/.*)? system_u:object_r:httpd_sys_content_t
>
> a ls -lZ of / shows:
> drwxr-xr-x root root system_u:object_r:default_t srv
>
> running audit2allow -i /var/log/messages shows:
> allow httpd_t default_t:dir search;
>
> adding a local.te policy with:
> allow httpd_t default_t:dir search;
>
> fixes the problem and allows httpd to start without issue.

Better to put a different type on /srv, so that you don't have to expose
otherwise unspecified directories to searching by httpd.
--
Stephen Smalley
National Security Agency
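
Why /srv itself ends up as default_t although apache.fc covers the webroot, as an added example that is not part of either message or of the policy sources: file-context regexes are anchored at both ends, so the quoted pattern labels /srv/www and below but never the parent directories httpd has to search on the way there. The catch-all entry and the "last match in list order wins" rule are simplifying assumptions standing in for the real policy's fallback and spec ordering; the sample webroot paths are constructed.

```python
import re

# (regex, context) pairs. The second entry is the apache.fc line quoted in the
# thread; the first is a constructed catch-all standing in for the default_t
# fallback (assumption, not copied from the policy).
FILE_CONTEXTS = [
    (r"/.*", "system_u:object_r:default_t"),
    (r"/srv/([^/]*/)?www(/.*)?", "system_u:object_r:httpd_sys_content_t"),
]
FALLBACK = "system_u:object_r:default_t"


def label_for(path, specs=FILE_CONTEXTS):
    """Context a relabel would assign: the regex must match the whole path.
    Simplification: the last matching entry in list order wins."""
    result = None
    for pattern, context in specs:
        if re.fullmatch(pattern, path):
            result = context
    return result


def ancestors(path):
    """Every directory that must be searched to reach path, excluding '/'."""
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]


def unlabeled_ancestors(webroot):
    """Parent directories that fall through to the fallback type, i.e. the
    ones that produce 'httpd_t default_t:dir search' denials."""
    return [d for d in ancestors(webroot) if label_for(d) == FALLBACK]


if __name__ == "__main__":
    # Constructed sample webroots.
    for root in ("/srv/www/html", "/srv/example.com/www/html"):
        print(root)
        for d in ancestors(root):
            print("   ", d, "->", label_for(d))
        print("    needs a specific type:", unlabeled_ancestors(root))
```

Each directory reported by `unlabeled_ancestors` is one that either gets its own type, as the reply suggests, or forces a search rule on default_t, which then applies to every other directory left at the fallback type.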