
Re: Small bug in apache.fc



Stephen Smalley wrote:
> On Sat, 2006-04-01 at 18:15 -0500, Harry Hoffman wrote:
> > Hi,
> >
> > apache.fc allows for webroot location to be under /srv but selinux
> > currently stops apache from searching under /srv (at least this seems to
> > be the case to me, but I'm fairly new to selinux).
> >
> > From: file_contexts/program/apache.fc
> > /srv/([^/]*/)?www(/.*)?         system_u:object_r:httpd_sys_content_t
> >
> > a ls -lZ of /  shows:
> > drwxr-xr-x  root     root     system_u:object_r:default_t      srv
> >
> > running audit2allow -i /var/log/messages shows:
> > allow httpd_t default_t:dir search;
> >
> > adding a local.te policy with:
> > allow httpd_t default_t:dir search;
> >
> > fixes the problem and allows httpd to start without issue.
>
> Better to put a different type on /srv, so that you don't have to expose
> otherwise unspecified directories to searching by httpd.

/srv should be labeled var_t.  Not ideal but it would allow it to work.

restorecon /srv
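
An added illustration, not part of the original message or of the SELinux tools: a simplified Python model of file_contexts matching that shows why the apache.fc line labels /srv/www but leaves /srv itself as default_t, and how an explicit entry for /srv closes the gap without granting httpd search on default_t. The catch-all and /var entries, the "last match wins" ordering, and the set of types httpd_t may search are assumptions made for the example.

```python
import re
from pathlib import PurePosixPath

# Simplified model of file_contexts matching: each regex is anchored to the
# whole path and the last matching entry wins. Real libselinux ordering has
# more rules; this is enough to show the gap discussed in the thread.
APACHE_FC = r"/srv/([^/]*/)?www(/.*)?"   # the apache.fc line quoted above

def build_specs(srv_type=None):
    # Constructed excerpt: a catch-all default_t entry plus /var, then the
    # apache.fc line. srv_type optionally adds an explicit entry for /srv.
    specs = [(r"/.*", "default_t"), (r"/var", "var_t")]
    if srv_type:
        specs.append((r"/srv", srv_type))
    specs.append((APACHE_FC, "httpd_sys_content_t"))
    return [(re.compile(rx), t) for rx, t in specs]

def label_for(path, specs):
    # Return the type of the last entry whose regex matches the full path.
    label = None
    for rx, t in specs:
        if rx.fullmatch(path):
            label = t
    return label

def ancestors(path):
    # Directories a process must be able to search to reach `path`.
    parents = [str(p) for p in PurePosixPath(path).parents if str(p) != "/"]
    return list(reversed(parents))

def unsearchable_ancestors(path, specs, searchable):
    # Ancestors whose type is not in the set the domain may search.
    return [(d, label_for(d, specs)) for d in ancestors(path)
            if label_for(d, specs) not in searchable]

# Assumption: types httpd_t may search, for this illustration only.
HTTPD_SEARCHABLE = {"var_t", "httpd_sys_content_t"}

if __name__ == "__main__":
    target = "/srv/www/index.html"   # constructed sample path
    for name, specs in (("as shipped", build_specs()),
                        ("/srv labeled var_t", build_specs("var_t"))):
        print(name, unsearchable_ancestors(target, specs, HTTPD_SEARCHABLE))
```
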

