[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Small bug in apache.fc



Hi,

I'm happy to setup /srv to be var_t for the time being.

Two questions:

1) if this isn't a ideal way of solving the problem is there a better way?
2) will whatever the solution become be merged into the policies that
RHAS/Fedora/Centos/etc. use?

Thanks,
Harry


-- 
Harry Hoffman
Integrated Portable Solutions, LLC
877.846.5927 ext 1000
http://www.ip-solutions.net/


Daniel J Walsh wrote:
> Stephen Smalley wrote:
>> On Sat, 2006-04-01 at 18:15 -0500, Harry Hoffman wrote:
>>  
>>> Hi,
>>>
>>> apache.fc allows for webroot location to be under /srv but selinux
>>> currently stops apache from searching under /srv (at least this seems to
>>> be the case to me, but I'm fairly new to selinux).
>>>
>>> From: file_contexts/program/apache.fc
>>> /srv/([^/]*/)?www(/.*)?         system_u:object_r:httpd_sys_content_t
>>>
>>> a ls -lZ of /  shows:
>>> drwxr-xr-x  root     root     system_u:object_r:default_t      srv
>>>
>>> running audit2allow -i /var/log/messages shows:
>>> allow httpd_t default_t:dir search;
>>>
>>> adding a local.te policy with:
>>> allow httpd_t default_t:dir search;
>>>
>>> fixes the problem and allows httpd to start without issue.
>>>     
>>
>> Better to put a different type on /srv, so that you don't have to expose
>> otherwise unspecified directories to searching by httpd.
>>
>>   
> /srv should be labeled var_t.  Not ideal but it would allow it to work.
> 
> restorecon /src


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]