Allowing apache to access a user folder by using semanage
- From: Josef Meile <jmeile hotmail com>
- To: fedora-selinux-list redhat com
- Subject: Allowing apache to access a user folder by using semanage
- Date: Wed, 09 May 2007 14:31:40 +0200
Hi,
I'm trying to allow apache to read a user folder as follows:
% semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
However I still get:
May 9 13:42:38 my_host kernel: audit(1178710958.544:17691): avc:
denied { search } for pid=4103 comm="httpd" name="data" dev=hda4
ino=2121605 scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=dir
This is what semanage reports:
% semanage fcontext -l | grep zope
/home/zopeuser/data(/.*)? all files system_u:object_r:httpd_t:s0
I know you can do that with audit2allow by generating modules from the
error messages. Indeed I caught four errors, generated four modules,
then finally I combined them into this:
---> zopefull.te
module zopefull 1.0;
require {
type httpd_t;
type user_home_t;
class file read;
class file getattr;
class lnk_file read;
class dir search;
}
#============= httpd_t ==============
allow httpd_t user_home_t:file read;
allow httpd_t user_home_t:file getattr;
allow httpd_t user_home_t:lnk_file read;
allow httpd_t user_home_t:dir search;
<--- zopefull.te
Which indeed worked; however, I think it is a complicated and long
way, and it does much more than what I want; in fact this gives access
to all user folders to httpd and not just to the desired one. Is it
possible to do this with semanage? By the way, I'm using Fedora Core 6
without X and kernel 2.6.20-1.2948.
Best regards
Josef Meile
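Added example (my own, not from the post or from the Fedora project): a small
POSIX sh helper that parses a denial like the one quoted above, pulls out the
permission, source type, target type and object class, and prints the two
commands that label a single directory for httpd instead of an allow rule that
covers every user_home_t file. It assumes Fedora's targeted policy, where
httpd_sys_content_t is the file type httpd is allowed to read, that the
httpd_enable_homedirs boolean exists on the box, and that semanage and
restorecon are run as root; the AVC line it parses is the one from the post,
joined onto a single line.

```shell
#!/bin/sh
# Added example, not part of the original post: triage an AVC denial and emit
# the labelling commands for ONE directory rather than a policy module that
# opens every user_home_t file to httpd_t.
#
# Assumptions (mine, not from the post): targeted policy with the file type
# httpd_sys_content_t; semanage/restorecon available when the printed commands
# are run as root; the httpd_enable_homedirs boolean exists.

# Constructed sample: the denial quoted in the post, joined onto one line.
SAMPLE_AVC='May 9 13:42:38 my_host kernel: audit(1178710958.544:17691): avc: denied { search } for pid=4103 comm="httpd" name="data" dev=hda4 ino=2121605 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir'

# Third field of an SELinux context user:role:type:level is the type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Value of a "key=value" token in an AVC line (scontext, tcontext, tclass, ...).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p"
}

# The permission named inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([a-z_ ]*[a-z_]\) *}.*/\1/p'
}

# One-line summary: "<perm> <source type> <target type> <class>".
avc_summary() {
    line=$1
    printf '%s %s %s %s\n' "$(avc_perm "$line")" \
        "$(ctx_type "$(avc_field "$line" scontext)")" \
        "$(ctx_type "$(avc_field "$line" tcontext)")" \
        "$(avc_field "$line" tclass)"
}

# Commands that label exactly one tree for httpd. "semanage fcontext -a" only
# records the rule; restorecon is what rewrites the labels on disk, which is
# why the post's listing showed a rule while the AVC still reported
# user_home_t on the directory.
label_cmds() {
    dir=${1%/}                      # drop a trailing slash
    printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$dir"
    printf 'restorecon -Rv "%s"\n' "$dir"
}

# Decide whether a denial is the relabelling case (httpd_t hitting an object
# that still carries a home-directory type) or something to look at by hand.
diagnose() {
    line=$1; dir=$2
    set -- $(avc_summary "$line")   # $1=perm $2=src $3=tgt $4=class
    case "$2:$3" in
        httpd_t:user_home_t|httpd_t:user_home_dir_t)
            echo "httpd_t hit an unrelabelled home-directory object ($4, $1):"
            label_cmds "$dir"
            echo "# /home/<user> itself keeps user_home_dir_t; if the search"
            echo "# denial moves there, review the httpd_enable_homedirs boolean"
            ;;
        *)
            echo "not a labelling case this helper recognises: $1 $2 $3 $4"
            ;;
    esac
}

diagnose "$SAMPLE_AVC" /home/zopeuser/data
```

The helper only prints the commands; review them and run them as root. Compared
with the zopefull module in the post, the result is scoped to one path: httpd_t
can already read httpd_sys_content_t under the stock policy, so no new allow
rules are loaded and other users' home directories stay closed to httpd.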