Re: Allowing a apache to access a user folder by using semanage
- From: Josef Meile <jmeile hotmail com>
- To: Stephen Smalley <sds tycho nsa gov>
- Cc: fedora-selinux-list redhat com
- Subject: Re: Allowing a apache to access a user folder by using semanage
- Date: Thu, 10 May 2007 15:30:12 +0200
Hi Stephen

>> Ok, then is httpd_sys_content_t the right one? I solved it as follows:
>> semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
>> chcon -R -t httpd_sys_content_t /home/zopeuser/data
>> It works now, but is it the correct way?

>> A small correction there. It should be
>> semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
>> chcon -R -t httpd_sys_content_t /home/zopeuser
>> If you don't give access to the user's root directory, then apache will
>> still fail.

> The semanage command should also use httpd_sys_content_t, and you should
> run restorecon -R /home/zopeuser/data after the semanage command rather
> than using chcon. semanage adds the entry to the system's
> file_contexts.local mapping, and restorecon then consults the system's
> file contexts files to determine the right context to apply.

Yes, you are right. That's what Jan-Frode Myklebust pointed me to in a
previous post and that's what I finally did. It is working now.

> Do you really want to allow apache to fully access the user's home
> directory?

No, I don't. Finally I gave apache access to the /home/zopeuser folder
and full access to the /home/zopeuser/data as follows:

#Apache will be able to access the folder but not the files inside it
semanage fcontext -a -f -d -t httpd_sys_content_t "/home/zopeuser"
#Apache will be able to access all this folder, its files and subfolders
semanage fcontext -a -t httpd_sys_content_t "/home/zopeuser/data(/.*)?"
#apply changes
restorecon -R /home/zopeuser

> If you just want to allow search access so that it can
> traverse the user home directory to reach the data subdirectory, there
> should be a boolean (httpd_enable_homedirs) that you can enable.

I'm aware of that boolean and it seems to be the simplest solution;
however, I have other user folders, which I don't want apache to access,
so I opted for the semanage alternative.

Thanks and have a nice day
Josef
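
The scoping of the two final semanage rules above, as an added example that is not part of the original message: a simplified model in which each spec is a regex matched against the whole path and optionally limited to one file type. The function name expected_type, the rule table layout and the sample paths are constructed for illustration; precedence against the base policy's own /home rules is not modelled.

```shell
#!/bin/sh
# Simplified model of how the two local file-context rules from the message
# select paths. Assumption: a spec matches only when the regex covers the
# entire path, and a file-type qualifier ("d" = directory) narrows it further.

# Rule table mirroring the message: regex|file type|SELinux type
RULES='/home/zopeuser|d|httpd_sys_content_t
/home/zopeuser/data(/.*)?|any|httpd_sys_content_t'

# expected_type PATH FTYPE
# Prints the type a local rule assigns, or "unchanged" when no local rule
# matches (the label from the base policy would then stay in place).
expected_type() {
    path=$1 ftype=$2 result=unchanged
    while IFS='|' read -r regex rtype setype; do
        # Skip rules restricted to a different file type.
        [ "$rtype" = any ] || [ "$rtype" = "$ftype" ] || continue
        # Anchor the spec at both ends so it must match the full path.
        if printf '%s\n' "$path" | grep -Eq "^(${regex})\$"; then
            result=$setype
        fi
    done <<EOF
$RULES
EOF
    printf '%s\n' "$result"
}

# Constructed sample paths: "path type" (d = directory, f = regular file)
for sample in "/home/zopeuser d" "/home/zopeuser/.bashrc f" \
              "/home/zopeuser/data d" "/home/zopeuser/data/Data.fs f" \
              "/home/zopeuser/database f" "/home/otheruser d"; do
    set -- $sample
    printf '%-30s %s\n' "$1" "$(expected_type "$1" "$2")"
done
```

On a live system, restorecon -n -v -R /home/zopeuser reports the relabels the loaded policy would actually make without applying them.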