selinux question

Tim Fenn fenn at stanford.edu
Tue Feb 1 03:21:01 UTC 2005


I have mythtv installed at home, and currently use a partition on a
separate drive to store my recorded shows (/dev/hda1, mapped as
/data1).  I recently installed mythweb, which seems to be working fine
except for one minor issue - whenever I try to list the recorded
programs via the mythweb interface, php errors pop up with permission
issues, and the following appears in my kernel log:

kernel: audit(1107226430.548:0): avc:  denied  { search } for  pid=29290 exe=/usr/sbin/httpd name=/ dev=hda1 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir

kernel: audit(1107226430.549:0): avc:  denied  { getattr } for  pid=29290 exe=/usr/sbin/httpd path=/data1 dev=hda1 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir

kernel: audit(1107226430.549:0): avc:  denied  { getattr } for  pid=29290 exe=/usr/sbin/httpd path=/data1 dev=hda1 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir

which makes sense, I suppose - httpd shouldn't be touching stuff in
/data1 - but I'd like to allow httpd to see these files.  As far as my
limited understanding goes (I'm still trying to grok selinux), is the
best way to do this to add an entry in
/etc/selinux/targeted/contexts/files/file_contexts, then fire up
restorecon?

Thanks for any help,
Tim

-- 
Morals?  I eat communism and $h!t America, brother.  --Seanbaby
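Added example, not part of Tim's post: a small shell helper that parses AVC denials like the ones quoted above into a "source type -> target type:class { permissions }" summary, then prints the file_contexts entry that would label the mount as read-only web content for httpd_t. The sample log lines are constructed from the post, and the choice of httpd_sys_content_t as the target type is an assumption (it is the read-only content type of the targeted policy).

```shell
#!/bin/sh
# Added example; not code from the original post.
set -eu

# Constructed sample: the denials from the post, one per line, with the
# duplicate getattr line kept to show that permissions are de-duplicated.
SAMPLE_AVC='kernel: audit(1107226430.548:0): avc:  denied  { search } for  pid=29290 exe=/usr/sbin/httpd name=/ dev=hda1 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
kernel: audit(1107226430.549:0): avc:  denied  { getattr } for  pid=29290 exe=/usr/sbin/httpd path=/data1 dev=hda1 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
kernel: audit(1107226430.549:0): avc:  denied  { getattr } for  pid=29290 exe=/usr/sbin/httpd path=/data1 dev=hda1 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir'

# Read AVC lines on stdin; print one line per (source type, target type,
# object class) with the distinct permissions that were denied.
avc_summary() {
  awk '
    /avc: *denied/ {
      perm = ""; src = ""; tgt = ""; cls = ""
      # permission set is the text between the braces
      if (match($0, /\{[^}]*\}/)) {
        perm = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perm)
      }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { n = split($i, a, ":"); src = a[n] }  # type field
        if ($i ~ /^tcontext=/) { n = split($i, b, ":"); tgt = b[n] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      key = src " -> " tgt ":" cls
      if (!(key in seen)) { seen[key] = ""; keys[++cnt] = key }
      if (index(seen[key], " " perm " ") == 0) seen[key] = seen[key] " " perm " "
    }
    END { for (i = 1; i <= cnt; i++) { k = keys[i]; gsub(/  +/, " ", seen[k]); print k " {" seen[k] "}" } }'
}

# Emit the file_contexts line that relabels a mount point and everything
# under it so httpd_t may read it (assumed type: httpd_sys_content_t).
fcontext_line() {
  printf '%s\tsystem_u:object_r:httpd_sys_content_t\n' "$1(/.*)?"
}

printf '%s\n' "$SAMPLE_AVC" | avc_summary   # httpd_t -> default_t:dir { search getattr }
fcontext_line /data1
```

After appending that line to file_contexts (the approach the post proposes), `restorecon -R -v /data1` applies the label and `ls -Zd /data1` confirms it; the summary should stop appearing in the log once the target type is no longer default_t.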