SELinux & apache/httpd access to /home/*/www
Stephen Smalley
sds at epoch.ncsc.mil
Wed Sep 15 16:03:05 UTC 2004
On Wed, 2004-09-15 at 08:32, Cream[DONut] wrote:
> Hello,
>
> My problem is this:
> I host some small PHP & MySQL websites for friends and family, they have
> their VirtualHost DocumentRoots in "/home/[name]/www" (and is working
> fine with SELinux disabled).
>
> I am running SELinux with SELINUX=enforcing, SELINUXTYPE=targeted.
>
> SELinux seems to be blocking httpd from accessing /home/name/www,
> at least when trying to start apache it complains:
> Starting httpd: Warning: DocumentRoot [/home/xxxxxx/www] does not exist
> Warning: DocumentRoot [/home/yyyyy/www] does not exist
> [FAILED]
>
> (The non virtualhost root in /var/www/html works fine, but if moved to
> /home/xxxxxx/www it fails)
>
> /etc/selinux/targeted/contexts/files/file_contexts contains:
> # apache
> /home/[^/]+/((www)|(web)|(public_html))(/.+)?    system_u:object_r:httpd_user_content_t
>
> Which to me would seem to match the /home/[name]/www
> (I have tried upgrading to selinux-policy-targeted-1.17.12-1, but it
> didn't fix the problem)
>
> (I have the individual logfiles in /home/[name]/log, which probably
> presents another problem.)
>
> I don't quite understand the quirks of SELinux, so I'd certainly
> appreciate some direction.
audit2allow -v -d will generate allow rules from the audit messages
generated by any denials, or you can inspect dmesg output or
/var/log/messages directly for lines that have "avc: denied...".
ls -aZ /home/[name]/www will show you the current security contexts on
the directory and its files.
One possible cause would be that the filesystem type for /home doesn't
support extended attributes (e.g. NFS) and thus SELinux couldn't label
/home/[name]/www with the expected type.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
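As an added illustration of the checks described in the reply above (not part of the original thread), the following script parses "avc: denied" lines from dmesg or /var/log/messages and, for each httpd_t denial, compares the target's actual type against the type the quoted file_contexts entry expects for that path, which separates a mislabeling problem (the directory is not httpd_user_content_t) from a genuinely unexpected access. The log lines are constructed samples, and the `path=` field and the 2004-era message layout are assumptions about the audit format.

```python
import re

# file_contexts entry quoted in the question: paths under /home/<user>/{www,web,public_html}
# are expected to carry httpd_user_content_t.
FILE_CONTEXTS = [
    (re.compile(r"^/home/[^/]+/((www)|(web)|(public_html))(/.+)?$"), "httpd_user_content_t"),
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log lines (not from the original post); format is an assumption.
SAMPLE_LOG = [
    'audit(1095262345.123:0): avc:  denied  { getattr } for  pid=2301 exe=/usr/sbin/httpd path=/home/alice/www dev=hda3 ino=1234 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir',
    'audit(1095262345.124:0): avc:  denied  { search } for  pid=2301 exe=/usr/sbin/httpd name=log dev=hda3 ino=1235 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=dir',
    'audit(1095262346.000:0): avc:  denied  { read } for  pid=99 exe=/bin/cat path=/etc/shadow scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file',
]

def expected_type(path):
    """Return the type file_contexts assigns to path, or None if no entry matches."""
    for pattern, ftype in FILE_CONTEXTS:
        if pattern.match(path):
            return ftype
    return None

def parse_avc(line):
    """Parse one 'avc: denied' line into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]  # user:role:type
    return rec

def diagnose(lines):
    """Explain each httpd_t denial: mislabeled target vs. genuinely unexpected access."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.get("scontext_type") != "httpd_t":
            continue  # not an AVC denial, or not httpd
        path = rec.get("path")
        want = expected_type(path) if path else None
        have = rec.get("tcontext_type")
        if want and have != want:
            findings.append(f"{path}: labeled {have}, file_contexts expects {want} (relabel it)")
        else:
            findings.append(f"{path or rec.get('name')}: denied {' '.join(rec['perms'])} on {have}")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

On a live system, feed it the output of `dmesg` or `grep 'avc: denied' /var/log/messages` and compare the reported target type with what `ls -aZ /home/[name]/www` shows.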