[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SELinux & apache/httpd access to /home/*/www

Daniel J Walsh wrote:
> 1. In order to maintain the SELinux protection on Apache, you could
> change the context of the directrory and files you wish to share.
>    a chcon -t  -R httpd_user_content_t /home/*/www
>    b Then restart apache and try to access the pages.       service
> httpd restart

I assume you mean "chcon -R -t httpd_user_content_t /home/*/www", since the context you posted doesnt work. But it doesnt fix the problem, apache still cant i still get "DocumentRoot [/home/xxxxxx/www] does not exist".

la -latZ /home/
drwxr-x---  xxxxxx   apache   system_u:object_r:user_home_dir_t xxxxxx

ls -latZ /home/xxxxxx
drwxr-xr-x  xxxxxx   xxxxxx   system_u:object_r:httpd_user_content_t www

I checked that the apache user could open the files, even in enforcing targeted mode

> 2.  You can disable SELinux protextion for apache.
>      a. Run selinux-config-securitylevel and select the SELinux tab.
>      b. In the Modify SELinux Policy box, select the transitions list
> item and expand.
>      c. Check the Disable SELinux protection for httpd daemon line.
>      d. Click ok
>      e. Restart apache
>         service httpd restart

Do you mean system-config-securitylevel? because i dont have any selinux-config-securitylevel, but my system-config-securitylevel doesnt display any SELinux related stuff. (I prefer to edit the configs in emacs, it seems to give me a better picture of how it works).

Still not sure how to disable auditing of the httpd in targeted mode.

> 3.  Disable SELinux
>       a. Run selinux-config-securitylevel and select the SELinux tab.
>       b. UnClick Enabled
>       c. Click Ok
>       d. Reboot.

or SELINUX=disabled in /etc/selinux/config,
or selinux=0 in the boot config,
but I'd like to give SELinux a try. (at the moment targeted mode seems to be the right one for me)

Stephen Smalley wrote:
> audit2allow -v -d will generate allow rules from the audit messages
> generated by any denials, or you can inspect dmesg output or
> /var/log/messages directly for lines that have "avc:  denied...".

I figured if i ran the system in strict & permissive mode, and then ran the system trough the paces it would be expected to do in normal day operations, I would be able to build a good "seed file".

I havent been able to find any page discribing what to do with that file, but im guessing it should somehow be used in /etc/selinux/strict/src/policy.

(the system halts during booting if its in strict & enforcing mode)

> ls -aZ /home/[name]/www will show you the current security contexts on
> the directory and its files.

handy, thanks

> One possible cause would be that the filesystem type for /home doesn't
> support extended attributes (e.g. NFS) and thus SELinux couldn't label
> /home/[name]/www with the expected type.

/home is not NFS, its ext3

Thanks for taking the time to respond to my initial post. Kris

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]