SELinux & apache/httpd access to /home/*/www

Cream[DONut] lists at donut.dk
Fri Sep 17 16:40:39 UTC 2004


Stephen Smalley wrote:
> On Fri, 2004-09-17 at 08:17, Cream[DONut] wrote:
> 
>>when starting httpd, it just fails, there are no AVC messages in 
>>/var/log, but for testing purposes I set DocumentRoot to the / root of 
>>the server, which worked, then I tried going to /home, which didn't work, 
>>I couldn't open /home/xxxxxx or /home/xxxxxx/www.
> 
> 
> BTW, when you see no AVC messages but think that SELinux is the culprit,
> do a 'make enableaudit load' in the policy source directory and try
> again, and then do a 'make clean load' to revert.  That is noted in the
> Fedora SELinux FAQ.  Certain audit messages are explicitly suppressed by
> default using dontaudit rules in the policy to avoid filling the logs
> with noise, and the 'enableaudit' removes those rules to ensure that you
> see every denial.
> 

with make enableaudit load:
Sep 17 18:23:15 DONut kernel: audit(1095438195.775:0): avc:  denied  { read write } for  pid=2822 exe=/usr/sbin/httpd path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:httpd_t tcontext=root:object_r:devpts_t tclass=chr_file
Sep 17 18:23:16 DONut httpd: httpd startup succeeded

when trying to access http://server/~xxxxxx/:
Sep 17 18:24:10 DONut kernel: audit(1095438250.555:0): avc:  denied  { search } for  pid=2826 exe=/usr/sbin/httpd name=xxxxxx dev=hda2 ino=886604 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Sep 17 18:24:10 DONut kernel: audit(1095438250.556:0): avc:  denied  { getattr } for  pid=2826 exe=/usr/sbin/httpd path=/home/xxxxxx dev=hda2 ino=886604 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir

Anyway, thanks for the help, don't give it too much attention, I'll 
install test2 next week, and let you know how it goes.

regards
Kris

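A small triage script for AVC lines like the ones above, added here as an example (not code from the thread or from the SELinux project). It parses each denial, groups them by source type, target type and object class, and prints the access each group would require, so an admin can see at a glance that the real problem is httpd_t touching user_home_dir_t, separate from the devpts noise at startup. The sample log text is constructed from the lines in this message.

```python
import re
from collections import defaultdict

# Constructed sample built from the denials shown in the thread above:
# one devpts denial at httpd startup, two user_home_dir_t denials on ~user access.
SAMPLE_LOG = """\
Sep 17 18:23:15 DONut kernel: audit(1095438195.775:0): avc:  denied  { read write } for  pid=2822 exe=/usr/sbin/httpd path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:httpd_t tcontext=root:object_r:devpts_t tclass=chr_file
Sep 17 18:23:16 DONut httpd: httpd startup succeeded
Sep 17 18:24:10 DONut kernel: audit(1095438250.555:0): avc:  denied  { search } for  pid=2826 exe=/usr/sbin/httpd name=xxxxxx dev=hda2 ino=886604 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Sep 17 18:24:10 DONut kernel: audit(1095438250.556:0): avc:  denied  { getattr } for  pid=2826 exe=/usr/sbin/httpd path=/home/xxxxxx dev=hda2 ino=886604 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
"""

# Matches the 2004-era syslog form of an AVC record: verdict, { perms }, then key=value fields.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        rec[key] = val
    # The type is the third field of user:role:type; policy rules are written against it.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, class) and union their permissions.
    Each key is one access that would have to be allowed (or avoided by relabelling)."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in groups.items()}


if __name__ == "__main__":
    for (stype, ttype, tclass), perms in summarize(SAMPLE_LOG).items():
        # Printed as the access that was attempted, not as a rule to add blindly.
        print(f"{stype} -> {ttype}:{tclass} {{ {' '.join(perms)} }}")
```

The devpts entry is typically just httpd inheriting the terminal it was started from; the user_home_dir_t entries are the ones behind the failing ~xxxxxx request.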

