Allowing apache to access a user folder by using semanage

Josef Meile jmeile at hotmail.com
Wed May 9 20:09:27 UTC 2007


Hi Jan

>> I'm trying to allow apache to read a user folder as follows:
>>
>> % semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
> 
> semanage doesn't update the labels of existing files. So you'll
> need to run "restorecon -R /home/zopeuser/data" before this
> will work.
I did what you suggested; however, lots of messages like this appeared:

restorecon set context
/home/zopeuser/data/certs/demoCA/certs->system_u:object_r:httpd_t:s0
failed:'Permission denied'

Then I tried:
fixfiles restore

But again I got lots of errors like this:

/sbin/setfiles:  unable to relabel /home/zopeuser/data/certs/demoCA to
system_u:object_r:httpd_t:s0
/home/zopeuser/data/certs/demoCA/crl: Permission denied

Even this doesn't work:
% touch /.autorelabel
% reboot

But this is what I got in the message log after rebooting:

May  9 22:16:39 my_host kernel: audit(1178741787.823:58): avc:  denied 
{ relabelto } for  pid=1368 comm="setfiles" name="data" dev=hda4 
ino=2121605 scontext=system_u:system_r:setfiles_t:s0 
tcontext=system_u:object_r:httpd_t:s0 tclass=dir
May  9 22:16:39 my_host kernel: audit(1178741787.823:59): avc:  denied 
{ associate } for  pid=1368 comm="setfiles" name="data" dev=hda4 
ino=2121605 scontext=system_u:object_r:httpd_t:s0 
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
May  9 22:16:39 my_host kernel: audit(1178741787.834:60): avc:  denied 
{ read } for  pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 
scontext=system_u:system_r:setfiles_t:s0 
tcontext=system_u:object_r:httpd_t:s0 tclass=dir
May  9 22:16:39 my_host kernel: audit(1178741787.834:61): avc:  denied 
{ search } for  pid=1368 comm="setfiles" name="data" dev=hda4 
ino=2121605 scontext=system_u:system_r:setfiles_t:s0 
tcontext=system_u:object_r:httpd_t:s0 tclass=dir

So far I don't know what to do. Unfortunately, most documentation
I found talks about using the "Security Level and Firewall" menu entry
from Gnome, but I don't have X, nor do I want to install it.

Thanks for the reply anyway.
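The AVC denials quoted above are the record of why the relabel failed, and reading them by hand gets tedious once a full relabel produces hundreds of them. The following is an added example, not code from this thread or from the SELinux tools: a small parser for the `kernel: audit(...): avc: denied { perm } for ...` line format shown in the post, which groups denials by source type, target type and object class and separately reports every target type a relabeling tool was refused `relabelto` on. It also checks whether the same log carries an `associate` denial against `fs_t` for that type; in the post's log that pair (`relabelto` refused to `setfiles_t`, `associate` refused for `httpd_t` on the filesystem) is what a type that is a process domain rather than a file type looks like when it is forced onto a directory. The sample input is the four lines from the post joined back onto single lines; the function names and the assumption that lines use this pre-auditd syslog format are mine.

```python
"""Parse SELinux AVC denials from a syslog-style message log and summarize
them. Added example for this thread; not code from the post or from the
SELinux project. Assumes the 'kernel: audit(...): avc: denied { perm } for
key=value ...' format quoted in the post."""
import re
from collections import defaultdict

# Constructed sample: the four denials quoted in the post, each re-joined onto
# one line (the mail client wrapped them).
SAMPLE_LOG = """\
May  9 22:16:39 my_host kernel: audit(1178741787.823:58): avc:  denied { relabelto } for  pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir
May  9 22:16:39 my_host kernel: audit(1178741787.823:59): avc:  denied { associate } for  pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:object_r:httpd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
May  9 22:16:39 my_host kernel: audit(1178741787.834:60): avc:  denied { read } for  pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir
May  9 22:16:39 my_host kernel: audit(1178741787.834:61): avc:  denied { search } for  pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir
"""

# "avc:  denied { relabelto } for  pid=... comm=..." -> result, perms, fields
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted or a run of non-blanks
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc_line(line):
    """Return a dict for one AVC line, or None if the line is not an AVC record.

    The security context user:role:type:level is split so the type is
    available directly as scontext_type / tcontext_type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    rec.update(fields)
    for ctx in ("scontext", "tcontext"):
        if ctx in fields:
            parts = fields[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, object class) and collect
    the sorted set of permissions that were refused for each group."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc_line(line)
        if rec and rec["result"] == "denied":
            key = (rec.get("scontext_type"), rec.get("tcontext_type"), rec.get("tclass"))
            groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}


def label_rejections(log_text):
    """Map each target type that a relabeler was refused 'relabelto' on to
    True when the filesystem also refused to 'associate' with that type
    (i.e. the type is not accepted as a file label at all), else False."""
    relabelto, assoc_refused = set(), set()
    for line in log_text.splitlines():
        rec = parse_avc_line(line)
        if not rec or rec["result"] != "denied":
            continue
        if "relabelto" in rec["perms"]:
            relabelto.add(rec.get("tcontext_type"))
        if rec.get("tclass") == "filesystem" and "associate" in rec["perms"]:
            assoc_refused.add(rec.get("scontext_type"))
    return {t: (t in assoc_refused) for t in relabelto}


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {tgt} ({cls}): denied {' '.join(perms)}")
    for t, unassociable in label_rejections(SAMPLE_LOG).items():
        why = "filesystem refuses to associate with it" if unassociable else "policy denies relabel"
        print(f"relabelto {t} refused: {why}")
```

Run it against `/var/log/messages` (or `ausearch -m avc` output, which uses the same `avc: denied { ... } for` body) by reading the file into `summarize`; the per-type report from `label_rejections` tells you whether the fix is a policy change or simply choosing a type the filesystem will accept as a label.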

More information about the fedora-selinux-list mailing list