Allowing apache to access a user folder by using semanage

Stephen Smalley sds at tycho.nsa.gov
Thu May 10 12:18:25 UTC 2007


On Wed, 2007-05-09 at 23:16 +0200, Josef Meile wrote:
> > Ok, then is httpd_sys_content_t the right one? I solve it as follows:
> > 
> > semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
> > chcon -R -t httpd_sys_content_t /home/zopeuser/data
> > 
> > It works now, but is it the correct way?
> 
> A small correction there. It should be
> semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
> chcon -R -t httpd_sys_content_t /home/zopeuser
> 
> If you don't give access to the user's root directory, then apache will 
> still fail.

The semanage command should also use httpd_sys_content_t, and you should
run restorecon -R /home/zopeuser/data after the semanage command rather
than using chcon.  semanage adds the entry to the system's
file_contexts.local mapping, and restorecon then consults the system's
file contexts files to determine the right context to apply.

Do you really want to allow apache to fully access the user's home
directory?  If you just want to allow search access so that it can
traverse the user home directory to reach the data subdirectory, there
should be a boolean (httpd_enable_homedirs) that you can enable.

-- 
Stephen Smalley
National Security Agency
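An added worked example (not part of the thread, and not code from any of the posters): a shell script that carries out the procedure Stephen describes (semanage fcontext followed by restorecon, plus the boolean) and, alongside it, a small emulation of how restorecon chooses a context from the file_contexts specs, so the "last matching spec wins, and file_contexts.local is loaded last" behaviour can be exercised on a machine without SELinux. The specs file is constructed for the example; the base home-directory entries in it are simplified stand-ins for the distribution's file_contexts.homedirs entries, and the httpd_enable_homedirs boolean is used exactly as named in the message above, with no further claim about what it permits on a given policy.

```shell
#!/bin/sh
# Example (not from the mailing-list thread): persistent httpd labelling of
# /home/zopeuser/data, plus an offline emulation of the file_contexts lookup.
set -u

# The spec that semanage writes into file_contexts.local for the thread's
# path. libselinux anchors each spec regex, so this matches the directory
# itself and everything beneath it, but nothing else under /home/zopeuser.
DATA_SPEC='/home/zopeuser/data(/.*)?'

# Constructed stand-in for the merged file_contexts files. The first two
# lines imitate the generic home-directory entries a distribution ships; the
# last line is what "semanage fcontext -a -t httpd_sys_content_t" appends to
# file_contexts.local, which is read after the distribution's entries.
SPECS_FILE=$(mktemp)
trap 'rm -f "$SPECS_FILE"' EXIT
cat > "$SPECS_FILE" <<EOF
/home/[^/]+ unconfined_u:object_r:user_home_dir_t:s0
/home/[^/]+/.+ unconfined_u:object_r:user_home_t:s0
$DATA_SPEC system_u:object_r:httpd_sys_content_t:s0
EOF

# Emulates the matchpathcon/restorecon decision: every spec is matched as an
# anchored regex and the last matching line wins. That ordering is why an
# entry added with semanage overrides the generic user_home_t rule, while a
# chcon-only label would be reverted by the next relabel because no spec
# backs it. Prints only the type field of the winning context.
lookup_type() {
    path=$1
    winner=""
    while read -r spec ctx; do
        [ -z "$spec" ] && continue
        if printf '%s\n' "$path" | grep -Eq "^${spec}\$"; then
            winner=$ctx
        fi
    done < "$SPECS_FILE"
    printf '%s\n' "$winner" | cut -d: -f3
}

# The real procedure from the thread. Needs root and policycoreutils, so it
# is skipped (with a message) when either is missing.
apply_labels() {
    if ! command -v semanage >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo "semanage not available or not running as root; skipping" >&2
        return 0
    fi
    # Record the mapping in file_contexts.local so it survives a relabel.
    # "-a" fails if the spec already exists; use "-m" to change an entry.
    semanage fcontext -a -t httpd_sys_content_t "$DATA_SPEC"
    # Apply the label from the policy's file contexts instead of chcon.
    restorecon -Rv /home/zopeuser/data
    # The boolean Stephen points at for reaching content under a home
    # directory; check what it allows on your policy before relying on it.
    setsebool -P httpd_enable_homedirs on
    # Verify: what the policy says the path should be, and what it is.
    matchpathcon /home/zopeuser/data/index.html
    ls -Zd /home/zopeuser/data
}

# Show the emulated lookup for a few paths; pass "apply" to run the
# real commands on an SELinux host.
for p in /home/zopeuser /home/zopeuser/.bashrc \
         /home/zopeuser/data /home/zopeuser/data/index.html; do
    printf '%-36s -> %s\n' "$p" "$(lookup_type "$p")"
done
if [ "${1:-}" = apply ]; then
    apply_labels
fi
```

Run it without arguments to see which type each path resolves to under the constructed specs; on a Fedora host with policycoreutils installed, `sudo sh script.sh apply` performs the semanage/restorecon/setsebool steps and then prints the policy's expected label next to the label actually on disk.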
