simple question with home serving ruby on rails web site

Paul Howarth paul at city-fan.org
Sat Jun 14 15:51:18 UTC 2008


On Sat, 14 Jun 2008 08:05:56 -0700
Craig White <craigwhite at azapple.com> wrote:

> I'm running in permissive mode so all I'm getting is warnings but I'm
> wondering the best way to solve this...
> 
> error every time httpd starts...
> 
> SELinux has denied httpd access to potentially mislabeled file(s)
> (./svn-new). This means that SELinux will not allow httpd to use these
> files. It is common for users to edit files in their home directory or
> tmp directories and then move (mv) them to system directories. The
> problem is that the files end up with the wrong file context which
> confined applications are not allowed to access.
> 
> Allowing Access
> If you want httpd to access this files, you need to relabel them using
> restorecon -v './svn-new'. You might want to relabel the entire
> directory using restorecon -R -v './svn-new'.
> 
> Additional Information
> Source Context:  system_u:system_r:httpd_t:SystemLow-SystemHigh
> Target Context:  user_u:object_r:user_home_t
> Target Objects:  ./svn-new [ dir ]
> Source:  httpd
> Source Path:  /usr/sbin/httpd
> 
> 
> /home/craig/svn-new is an svn checkout and is the 'RAILS ROOT'
> directory for the web server.
> 
> $ ls -ldZ /home/craig/svn-new/
> drwxrwxr-x  craig craig
> user_u:object_r:user_home_t      /home/craig/svn-new/
> 
> This is on Fedora 9. In the past, I could have used
> system-config-security and set selinux to allow web page serving from
> user home directories but I don't see that tool any more.
> 
> What's the best way to handle this?

Easiest is just to fix the contexts of the files:

# semanage fcontext -a -t httpd_sys_content_t '/home/craig/svn-new(/.*)?'
# restorecon -rv /home/craig/svn-new

I'm not familiar with rails or how you maintain your svn checkout, so
httpd_sys_content_t may not be the appropriate type for all of the
content (are there any scripts in there, are you uploading content via
ftp, samba, etc.?). Since you're in permissive mode, it's not going to
cause you any problem other than possibly different warnings though.
If you maintain the checkout by manually doing an "svn update" from
your regular account, and the content isn't "executed" by httpd,
httpd_sys_content_t should be fine.

Paul.
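An added example, not part of the thread, that wraps Paul's fix into a small script: it reads the type out of a context string like the one Craig's `ls -ldZ` printed, builds the persistent semanage rule for the directory (a plain chcon would be lost on the next relabel), and lists executable files that would need a type other than httpd_sys_content_t, per Paul's caveat. The function names and the APPLY variable are my choices; the real semanage/restorecon commands only run when APPLY=1, otherwise they are just printed.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Path and type are the ones
# from the thread; nothing is changed on the system unless APPLY=1.

# Type field is the third colon-separated component of a context, e.g.
# user_u:object_r:user_home_t  or  system_u:object_r:httpd_sys_content_t:s0
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# 0 when the label in $1 already carries the wanted type $2, else 1.
context_matches() {
    [ "$(context_type "$1")" = "$2" ]
}

# Regex semanage expects: the directory itself plus everything below it.
fcontext_regex() {
    dir=${1%/}              # drop a trailing slash to avoid '//' in the regex
    printf '%s(/.*)?\n' "$dir"
}

# Print the persistent relabel commands for $1 (type $2, default
# httpd_sys_content_t); run them as well when APPLY=1.
relabel_for_httpd() {
    dir=$1
    type=${2:-httpd_sys_content_t}
    regex=$(fcontext_regex "$dir")
    printf "semanage fcontext -a -t %s '%s'\n" "$type" "$regex"
    printf 'restorecon -Rv %s\n' "$dir"
    if [ "${APPLY:-0}" = 1 ]; then
        semanage fcontext -a -t "$type" "$regex" && restorecon -Rv "$dir"
    fi
}

# Paul's caveat: httpd_sys_content_t suits files httpd only reads. List
# executable regular files under $1 so they can be reviewed first.
list_executables() {
    find "$1" -type f -perm -u+x
}

# Constructed sample: the label from Craig's ls -ldZ output in the thread.
sample_label='user_u:object_r:user_home_t'
if context_matches "$sample_label" httpd_sys_content_t; then
    echo "already labelled for httpd"
else
    relabel_for_httpd /home/craig/svn-new
fi
```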
