Thank you very much for your very helpful reply, Colin.
On Wed, Jan 19, 2005 at 09:48:30PM -0500, Colin Walters wrote:
> On Thu, 2005-01-20 at 11:23 +1100, Nick Urbanik wrote:
> > Dear Folks,
> >
> > I'm totally new to SELinux, and am quite confused on a number of
> > points.
> >
> > I took the plunge and enabled SELinux on this FC3 box.
> > Problem is with Apache.
>
> Have you read the Fedora Apache guide?

Thank you, yes, it is very helpful.

> http://fedora.redhat.com/docs/selinux-apache-fc3/
>
> It's slightly out of date but still informative, I think.

Thanks. I have finally got everything to work, and now will make it
work more securely.

> > I have symlinks pointing to my home
> > directory,
>
> This will cause a number of problems. Many programs are given the
> permissions 'getattr' and 'search' on user_home_dir_t:dir, so they can
> access the toplevel home directory but not necessarily anything
> contained in it. The ":dir" part here is important, as it means the
> permissions are restricted to directories with that type; symlinks are
> not allowed.
>
> I wonder why you're symlinking into /opt,

I have a 512 gigabyte 3ware raid partition, and am using it for many
different purposes, and had used symlinks to access it. I'm changing
it to mount as you sensibly suggest.

> but assuming for now that's what you have to do, one solution might
> be to use bind mounts instead of symlinks:
>
> rm /home/nicku
> mkdir /home/nicku
> mount -obind /opt/nicku /home/nicku
>
> You can add the bind mount to /etc/fstab so it's done automatically.

That's a wonderful idea! The mount man page indicates that I can use
mount --move /opt/nicku /home/nicku
to achieve exactly what I wanted originally. Does that work well?

> Yeah; use misc/local.te instead, or the like. te files in program
> require a corresponding .fc file to be enabled.

Yes, I finally realised that's where it should go.
--
Nick Urbanik RHCE
http://nicku.org nicku(at)nicku.org
Proud ex-member of Dept. of Information & Communications Technology in
Hong Kong IVE (Tsing Yi), Home of Visual Paradigm: Jolt Productivity
Award winner, programmed by ICT's own graduates!
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24
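
Added example, not part of the original message: a read-only shell function that finds home directories which are still symlinks and prints the /etc/fstab bind-mount entry matching the "mount -obind" command quoted above. The function name fstab_bind_entries is an assumption made for this example; the six fields follow the standard fstab(5) layout.

```shell
#!/bin/sh
# Added example (not from the thread): list home directories that are
# symlinks and print the /etc/fstab bind-mount entry that would replace
# each one. Read-only: nothing on disk is changed.
#
# Usage: fstab_bind_entries /home

# fstab_bind_entries HOME_ROOT
# Prints one fstab line per symlinked entry under HOME_ROOT whose target
# is an existing directory. Anything it cannot handle safely is reported
# on stderr and skipped.
fstab_bind_entries() {
    home_root=${1:-/home}
    for entry in "$home_root"/*; do
        # -L is true only for symlinks; real directories are left alone.
        [ -L "$entry" ] || continue
        if [ ! -d "$entry" ]; then
            echo "skip: $entry is dangling or does not point at a directory" >&2
            continue
        fi
        # Resolve to the physical path so the bind source is not itself
        # reached through another symlink.
        target=$(cd -P "$entry" && pwd -P) || continue
        case "$target$entry" in
            *[[:space:]]*)
                # fstab needs whitespace written as \040; left to the admin.
                echo "skip: $entry (path contains whitespace)" >&2
                continue ;;
        esac
        # Fields: source, mount point, fstype, options, dump, fsck pass.
        printf '%s %s none bind 0 0\n' "$target" "$entry"
    done
}
```

Each printed line is appended to /etc/fstab only after the symlink has been replaced by an empty directory, as in the rm/mkdir steps quoted above.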