Patrick O'Callaghan wrote:
> I've set up a simple web server for private use (though I will enable
> https access from outside the network), but I want some of the content
> to be outside the default /var/www/html tree. When I do this, I get
> file access errors when SELinux is enabled, but not when I set
> 'setenforcing=0'.
>
> I'd prefer to use SELinux as intended, so what do I need to do?

You should just need to set the proper file context for the
new location. The `semanage fcontext` command is what you'd
use. There are a few options:

    semanage fcontext -a -t public_content_t "/var/httpd(/.*)?"
    restorecon -F -R -v /var/httpd

or

    semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
    restorecon -R -v /web

The first is from semanage-fcontext(8) and the second is
from httpd_selinux(1) (in the selinux-policy-doc package)¹.
Either context should work. The `public_content_t` works
across some other services, so it's a little more generic
(plus it's shorter and clearer, at least to me). The
difference in path for those examples is inconsequential.
¹ Yes, if you knew what command to use, finding the manpage
would be the easy part. :)
The *_selinux man pages are pretty handy. A large number
of SELinux confined services have similar man pages.
They're generally a good starting point for finding out
how to manage and adjust the policy for a given service.
--
Todd
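
An added example, not part of the reply above: a check to run after `restorecon` that lists anything under the new tree whose SELinux type is not one of the two content types named in the reply. The sample listing is constructed; the function names and the `/web` paths in the sample are assumptions made for illustration.

```shell
#!/bin/sh
# Types this example accepts: the two named in the reply above.
ALLOWED_TYPES="httpd_sys_content_t public_content_t"

# Read "context path" lines on stdin, where context is user:role:type:level,
# and print "type path" for every entry whose type is not in ALLOWED_TYPES.
mislabeled() {
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        # The type is the third colon-separated field of the context.
        t=$(printf '%s\n' "$ctx" | cut -d: -f3)
        case " $ALLOWED_TYPES " in
            *" $t "*) ;;                          # acceptable label
            *) printf '%s %s\n' "$t" "$path" ;;   # needs relabeling
        esac
    done
}

# Constructed sample in the "context path" shape: two entries carry
# labels other than the ones assigned with semanage fcontext.
sample_listing() {
    cat <<'EOF'
system_u:object_r:httpd_sys_content_t:s0 /web
system_u:object_r:httpd_sys_content_t:s0 /web/index.html
unconfined_u:object_r:user_home_t:s0 /web/report.pdf
unconfined_u:object_r:public_content_t:s0 /web/pub/notes.txt
unconfined_u:object_r:default_t:s0 /web/new/page.html
EOF
}

# On an SELinux host with GNU find, feed it the real tree instead:
#   find /web -printf '%Z %p\n' | mislabeled
sample_listing | mislabeled
```

Any path it prints still has a label outside the allowed set; rerunning `restorecon -R -v` on the tree applies the context registered with `semanage fcontext`.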