I'm trying to let httpd write to a subdirectory of ~/public_html and I'm running into SELinux errors on Fedora 10. The error message directs me to "man httpd_selinux", which describes several context types. Of these, httpd_sys_content_rw_t sounds like what I want; however, chcon doesn't seem to know about it:
$ chcon -R httpd_sys_content_rw_t mydir
chcon: invalid context: httpd_sys_content_rw_t
And FWIW, the "Fix Command" offered by the SELinux error message ("setsebool -P httpd_unified=1") doesn't seem to help, either.
How do I need to massage SELinux to make this work?
On Friday 13 March 2009 04:10:46 Braden McDaniel wrote:
I'm trying to let httpd write to a subdirectory of ~/public_html and I'm running into SELinux errors on Fedora 10. The error message directs me to "man httpd_selinux", which describes several context types. Of these, httpd_sys_content_rw_t sounds like what I want; however, chcon doesn't seem to know about it:
$ chcon -R httpd_sys_content_rw_t mydir
chcon: invalid context: httpd_sys_content_rw_t
And FWIW, the "Fix Command" offered by the SELinux error message ("setsebool -P httpd_unified=1") doesn't seem to help, either.
How do I need to massage SELinux to make this work?
~#] ls -l
drwxrwxr-x amessina apache system_u:object_r:httpd_user_content_rw_t:s0 public_html
You need to allow apache basic user perms to write to that directory, and you need the httpd_user_content_rw_t:s0 context set on the public_html directory.
On Fri, 2009-03-13 at 05:10 -0400, Braden McDaniel wrote:
I'm trying to let httpd write to a subdirectory of ~/public_html and I'm running into SELinux errors on Fedora 10. The error message directs me to "man httpd_selinux", which describes several context types. Of these, httpd_sys_content_rw_t sounds like what I want; however, chcon doesn't seem to know about it:
$ chcon -R httpd_sys_content_rw_t mydir
chcon: invalid context: httpd_sys_content_rw_t
You would need to use the "-t" option to specify just the type without specifying a full security context. But you should be able to just run: restorecon -v mydir
And FWIW, the "Fix Command" offered by the SELinux error message ("setsebool -P httpd_unified=1") doesn't seem to help, either.
How do I need to massage SELinux to make this work?
On Fri, 2009-03-13 at 08:29 -0400, Stephen Smalley wrote:
On Fri, 2009-03-13 at 05:10 -0400, Braden McDaniel wrote:
I'm trying to let httpd write to a subdirectory of ~/public_html and I'm running into SELinux errors on Fedora 10. The error message directs me to "man httpd_selinux", which describes several context types. Of these, httpd_sys_content_rw_t sounds like what I want; however, chcon doesn't seem to know about it:
$ chcon -R httpd_sys_content_rw_t mydir
chcon: invalid context: httpd_sys_content_rw_t
You would need to use the "-t" option to specify just the type without specifying a full security context.
Aha.
But you should be able to just run: restorecon -v mydir
That makes the type "httpd_user_content_t", which doesn't let httpd write to the directory. Using "chcon -t" to change the type to httpd_user_content_rw_t does the trick, though. Thanks.
On Sat, Mar 14, 2009 at 02:45:43 -0400, Braden McDaniel braden@endoframe.com wrote:
That makes the type "httpd_user_content_t", which doesn't let httpd write to the directory. Using "chcon -t" to change the type to httpd_user_content_rw_t does the trick, though. Thanks.
You really want to use semanage to make the changes permanent. chcon is OK for quick tests, but if you don't use semanage, then restorecon won't know about the change and the next time that file gets checked during a relabel, it will get its context changed back again.
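An added example, not from any poster in this thread, that puts the last two replies together: the directory gets the httpd_user_content_rw_t type through a semanage file-context rule so that restorecon keeps it after a relabel, httpd's group gets the DAC write bit, and the resulting label is verified. The directory path, the "apache" group name and the sample ls -dZ line are assumed or constructed; it needs Fedora's targeted policy plus semanage/restorecon to actually run against a system.

```shell
#!/bin/sh
# Added example (not the thread's own commands): persistent rw labeling of a
# subdirectory under ~/public_html for httpd. Assumes the targeted policy
# provides httpd_user_content_rw_t; "apache" is a placeholder group name.

# Build the semanage file-context pattern covering a directory and everything under it.
fcontext_pattern() {
    # Drop a trailing slash so the "(/.*)?" suffix also matches the directory itself.
    printf '%s(/.*)?\n' "${1%/}"
}

# Pull the SELinux type out of an "ls -dZ" line, e.g.
#   drwxrwxr-x amessina apache system_u:object_r:httpd_user_content_rw_t:s0 mydir
# The context is the field containing ":object_r:"; the type is its third component.
selinux_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:object_r:/) { split($i, c, ":"); print c[3]; exit }
    }'
}

# DAC still applies on top of SELinux: httpd's group needs write permission.
grant_dac_write() {
    chgrp apache "$1" && chmod g+w "$1"
}

# Record the rule first, then let restorecon apply it. A bare "chcon -t" would
# work too, but only until the next relabel reverts it to httpd_user_content_t.
label_rw_persistent() {
    semanage fcontext -a -t httpd_user_content_rw_t "$(fcontext_pattern "$1")"
    restorecon -Rv "$1"
}

# Fails (non-zero) unless the directory now carries the read-write type.
check_rw_label() {
    [ "$(selinux_type_of "$(ls -dZ "$1")")" = httpd_user_content_rw_t ]
}

# Usage: ./label-rw.sh /home/amessina/public_html/mydir
if [ $# -gt 0 ]; then
    grant_dac_write "$1"
    label_rw_persistent "$1"
    check_rw_label "$1" && echo "ok: $1 is httpd_user_content_rw_t"
fi
```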