Another Apache problem

Daniel J Walsh dwalsh at redhat.com
Mon Apr 4 20:09:14 UTC 2005


David Hampton wrote:

>I noticed that I had "r_dir_file(httpd_t, httpdcontent)" in my
>domains/misc/local.te file so I removed it.  After I did this I started
>getting avc errors for all web access to my server.  Audit2allow says I
>need:
>
>allow httpd_t httpd_sys_content_t:dir { getattr search };
>allow httpd_t httpd_sys_content_t:file { getattr read };
>
>Poking through the policy sources, it appears that httpd_t no longer has
>permission to read files with the httpdcontent attribute.  Grep shows
>only this one place where httpd_t gets permission to read the content...
>
>./domains/program/apache.te:create_dir_file(httpd_t, httpdcontent)
>
>...but this line is protected by what looks like a four way conditional
>and doesn't appear to have any effect.  Would it make sense to add
>unconditional read access to httpd before checking/allowing write and
>execute access on the files?
>
>My system is an FC3 base running with Daniel Walsh's 1.23.6-1 strict
>policy.
>
>David
>
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>  
>
Do you have httpd_unified && httpd_enable_cgi && httpd_builtin_scripting 
turned on?

getsebool -a | grep httpd

setsebool -P httpd_enable_cgi=1 httpd_unified=1 httpd_builtin_scripting=1

will turn them on.



-- 
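As an added example (not part of the original thread), the check Daniel describes can be scripted: read `getsebool` output, look for the three booleans his reply names, and report which ones are not on, since the `create_dir_file(httpd_t, httpdcontent)` rule David found is gated behind them. The sample output below is constructed; the script assumes the `name --> active|inactive` format of FC3-era `getsebool` and also accepts the later `on|off` wording. It only runs against the live system if `getsebool` is installed.

```shell
#!/bin/sh
# Added example: decide whether the three httpd booleans that gate the
# httpdcontent read rule are all on, from "getsebool" style output.

# Constructed sample shaped like "getsebool -a | grep httpd" on an FC3 box.
SAMPLE_GETSEBOOL='httpd_builtin_scripting --> inactive
httpd_enable_cgi --> active
httpd_unified --> inactive'

# bool_state NAME OUTPUT -> prints the state word for NAME, or "unknown"
bool_state() {
    printf '%s\n' "$2" | awk -v n="$1" \
        '$1 == n { print $3; found = 1 } END { if (!found) print "unknown" }'
}

# bool_is_on STATE -> exit 0 for "active" (FC3) or "on" (newer getsebool)
bool_is_on() {
    [ "$1" = "active" ] || [ "$1" = "on" ]
}

# httpd_content_readable OUTPUT -> exit 0 if httpd_unified, httpd_enable_cgi
# and httpd_builtin_scripting are all on; otherwise list the others, exit 1.
httpd_content_readable() {
    out="$1"
    missing=""
    for b in httpd_unified httpd_enable_cgi httpd_builtin_scripting; do
        state=$(bool_state "$b" "$out")
        bool_is_on "$state" || missing="$missing $b=$state"
    done
    if [ -n "$missing" ]; then
        echo "httpd_t content access conditional not satisfied:$missing"
        return 1
    fi
    echo "all three httpd booleans are on"
    return 0
}

# Run against the constructed sample (two of three are off here).
httpd_content_readable "$SAMPLE_GETSEBOOL" || true

# Run against the live policy only where getsebool exists.
if command -v getsebool >/dev/null 2>&1; then
    httpd_content_readable "$(getsebool -a 2>/dev/null | grep '^httpd')" || true
fi
```

Paste the reported names into the `setsebool -P` line from the reply to turn on exactly the ones that are missing.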