Selinux permissions for aliased httpd directories

Daniel J Walsh dwalsh at redhat.com
Mon Jun 6 19:08:54 UTC 2005


Simon Andrews wrote:

> I'm trying to set up an alias within httpd to a set of directories 
> outside the normal document root.  I can set this up OK, but when I 
> try to access it I get selinux errors and a 403 forbidden response.
>
> Jun  2 15:59:42 server1 kernel: audit(1117724382.438:0): avc:  denied  
> { search } for  pid=4757 exe=/usr/sbin/httpd name=/ dev=sda9 ino=2 
> scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t 
> tclass=dir
> Jun  2 15:59:42 server1 kernel: audit(1117724382.438:0): avc:  denied  
> { getattr } for  pid=4757 exe=/usr/sbin/httpd path=/data dev=sda9 
> ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t 
> tclass=dir
>
> The directories I want to access are under /data/private/ and I tried 
> to permit this by using:
>
> chcon -R -t httpd_sys_content_t dirname/
>
> on static directories, and
>
> chcon -R -t httpd_sys_script_exec_t dirname/
>
> on cgi directories
>
>
> ...but I still get errors at the levels below that (/ and /data/).  I 
> don't really want all of these accessible, and I don't really want to 
> turn off selinux altogether.
>
> I'd therefore like either:
>
> 1) To find a way to not have httpd try to read / and /data (why is it 
> doing this anyway?  It doesn't seem to need this to get to /var/www)
>
> 2) A suitable change to the selinux policy to allow httpd to traverse 
> the lower level directories
>
> 3) I'd settle for a way to disable selinux altogether for the /data 
> partition (though I can't help feeling this is a bit of a cop out!)
>
> Cheers
>
> Simon.
>
file_t indicates that the file system has not been labeled.  Do a
restorecon -R -v /data

You might need to label /data as var_t.
