[OT] Deafening silence
Daniel J Walsh
dwalsh at redhat.com
Mon Mar 15 12:04:49 UTC 2010
On 03/15/2010 07:10 AM, Roger wrote:
>> well I've found the selinux list to be a much better place to get help
>> with selinux stuff than this list but I would expect that if you had put
>> drupal stuff into /var/www and made a soft link in /home to that
>> directory you would have not had any issues with selinux at all. If you
>> try to move the files now, I would suspect that they would have to be
>> relabeled since they probably have home contexts and not html contexts
>> (man restorecon) and that would have to be fixed. I think you can also
>> set a boolean operator to tell it that you are serving html pages from
>> users' home directories but I'm not sure from your description that you
>> actually have drupal in a user's folder.
>>
>> Craig
>>
> I have working installations of Drupal 6.16 and 7 in /var/www/html and
> seLinux objects
>
> latest is:
> SELinux has denied httpd access to potentially mislabeled file(s)
> (Eckankar.png). This means that SELinux will not allow httpd to use
> these files. It is common for users to edit files in their home
> directory or tmp directories and then move (mv) them to system
> directories. The problem is that the files end up with the wrong file
> context which confined applications are not allowed to access.
>
> but Drupal uses that image file so I don't take any notice.
>
> others are like:
> SELinux has denied the sendmail access to potentially mislabeled files
> /var/spool/clientmqueue. This means that SELinux will not allow httpd to
> use these files. Many third party apps install html files in directories
> that SELinux policy cannot predict. These directories have to be labeled
> with a file context which httpd can access.
>
> I installed a new copy of Drupal in /home/user/directory and set
> /etc/httpd/conf/httpd.conf to point to that directory but get denials.
>
> I have no understanding of contexts - it's another thing I have to get to
> grips with.
> Thanks
> Roger
>
SELinux is just about labeling. In a way permissions are just labels
also. Ownership and Permission Map could be thought of as a label.
Processes have a label of UID and files have labels of UID + Permission
Map. With SELinux, processes have a label (Security Context) and files
have a label (File Context). Then SELinux enforces rules about how
process Security Contexts interact with file Security Contexts.

This document explains what SELinux is trying to tell you.

http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

If you sent me your AVC messages (SELinux errors) I could help you get
rid of them.

ausearch -m avc -ts recent

is a command that tells the audit system to give you all of the recent
SELinux messages from the audit system.
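
The labeling idea and the ausearch command from the message above, as an added example that is not part of the original post: a small parser that reads raw AVC records and groups the denials by process label (scontext type) and file label (tcontext type). The sample records are constructed for illustration; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in `ausearch -m avc` raw format (pids, inodes, paths made up).
SAMPLE = '''\
type=AVC msg=audit(1268654689.101:201): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/home/user/directory/index.php" dev=dm-0 ino=4001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1268654689.105:202): avc:  denied  { read } for  pid=2101 comm="httpd" name="Eckankar.png" dev=dm-0 ino=4002 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1268654689.105:202): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1268654690.300:203): avc:  denied  { search } for  pid=2101 comm="httpd" name="user" dev=dm-0 ino=4000 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_context(ctx):
    """Split user:role:type[:level]; the level itself may contain colons."""
    return dict(zip(('user', 'role', 'type', 'level'), ctx.split(':', 3)))

def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not line.startswith('type=AVC') or not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return {
        'perms': m.group(1).split(),
        'comm': fields.get('comm'),
        'object': fields.get('path') or fields.get('name'),
        'source': parse_context(fields['scontext']),   # process label
        'target': parse_context(fields['tcontext']),   # file label
        'tclass': fields['tclass'],
    }

def summarize(text):
    """Group denials by (process type, file type, class) -> perms and objects."""
    groups = defaultdict(lambda: {'perms': set(), 'objects': set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec['source']['type'], rec['target']['type'], rec['tclass'])
            groups[key]['perms'].update(rec['perms'])
            groups[key]['objects'].add(rec['object'])
    return dict(groups)

if __name__ == '__main__':
    for (src, tgt, cls), info in summarize(SAMPLE).items():
        print(f"{src} -> {tgt} ({cls}): {sorted(info['perms'])} on {sorted(info['objects'])}")
```

A group whose file type is a home-directory type while the process type is httpd_t is the "potentially mislabeled file" case quoted above, which is where restorecon or a different file context comes in.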