Re: Making SELinux allow access to certain directories [SOLVED]


Marko Vojinovic wrote:
> On Monday 15 October 2007 19:24, Daniel J Walsh wrote:
>> Marko Vojinovic wrote:
>>> I am a newbie to SELinux, so would prefer not to create local policies
>>> etc. What should I do in order to allow access for a typical service to
>>> typical directory?
>> You need to change the labeling on /www
>>
>> Probably something like
>>
>> # semanage fcontext -a -t httpd_sys_content_t '/www(/.*)?'
>> # restorecon -R -v /www
>>
>> In order to allow httpd to read content in home directories
>> you need to turn on httpd_enable_homedirs
>>
>> setsebool -P httpd_enable_homedirs 1
> 
> Thanks! This works great! :-)
> 
> I was amazed to see the wealth of switches listed by getsebool -a once I found 
> out about it. Also when I discovered that your answer was actually in the 
> examples section of man semanage :-) ...
> 
> I am going to like SELinux once I get familiar with the ways to configure it.
> 
> Btw, what is the actual difference between targeted and strict policies? Why 
> are there two of them? I mean, if someone uses SELinux to make the system 
> more secure, why is there a distinction between "more secure" and "half more 
> secure"?
> 
> Thanks for the help! :-)
> 
> Best regards, :-)
> Marko
> 
> Marko Vojinovic
> Institute of Physics
> University of Belgrade
> ======================
> e-mail: vmarko@xxxxxxxxxxxx
> 
The main difference between strict and targeted in F6 and beyond and
RHEL5 is that strict confines userspace while targeted only confines
system space.

As of Fedora 8 strict policy no longer exists.  You can combine
unconfined users with confined users (xguest, guest).  This allows you to
have some thoroughly locked down users while running the trusted users
with full capability.
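
The file-context pattern in the semanage command quoted above, '/www(/.*)?', is a regular expression that SELinux matches against the whole path. The following is an added example, not part of the original messages: it imitates that whole-path matching with grep -E -x to show which paths that pattern labels compared with two other spellings. The function names, the two alternative patterns and the sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not from the thread. SELinux file-context
# specifications are regular expressions anchored at both ends of the
# path; grep -E -x reproduces that anchoring for these simple patterns.

# fc_matches PATTERN PATH -> exit status 0 if the whole PATH matches
fc_matches() {
    printf '%s\n' "$2" | grep -E -q -x -e "$1"
}

# fc_covered PATTERN PATH... -> prints the paths the pattern would label
fc_covered() {
    pattern=$1; shift
    out=
    for p in "$@"; do
        if fc_matches "$pattern" "$p"; then
            out="${out:+$out }$p"
        fi
    done
    printf '%s\n' "$out"
}

# Constructed sample paths: the content root, files below it, and two
# sibling trees that should NOT receive the web content type.
SAMPLE_PATHS="/www /www/index.html /www/app/img/logo.png /www-backup/db.sql /wwwroot/secret"

# Compare the pattern from the thread with a too-narrow and a too-broad one.
compare_patterns() {
    for pat in '/www(/.*)?' '/www/.*' '/www.*'; do
        # $SAMPLE_PATHS is left unquoted on purpose so it splits into words
        printf '%-12s -> %s\n' "$pat" "$(fc_covered "$pat" $SAMPLE_PATHS)"
    done
}

compare_patterns
```

'/www/.*' leaves the /www directory itself out of the rule, and '/www.*' also covers /www-backup and /wwwroot, which would hand the web server's content type to data it was never meant to read.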

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list