Re: How to set SELinux to allow apache-httpd only to access a particular user's content?


On 04/13/2011 01:00 PM, Varuna Seneviratna wrote:
> I tried to set the ServerRoot to a Directory in my home Directory. But
> when I tried to start httpd after setting ServerRoot and saving the
> httpd.conf file, SELinux reported the following
> 
>        SELinux is preventing /usr/sbin/httpd from search access on the
> directory /home/<Home Directory>.
> 
>          *****  Plugin catchall_boolean (47.5 confidence) suggests
> *******************
> 
>        If you want to allow httpd to read user content
>        Then you must tell SELinux about this by enabling the
> 'httpd_read_user_content' boolean.
>       Do
>      setsebool -P httpd_read_user_content 1
> 
> I want to know how to use setsebool to allow httpd to access only the
> content of a particular user?
> 
> The manual pages of setsebool(8) and getsebool(8) cannot be viewed;
> when I run the command man getsebool(8), the output is "-bash: syntax error
> near unexpected token `(' "
> 
> The SELinux FAQ at
> http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3128699
> is as follows
>       Q:
>         How do I enable/disable SELinux protection on specific daemons
> under the targeted policy?
>        A:
>            Use system-config-selinux, also known as the SELinux
> Administration graphical tool, to control the Boolean values of
> specific daemons. For example, if you need to disable SELinux for
> Apache to run correctly in your environment, you can disable the value
> in system-config-selinux. This change disables the transition to the
> policy defined in apache.te, allowing httpd to remain under regular
> Linux DAC security.
> The getsebool and setsebool commands can also be used, including on
> systems that do not have the system-config-selinux tool. Please refer
> to the manual pages for these commands: getsebool(8) and setsebool(8)
> for further details on their operation.
> 
> Varuna


Turn on httpd_enable_homedirs, then label the data in /home/BLAH as
httpd_sys_content_t.

# setsebool -P httpd_enable_homedirs 1
# semanage fcontext -a -t httpd_sys_content_t '/home/BLAH(/.*)?'
# restorecon -R -v /home/BLAH

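The three commands in the reply above, worked into a script as an added example (this is not code from the original message or from Fedora): it builds the semanage pattern for a single account name, applies the boolean and the file-context rule, and then checks with getsebool and matchpathcon that only the served tree carries httpd_sys_content_t while the rest of the home directory keeps its user_home_t label. The account name, the public_html sub-directory (pass an empty sub-directory to label the whole home directory, as the reply does) and the .bashrc probe path are assumptions. Unlike the httpd_read_user_content boolean that setroubleshoot suggested, which applies to every user's content, a file-context rule scoped to one directory leaves the other home directories unreadable to httpd.

```shell
#!/bin/bash
# Added example (not part of the original reply): apply the three steps from
# the message for one account and verify the result. The account name and the
# public_html sub-directory are assumptions; pass the path you actually serve.
set -eu

# Build the semanage(8) regex for one user's web tree. Only plain account
# names and sub-paths are accepted, so a metacharacter in the name cannot
# widen the match to other users' directories.
fcontext_pattern() {
    local user=$1 subdir=${2-public_html}
    case $user in
        ''|*[!A-Za-z0-9._-]*|-*|.*) return 1 ;;
    esac
    case $subdir in
        *[!A-Za-z0-9._/-]*|*..*|/*) return 1 ;;
    esac
    if [ -n "$subdir" ]; then
        printf '/home/%s/%s(/.*)?' "$user" "$subdir"
    else
        printf '/home/%s(/.*)?' "$user"     # whole home directory, as in the reply
    fi
}

# True when a getsebool(8) line such as "httpd_enable_homedirs --> on"
# reports the boolean as on.
bool_is_on() {
    case $1 in
        *' --> on') return 0 ;;
        *) return 1 ;;
    esac
}

# Print the type field of a context such as
# "system_u:object_r:httpd_sys_content_t:s0".
context_type() {
    printf '%s' "$1" | cut -d: -f3
}

# The privileged steps from the reply; the boolean is set with -P so it
# survives a reboot, and the fcontext rule (unlike chcon) survives a relabel.
apply_policy() {
    local user=$1 subdir=${2-public_html} pattern
    pattern=$(fcontext_pattern "$user" "$subdir") \
        || { echo "refusing unsafe name: $user / $subdir" >&2; return 1; }
    setsebool -P httpd_enable_homedirs 1
    semanage fcontext -a -t httpd_sys_content_t "$pattern"
    restorecon -R -v "/home/$user"
}

# Ask the policy (matchpathcon, not the live filesystem) what label the served
# tree gets, and confirm a file outside it is not exposed to httpd.
verify_policy() {
    local user=$1 subdir=${2-public_html} got
    bool_is_on "$(getsebool httpd_enable_homedirs)" \
        || { echo "httpd_enable_homedirs is off" >&2; return 1; }
    got=$(context_type "$(matchpathcon -n "/home/$user/${subdir:+$subdir/}index.html")")
    [ "$got" = httpd_sys_content_t ] \
        || { echo "served tree labelled $got, expected httpd_sys_content_t" >&2; return 1; }
    if [ -n "$subdir" ]; then
        got=$(context_type "$(matchpathcon -n "/home/$user/.bashrc")")   # assumed probe path
        [ "$got" != httpd_sys_content_t ] \
            || { echo "/home/$user/.bashrc would be readable by httpd" >&2; return 1; }
    fi
    echo "ok: httpd may read /home/$user/$subdir and nothing else under /home/$user"
}

case "${1:-}" in
    apply)  apply_policy  "$2" "${3-public_html}" ;;
    verify) verify_policy "$2" "${3-public_html}" ;;
esac
```

Run it as root, for example `./httpd-homedir.sh apply varuna` followed by `./httpd-homedir.sh verify varuna`. Because the verify step consults matchpathcon rather than the files themselves, it works before the content exists; once files are in place, `ls -Z /home/varuna/public_html` should show the same httpd_sys_content_t type.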
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
