Patrick O'Callaghan wrote:
> I've set up a simple web server for private use (though I will enable
> https access from outside the network), but I want some of the content
> to be outside the default /var/www/html tree. When I do this, I get
> file access errors when SElinux is enabled, but not when I set
> 'setenforcing=0'.
>
> I'd prefer to use SElinux as intended, so what do I need to do?
You should just need to set the proper file context for the
new location. The `semanage fcontext` command is what you'd
use. There are a few options:
semanage fcontext -a -t public_content_t "/var/httpd(/.*)?"
restorecon -F -R -v /var/httpd
or
semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
restorecon -R -v /web
The first is from semanage-fcontext(8) and the second is
from httpd_selinux(1) (in the selinux-policy-doc package)¹.
Either context should work. The `public_content_t` works
across some other services, so it's a little more generic
(plus it's shorter and clearer, at least to me). The
difference in path for those examples is inconsequential.
¹ Yes, if you knew what command to use, finding the manpage
would be the easy part. :)
The *_selinux man pages are pretty handy. A large number
of SELinux confined services have similar man pages.
They're generally a good starting point for finding out
how to manage and adjust the policy for a given service.
--
Todd
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
