Eric, I am clear with how AppArmor work and how to set them up correctly. What I do not have a clear picture is why this setting below still not allow any network to access this particular directory unless I have it define as ALLOW FROM ALL. ** This syntax and options will work **** <Directory "/srv/www/my-domain/images/"> Allow from all </Directory> ** This syntax and options will not allow any network to access ********* <Directory "/srv/www/my-domain/images/"> Options None Order deny,allow Deny from all Allow from 172.10.10.0/255.255.255.0 </Directory> ** However, if I use this syntax and options it will work or allow every network **** <Directory "/srv/www/my-domain/images/"> Allow from all </Directory> Thank you, Y ----- Original Message ----- From: "Eric Covener" <covener@xxxxxxxxx> To: users@xxxxxxxxxxxxxxxx Sent: Thursday, October 16, 2008 1:48:23 PM (GMT-0500) America/New_York Subject: Re: Apache directory access & Suse AppArmor On Wed, Oct 15, 2008 at 10:55 PM, Yoom Nguyen <yoom@xxxxxxxxxxxxxx> wrote: > Eric, > > I got most of what you described but there are still something unclear to me. > If I want the WHOLE directory /images to allow view by the OS (AppArmor) and deny view via the network by > every other network except net work 172.10.10.0/255.255.255.0 to read. > Only allow network 172.10.10.0/255.255.255.0 to view or access. > What are the syntax look like? Sorry, I can only speak to the Apache side of it, which looks fine. Of course if you configure your OS to make something unreadable, the apache access control is moot. > 2. From Appache configuration file, add the following lines: > > <Directory "/srv/www/my-domain/images/"> > Options None > Order deny,allow > Deny from all > Allow from 172.10.10.0/255.255.255.0 > </Directory> -- Eric Covener covener@xxxxxxxxx --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx