Karl DeBisschop wrote:
Here's the audit from /var/log/messages:
Apr 2 04:09:33 xxxxx kernel: audit(1080896972.999:0): avc: denied { getattr } for pid=1156 exe=/usr/sbin/httpd path=/var/www/manual/index.html dev=md0 ino=1473314 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=file
System is FC2 devel in enforcing mode, the only change I have made to
policies is to add myself as an administrative user.
File context problem.
I have modified the context in policy-1.9.2-9 to label everything under /var/www as content unless it is specified later
This is the patch; you will need to relabel after updating the policy files:
setfiles /etc/security/selinux/file_contexts /var/www
--- apache.fc.20040403 2004-03-31 15:52:27.000000000 -0500
+++ apache.fc 2004-04-03 01:37:24.360416240 -0500
@@ -1,12 +1,9 @@
# apache
HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t
-/var/www -d system_u:object_r:httpd_sys_content_t
-/var/www/html(/.*)? system_u:object_r:httpd_sys_content_t
-/var/www/mrtg(/.*)? system_u:object_r:httpd_sys_content_t
+/var/www(/.*)? system_u:object_r:httpd_sys_content_t
/var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
/usr/lib(64)?/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
/var/www/perl(/.*)? system_u:object_r:httpd_sys_script_exec_t
-/var/www/icons(/.*)? system_u:object_r:httpd_sys_content_t
/var/cache/httpd(/.*)? system_u:object_r:httpd_cache_t
/etc/httpd -d system_u:object_r:httpd_config_t
/etc/httpd/conf.* system_u:object_r:httpd_config_t
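Review bot: the new `/var/www(/.*)?` catch-all only behaves as described because setfiles lets a later matching entry override an earlier one, so the `/var/www/cgi-bin(/.*)?` and `/var/www/perl(/.*)?` lines must stay below it; if this hunk is merged into an apache.fc with a different ordering, scripts under cgi-bin would be relabeled httpd_sys_content_t and httpd would be denied executing them. Dropping the `/var/www -d` entry is fine, since `(/.*)?` is optional and the pattern also matches the directory itself, but it would help to say so in a comment, and to note that `/var/www/manual` (the path in the reported denial) is now covered.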
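To see why the ordering in the patched file matters, here is a small Python model of how setfiles chooses a label (an added example, not code from the policy package or from libselinux). It assumes the simplified rule that the last matching entry wins and that a `-d` entry matches only directories, and it uses constructed copies of the apache.fc lines before and after the patch, with the HOME_DIR macro line omitted.

```python
import re

# Constructed copies of the apache.fc entries from the patch (HOME_DIR line omitted).
ORIGINAL_APACHE_FC = """\
# apache
/var/www -d system_u:object_r:httpd_sys_content_t
/var/www/html(/.*)? system_u:object_r:httpd_sys_content_t
/var/www/mrtg(/.*)? system_u:object_r:httpd_sys_content_t
/var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
/var/www/perl(/.*)? system_u:object_r:httpd_sys_script_exec_t
/var/www/icons(/.*)? system_u:object_r:httpd_sys_content_t
"""

PATCHED_APACHE_FC = """\
# apache
/var/www(/.*)? system_u:object_r:httpd_sys_content_t
/var/www/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
/usr/lib(64)?/cgi-bin(/.*)? system_u:object_r:httpd_sys_script_exec_t
/var/www/perl(/.*)? system_u:object_r:httpd_sys_script_exec_t
/var/cache/httpd(/.*)? system_u:object_r:httpd_cache_t
/etc/httpd -d system_u:object_r:httpd_config_t
/etc/httpd/conf.* system_u:object_r:httpd_config_t
"""


def parse_file_contexts(text):
    """Parse 'regex [filetype] context' lines into (compiled regex, filetype, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, ctx = fields
        elif len(fields) == 2:
            (regex, ctx), ftype = fields, None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        specs.append((re.compile(regex), ftype, ctx))
    return specs


def label_for(specs, path, is_dir=False):
    """Return the context assigned by the LAST matching spec (simplified setfiles
    semantics, an assumption of this model), or None if no spec in this file matches."""
    result = None
    for regex, ftype, ctx in specs:
        if ftype == "-d" and not is_dir:   # directory-only entry
            continue
        if ftype == "--" and is_dir:       # regular-file-only entry
            continue
        if regex.fullmatch(path):          # file_contexts regexes are anchored
            result = ctx
    return result
```

With the original entries, `/var/www/manual/index.html` matches nothing in apache.fc, which is why it fell through to the generic var_t label in the denial above; with the patched entries it becomes httpd_sys_content_t while cgi-bin scripts keep httpd_sys_script_exec_t.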