On Wed, 2004-09-15 at 08:32, Cream[DONut] wrote:
> Hello,
>
> My problem is this:
> I host some small PHP & MySQL websites for friends and family, they have
> their VirtualHost DocumentRoot's in "/home/[name]/www" (and is working
> fine with SELinux disabled).
>
> I am running SELinux with SELINUX=enforcing, SELINUXTYPE=targeted.
>
> SELinux seems to be blocking httpd from accessing /home/name/www,
> at least when trying to start apache it complains:
> Starting httpd: Warning: DocumentRoot [/home/xxxxxx/www] does not exist
> Warning: DocumentRoot [/home/yyyyy/www] does not exist
> [FAILED]
>
> (The non virtualhost root in /var/www/html works fine, but if moved to
> /home/xxxxxx/www it fails)
>
> /etc/selinux/targeted/contexts/files/file_contexts contains:
> # apache
> /home/[^/]+/((www)|(web)|(public_html))(/.+)?
> system_u:object_r:httpd_user_content_t
>
> Which to me would seem to match the /home/[name]/www
> (I have tried upgrading to selinux-policy-targeted-1.17.12-1, but it
> didn't fix the problem)
>
> (I have the individual logfiles in /home/[name]/log, which probably
> presents another problem.)
>
> I don't quite understand the quirks of SELinux, so I'd certainly
> appreciate some direction.

audit2allow -v -d will generate allow rules from the audit messages
generated by any denials, or you can inspect dmesg output or
/var/log/messages directly for lines that have "avc: denied...".
ls -aZ /home/[name]/www will show you the current security contexts on
the directory and its files. One possible cause would be that the
filesystem type for /home doesn't support extended attributes (e.g. NFS)
and thus SELinux couldn't label /home/[name]/www with the expected type.

-- 
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
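
An added example, not part of the original message and not audit2allow's own code: a small summariser for the "avc: denied" lines the reply says to look for, grouping them by source type, target type and class. The function names and every value in the sample log (hosts, pids, inodes, timestamps, types) are constructed assumptions.

```shell
#!/bin/sh
# Group "avc: denied" lines by source type, target type and class, merging
# the denied permissions into one allow-style line per group.

# Constructed sample log lines (pids, inodes, timestamps and types invented).
sample_log() {
cat <<'EOF'
Sep 15 08:30:01 host kernel: audit(1095229801.100:0): avc:  denied  { search } for  pid=2101 exe=/usr/sbin/httpd name=xxxxxx dev=hda3 ino=4001 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Sep 15 08:30:01 host kernel: audit(1095229801.104:0): avc:  denied  { getattr } for  pid=2101 exe=/usr/sbin/httpd path=/home/xxxxxx dev=hda3 ino=4001 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Sep 15 08:30:01 host kernel: audit(1095229801.110:0): avc:  denied  { search } for  pid=2101 exe=/usr/sbin/httpd name=yyyyy dev=hda3 ino=4002 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Sep 15 08:30:02 host kernel: audit(1095229802.007:0): avc:  denied  { append } for  pid=2101 exe=/usr/sbin/httpd name=access_log dev=hda3 ino=4107 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
Sep 15 08:30:05 host httpd: httpd startup failed
EOF
}

summarise_avc() {   # reads log text on stdin
    awk '
    # the type is the third colon-separated field of user:role:type
    function ctx_type(field,   parts) {
        sub(/^[st]context=/, "", field)
        split(field, parts, ":")
        return parts[3]
    }
    /avc:[ ]+denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        if (match($0, /[{][^}]*[}]/))          # permissions sit inside { }
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) src = ctx_type($i)
            else if ($i ~ /^tcontext=/) tgt = ctx_type($i)
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
        }
        if (perms == "" || src == "" || tgt == "" || cls == "") next   # malformed line
        key = src " " tgt ":" cls
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) {      # record each permission once
                seen[key, p[j]] = 1
                merged[key] = merged[key] " " p[j]
            }
    }
    END { for (k in merged) print "allow " k " {" merged[k] " };" }
    ' | LC_ALL=C sort
}

sample_log | summarise_avc
```

The target type in each output line is the value to compare against the httpd_user_content_t type that the file_contexts entry expects and against what ls -aZ reports.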