Re: SELinux & apache/httpd access to /home/*/www

Cream[DONut] wrote:

Daniel J Walsh wrote:
> 1. In order to maintain the SELinux protection on Apache, you could
> change the context of the directrory and files you wish to share.
>    a chcon -t  -R httpd_user_content_t /home/*/www
>    b Then restart apache and try to access the pages.
>         service httpd restart

I assume you mean "chcon -R -t httpd_user_content_t /home/*/www", since the context you posted doesn't work. But it doesn't fix the problem; apache still can't, I still get "DocumentRoot [/home/xxxxxx/www] does not exist".

What are the AVC messages you are seeing in the /var/log/messages file?


ls -latZ /home/
drwxr-x---  xxxxxx   apache   system_u:object_r:user_home_dir_t xxxxxx

ls -latZ /home/xxxxxx
drwxr-xr-x  xxxxxx   xxxxxx   system_u:object_r:httpd_user_content_t www

I checked that the apache user could open the files, even in enforcing targeted mode

>
> 2.  You can disable SELinux protection for apache.
>      a. Run selinux-config-securitylevel and select the SELinux tab.
>      b. In the Modify SELinux Policy box, select the transitions list
> item and expand.
>      c. Check the Disable SELinux protection for httpd daemon line.
>      d. Click ok
>      e. Restart apache
>         service httpd restart

Do you mean system-config-securitylevel? Because I don't have any selinux-config-securitylevel, but my system-config-securitylevel doesn't display any SELinux related stuff. (I prefer to edit the configs in emacs; it seems to give me a better picture of how it works.)

Yes, system-config-securitylevel; you need to upgrade to a newer version.
But you can edit the booleans file in /etc/selinux/targeted/booleans if you like and add a boolean
http_disable_trans=1, then type "setsebool http_disable_trans 1". Stop and restart the http service.


Still not sure how to disable auditing of the httpd in targeted mode.



> 3.  Disable SELinux
>       a. Run selinux-config-securitylevel and select the SELinux tab.
>       b. UnClick Enabled
>       c. Click Ok
>       d. Reboot.

or SELINUX=disabled in /etc/selinux/config,
or selinux=0 in the boot config,
but I'd like to give SELinux a try. (At the moment targeted mode seems to be the right one for me.)


Get the AVC messages and we can get it working. audit2allow -i /var/log/messages



Stephen Smalley wrote:
> audit2allow -v -d will generate allow rules from the audit messages
> generated by any denials, or you can inspect dmesg output or
> /var/log/messages directly for lines that have "avc:  denied...".

I figured if I ran the system in strict & permissive mode, and then ran the system through the paces it would be expected to do in normal day operations, I would be able to build a good "seed file".

I haven't been able to find any page describing what to do with that file, but I'm guessing it should somehow be used in /etc/selinux/strict/src/policy.

(The system halts during booting if it's in strict & enforcing mode.)



> ls -aZ /home/[name]/www will show you the current security contexts on
> the directory and its files.

handy, thanks



> One possible cause would be that the filesystem type for /home doesn't
> support extended attributes (e.g. NFS) and thus SELinux couldn't label
> /home/[name]/www with the expected type.

/home is not NFS, it's ext3.


Thanks for taking the time to respond to my initial post. Kris
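As an added example (not part of the thread, and not Dan's or Kris's code), a POSIX shell function that does the legwork Dan asks for: pull the "avc: denied" lines out of a syslog-style file and collapse them into one line per distinct denial, showing the permission, source type, target type, object class and the name or path involved. The log lines below are constructed to resemble this thread's setup; the pids, inode numbers and the exact contexts are made up.

```shell
#!/bin/sh
# avc_summary [FILE...]: read syslog-style lines (or stdin), keep only SELinux
# AVC denials, and print "COUNT PERM SRC_TYPE TGT_TYPE CLASS OBJECT" per
# distinct denial. Everything else in the log (sshd, cron, ...) is ignored.
avc_summary() {
    awk '
    /avc:  denied/ {
        perm = ""; obj = ""; stype = ""; ttype = ""; tclass = ""
        # the permission list sits between "{ " and " }"
        if (match($0, /\{ [^}]* \}/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "name" || kv[1] == "path") { obj = kv[2]; gsub(/"/, "", obj) }
            else if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
            else if (kv[1] == "tclass")   tclass = kv[2]
        }
        count[perm " " stype " " ttype " " tclass " " obj]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort
}

# Constructed sample: two identical denials on the home directory itself, one
# on a file under www, and one unrelated sshd line that must be skipped.
SAMPLE_LOG='Jan  1 10:00:00 host kernel: audit(1104573600.001:12): avc:  denied  { search } for  pid=2001 comm="httpd" name="xxxxxx" dev=hda3 ino=1001 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Jan  1 10:00:00 host kernel: audit(1104573600.002:13): avc:  denied  { search } for  pid=2001 comm="httpd" name="xxxxxx" dev=hda3 ino=1001 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Jan  1 10:00:05 host kernel: audit(1104573605.000:14): avc:  denied  { getattr } for  pid=2002 comm="httpd" path="/home/xxxxxx/www/index.html" dev=hda3 ino=1002 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_user_content_t tclass=file
Jan  1 10:00:06 host sshd[500]: Accepted publickey for kris'

# Stand-alone run: summarize the constructed sample. On a real box you would
# run "avc_summary /var/log/messages" instead.
printf '%s\n' "$SAMPLE_LOG" | avc_summary
```

A summary line whose target type is the parent directory (here user_home_dir_t, class dir, permission search) points at the directory above the one that was relabeled, which is exactly the kind of detail that gets lost when only the DocumentRoot error is read.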

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list


