Stephen Smalley wrote:
On Fri, 2004-09-17 at 08:17, Cream[DONut] wrote:I also have it working fine. With the 1-17-17 policy, targeted and strict.
when starting httpd, it just fails, there are no AVC messages in /var/log, but for testing purpose I set DocumentRoot to the / root of the server, which worked, then i tried going to /home, which didnt work, I couldnt open /home/xxxxxx or /home/xxxxxx/www.
BTW, when you see no AVC messages but think that SELinux is the culprit, do a 'make enableaudit load' in the policy source directory and try again, and then do a 'make clean load' to revert. That is noted in the Fedora SELinux FAQ. Certain audit messages are explicitly suppressed by default using dontaudit rules in the policy to avoid filling the logs with noise, and the 'enableaudit' removes those rules to ensure that you see every denial.
DocumentRoot is /var/www/html
Attached the difference in httpd.conf to get it to work.
ls -laZ ~dwalsh/www/
drwx--x--x dwalsh dwalsh system_u:object_r:httpd_user_content_t .
drwxr-xr-x dwalsh dwalsh system_u:object_r:user_home_dir_t ..
-rw-r--r-- dwalsh dwalsh system_u:object_r:httpd_user_content_t hunts.html
--- httpd.conf~ 2004-09-08 06:20:13.000000000 -0400 +++ httpd.conf 2004-09-17 09:27:27.000000000 -0400 @@ -336,14 +336,14 @@ # of a username on the system (depending on home directory # permissions). # - UserDir disable + #UserDir disable # # To enable requests to /~user/ to serve the user's public_html # directory, remove the "UserDir disable" line above, and uncomment # the following line instead: # - #UserDir public_html + UserDir www </IfModule> @@ -351,18 +351,18 @@ # Control access to UserDir directories. The following is an example # for a site where these directories are restricted to read-only. # -#<Directory /home/*/public_html> -# AllowOverride FileInfo AuthConfig Limit -# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec -# <Limit GET POST OPTIONS> -# Order allow,deny -# Allow from all -# </Limit> -# <LimitExcept GET POST OPTIONS> -# Order deny,allow -# Deny from all -# </LimitExcept> -#</Directory> +<Directory /home/*/www> + AllowOverride FileInfo AuthConfig Limit + Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec + <Limit GET POST OPTIONS> + Order allow,deny + Allow from all + </Limit> + <LimitExcept GET POST OPTIONS> + Order deny,allow + Deny from all + </LimitExcept> +</Directory> # # DirectoryIndex: sets the file that Apache will serve if a directory