Thank you very much for your very helpful reply, Colin.

On Wed, Jan 19, 2005 at 09:48:30PM -0500, Colin Walters wrote:
> On Thu, 2005-01-20 at 11:23 +1100, Nick Urbanik wrote:
> > Dear Folks,
> >
> > I'm totally new to SELinux, and am quite confused on a number of
> > points.
> >
> > I took the plunge and enabled SELinux on this FC3 box.
> > Problem is with Apache.
>
> Have you read the Fedora Apache guide?

Thank you, yes, it is very helpful.

> http://fedora.redhat.com/docs/selinux-apache-fc3/
>
> It's slightly out of date but still informative, I think.

Thanks. I have finally got everything to work, and now will make it
work more securely.

> > I have symlinks pointing to my home
> > directory,
>
> This will cause a number of problems. Many programs are given the
> permissions 'getattr' and 'search' on user_home_dir_t:dir, so they can
> access the toplevel home directory but not necessarily anything
> contained in it. The ":dir" part here is important, as it means the
> permissions are restricted to directories with that type; symlinks are
> not allowed.
>
> I wonder why you're symlinking into /opt,

I have a 512 gigabyte 3ware RAID partition, and am using it for many
different purposes, and had used symlinks to access it. I'm changing it
to mount as you sensibly suggest.

> but assuming for now that's what you have to do, one solution might
> be to use bind mounts instead of symlinks:
>
> rm /home/nicku
> mkdir /home/nicku
> mount -obind /opt/nicku /home/nicku
>
> You can add the bind mount to /etc/fstab so it's done automatically.

That's a wonderful idea! The mount man page indicates that I can use

mount --move /opt/nicku /home/nicku

to achieve exactly what I wanted originally. Does that work well?

> Yeah; use misc/local.te instead, or the like. te files in program
> require a corresponding .fc file to be enabled.

Yes, I finally realised that's where it should go.
--
Nick Urbanik RHCE http://nicku.org nicku(at)nicku.org
Proud ex-member of Dept. of Information & Communications Technology in
Hong Kong IVE (Tsing Yi), Home of Visual Paradigm: Jolt Productivity
Award winner, programmed by ICT's own graduates!
GPG: 7FFA CDC7 5A77 0558 DC7A 790A 16DF EC5B BB9D 2C24 ID: BB9D2C24
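As an added example (not part of the thread, nor Fedora's own tooling), a small POSIX shell check for the failure mode Colin describes: it lists top-level entries under a home root that are symlinks, which the getattr/search rules on user_home_dir_t:dir do not cover, and emits the /etc/fstab line that replaces one such link with the bind mount he suggests. The home root, link names and targets are whatever the caller passes in; it assumes a `readlink` binary is available.

```shell
#!/bin/sh
# Audit a home root for top-level symlinks. SELinux policy grants many
# domains getattr/search on user_home_dir_t:dir, which applies to
# directories only; a symlink at /home/<user> is not covered by it.
#
# Usage:
#   symlinked_homes /home
#   bind_fstab_line /home nicku      # prints the fstab bind-mount line

# Print "name -> target" for every top-level entry of $1 that is a symlink.
# Prints nothing (and returns 0) when no symlinks are present.
symlinked_homes() {
    home_root=$1
    for entry in "$home_root"/*; do
        [ -L "$entry" ] || continue
        target=$(readlink "$entry")
        printf '%s -> %s\n' "$(basename "$entry")" "$target"
    done
}

# Emit the /etc/fstab entry that replaces symlink $1/$2 with a bind mount
# of its target, equivalent to "mount -obind <target> $1/$2".
# Returns 1 if $1/$2 is not a symlink (nothing to convert).
bind_fstab_line() {
    target=$(readlink "$1/$2") || return 1
    printf '%s %s/%s none bind 0 0\n' "$target" "$1" "$2"
}
```

After adding the fstab line, the old symlink must be removed and an empty directory created in its place (the `rm`/`mkdir` steps quoted above) before `mount -a` or a reboot will mount it.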