On Sun, 26 Jun 2005, James Z. Li wrote:

> On 6/25/05, Tom Diehl <tdiehl@xxxxxxxxxxxx> wrote:
> > Hi,
> >
> > I am trying to get Big Brother working on EL4. I have the following in
> > the httpd.conf
> >
> > Alias /bb /home/bb/bb/www
> >
> > With SELinux enabled I get the following in the logs when I try to access
> > the BB web page:
> >
> > Jun 25 18:44:24 pocono kernel: audit(1119739464.262:0): avc: denied { search } for pid=20700 comm=httpd name=bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
> > Jun 25 18:44:24 pocono kernel: audit(1119739464.262:0): avc: denied { getattr } for pid=20700 comm=httpd path=/home/bb/bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
> > Jun 25 18:44:27 pocono kernel: audit(1119739467.679:0): avc: denied { search } for pid=23158 comm=httpd name=bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
> > Jun 25 18:44:27 pocono kernel: audit(1119739467.679:0): avc: denied { getattr } for pid=23158 comm=httpd path=/home/bb/bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
> >
> > If I disable SELinux for apache, I can access the BB web pages just fine.
> >
> > I relabeled /home/bb/bb/www but I still get the errors.
> >
> > (pocono pts31) # ll -Z ~bb/bb/www
> > -rwxr-xr-x  bb  bb      root:object_r:httpd_sys_content_t  bb-ack.sh
> > -rwxr-xr-x  bb  bb      root:object_r:httpd_sys_content_t  bb-hist.sh
> > -rwxr-xr-x  bb  bb      root:object_r:httpd_sys_content_t  bb-histlog.sh
> > -rwxr-xr-x  bb  bb      root:object_r:httpd_sys_content_t  bb-hostsvc.sh
> > -rwxr-xr-x  bb  bb      root:object_r:httpd_sys_content_t  bb-rep.sh
> > -rwxr-xr-x  bb  bb      root:object_r:httpd_sys_content_t  bb-replog.sh
> > -rw-rw-r--  bb  bb      user_u:object_r:user_home_t        bb.html
> > -rw-rw-r--  bb  bb      user_u:object_r:user_home_t        bb2.html
> > drwxr-xr-x  bb  bb      root:object_r:httpd_sys_content_t  gifs
> > drwxr-xr-x  bb  bb      root:object_r:httpd_sys_content_t  help
> > drwxr-xr-x  bb  bb      root:object_r:httpd_sys_content_t  html
> > -rw-r--r--  bb  bb      root:object_r:httpd_sys_content_t  index.html
> > drwxr-xr-x  bb  bb      root:object_r:httpd_sys_content_t  newbldg
> > drwxr-xr-x  bb  bb      root:object_r:httpd_sys_content_t  notes
> > drwxrwxr-x  bb  apache  root:object_r:httpd_sys_content_t  rep
> > drwxr-xr-x  bb  bb      root:object_r:httpd_sys_content_t  reynolds
> > drwxr-xr-x  bb  bb      root:object_r:httpd_sys_content_t  rogueind
> > drwxr-xr-x  bb  bb      root:object_r:httpd_sys_content_t  routers
> > drwxr-xr-x  bb  bb      root:object_r:httpd_sys_content_t  xo
> > (pocono pts31) #
> >
> > I tried relabeling bb.html and bb2.html but they keep reverting to
> > user_u:object_r:user_home_t. I suspect this is my problem but I am new
> > to SELinux so I am not sure.
> >
> > Can someone suggest how to fix this??
>
> How did u relabel bb.html and bb2.html?
> Did you change the apache.fc file to label the files and dirs
> under /home/bb/bb/www, followed by "make load" and
> then "setfiles" / "restorecon"?

No, I did the following: "chcon -R -h -t httpd_sys_content_t www"
I also tried "chcon -t httpd_sys_content_t bb.html"

I do not seem to have an apache.fc file.

Regards,

Tom Diehl          tdiehl@xxxxxxxxxxxx
Spamtrap address   mtd123@xxxxxxxxxxxx
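
Added example, not part of the original thread: a small Python parser that groups the four AVC denials quoted above by target object (device and inode), showing that every one of them refers to the same directory, /home/bb/bb, labelled user_home_t. The function names (parse_avc, summarize) are this example's own; the log lines are copied from the message.

```python
import re
from collections import defaultdict

# The four denial lines quoted in the message above, verbatim.
SAMPLE_LOG = """\
Jun 25 18:44:24 pocono kernel: audit(1119739464.262:0): avc: denied { search } for pid=20700 comm=httpd name=bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
Jun 25 18:44:24 pocono kernel: audit(1119739464.262:0): avc: denied { getattr } for pid=20700 comm=httpd path=/home/bb/bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
Jun 25 18:44:27 pocono kernel: audit(1119739467.679:0): avc: denied { search } for pid=23158 comm=httpd name=bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
Jun 25 18:44:27 pocono kernel: audit(1119739467.679:0): avc: denied { getattr } for pid=23158 comm=httpd path=/home/bb/bb dev=dm-1 ino=6406600 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$")

def ctx_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in
           (kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)}
    rec["perms"] = m.group(1).split()
    rec["stype"] = ctx_type(rec.get("scontext", ""))
    rec["ttype"] = ctx_type(rec.get("tcontext", ""))
    return rec

def summarize(log_text):
    """Group denials by target object (dev, ino) and collect what was denied."""
    objects = defaultdict(lambda: {"perms": set(), "paths": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec.get("tclass"), rec.get("dev"), rec.get("ino"))
        entry = objects[key]
        entry["perms"].update(rec["perms"])
        # In these lines the search records carry name=, the getattr records path=.
        entry["paths"].add(rec.get("path") or rec.get("name"))
    return dict(objects)

if __name__ == "__main__":
    for (stype, ttype, tclass, dev, ino), e in summarize(SAMPLE_LOG).items():
        print(f"{stype} -> {ttype}:{tclass} dev={dev} ino={ino} "
              f"perms={sorted(e['perms'])} seen_as={sorted(e['paths'])}")
```
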