Hi,

I'm happy to set up /srv to be var_t for the time being.

Two questions:
1) if this isn't an ideal way of solving the problem is there a better way?
2) will whatever the solution becomes be merged into the policies that RHAS/Fedora/CentOS/etc. use?

Thanks,
Harry

--
Harry Hoffman
Integrated Portable Solutions, LLC
877.846.5927 ext 1000
http://www.ip-solutions.net/

Daniel J Walsh wrote:
> Stephen Smalley wrote:
>> On Sat, 2006-04-01 at 18:15 -0500, Harry Hoffman wrote:
>>
>>> Hi,
>>>
>>> apache.fc allows for webroot location to be under /srv but selinux
>>> currently stops apache from searching under /srv (at least this seems to
>>> be the case to me, but I'm fairly new to selinux).
>>>
>>> From: file_contexts/program/apache.fc
>>> /srv/([^/]*/)?www(/.*)? system_u:object_r:httpd_sys_content_t
>>>
>>> a ls -lZ of / shows:
>>> drwxr-xr-x root root system_u:object_r:default_t srv
>>>
>>> running audit2allow -i /var/log/messages shows:
>>> allow httpd_t default_t:dir search;
>>>
>>> adding a local.te policy with:
>>> allow httpd_t default_t:dir search;
>>>
>>> fixes the problem and allows httpd to start without issue.
>>>
>>
>> Better to put a different type on /srv, so that you don't have to expose
>> otherwise unspecified directories to searching by httpd.
>>
>>
> /srv should be labeled var_t. Not ideal but it would allow it to work.
>
> restorecon /src

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
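The two fixes discussed in this thread, compared in a small model; this is an added example, not code from any of the posters or from the SELinux policy. Only the `/srv/([^/]*/)?www(/.*)?` entry comes from the thread; the other table entries, the "last match wins" rule, the set of searchable types and the `/data/private` path are simplifying assumptions.

```python
import re
from pathlib import PurePosixPath

# Constructed, simplified file-context table: (anchored regex, type).
# Only the /srv/...www entry is quoted in the thread; the others are assumptions.
BASE_CONTEXTS = [
    (r"/.*", "default_t"),
    (r"/", "root_t"),
    (r"/var(/.*)?", "var_t"),
    (r"/srv/([^/]*/)?www(/.*)?", "httpd_sys_content_t"),
]
# Assumed set of directory types httpd_t may search before any local change.
BASE_SEARCHABLE = {"root_t", "var_t", "httpd_sys_content_t"}


def label_for(path, contexts):
    """Type of the last matching entry (simplified: later entries win)."""
    label = None
    for pattern, setype in contexts:
        if re.fullmatch(pattern, path):
            label = setype
    return label


def denied_searches(target, contexts, searchable):
    """Ancestor directories of target that httpd_t could not search."""
    parents = reversed(list(PurePosixPath(target).parents))
    return [(str(d), label_for(str(d), contexts)) for d in parents
            if label_for(str(d), contexts) not in searchable]


DOCROOT_FILE = "/srv/www/index.html"
UNRELATED = "/data/private/report.txt"  # constructed path with no specific entry

# As reported: /srv itself falls through to default_t and blocks traversal.
before = denied_searches(DOCROOT_FILE, BASE_CONTEXTS, BASE_SEARCHABLE)

# Fix A (local.te rule from the thread): allow httpd_t default_t:dir search.
fix_a = BASE_SEARCHABLE | {"default_t"}
# Fix B (relabel /srv as var_t): add a specific entry, leave the policy alone.
fix_b = BASE_CONTEXTS + [(r"/srv", "var_t")]

if __name__ == "__main__":
    print("before:", before)
    print("fix A, docroot:", denied_searches(DOCROOT_FILE, BASE_CONTEXTS, fix_a))
    print("fix A, unrelated:", denied_searches(UNRELATED, BASE_CONTEXTS, fix_a))
    print("fix B, docroot:", denied_searches(DOCROOT_FILE, fix_b, BASE_SEARCHABLE))
    print("fix B, unrelated:", denied_searches(UNRELATED, fix_b, BASE_SEARCHABLE))
```

Both fixes clear the denial on `/srv`, but only the relabel leaves the unrelated `default_t` directories unsearchable by httpd.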