Re: Allowing a apache to access a user folder by using semanage

Hi Jan

I'm trying to allow apache to read a user folder as follows:

% semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"

semanage doesn't update the labels of existing files. So you'll
need to run "restorecon -R /home/zopeuser/data" before this
will work.

I did what you suggested; however lots of messages like this appeared:

restorecon set context
/home/zopeuser/data/certs/demoCA/certs->system_u:object_r:httpd_t:s0
failed:'Permission denied'

Then I tried:
fixfiles restore

But again I got lots of errors like this:

/sbin/setfiles:  unable to relabel /home/zopeuser/data/certs/demoCA to
system_u:object_r:httpd_t:s0
/home/zopeuser/data/certs/demoCA/crl: Permission denied

Even this doesn't work:
% touch /.autorelabel
% reboot

But this is what I got in the message log after rebooting:

May 9 22:16:39 my_host kernel: audit(1178741787.823:58): avc: denied { relabelto } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir
May 9 22:16:39 my_host kernel: audit(1178741787.823:59): avc: denied { associate } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:object_r:httpd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
May 9 22:16:39 my_host kernel: audit(1178741787.834:60): avc: denied { read } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir
May 9 22:16:39 my_host kernel: audit(1178741787.834:61): avc: denied { search } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir

Till here I don't know what to do. Unfortunately most documentation
I found talks about using the "Security Level and Firewall" menu entry
from Gnome, but I don't have X nor do I want to install it.

Thanks for the reply anyway.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
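
An added example, not part of the original message or of any SELinux tool: a small Python parser that groups the four AVC denials quoted in the message by source type, target type and object class, and separately reports any label that was denied `associate` on a filesystem. The function names are assumptions made for this example; the sample records are copied from the message.

```python
import re
from collections import defaultdict

# The four denials quoted in the message above, one record per line.
SAMPLE = """\
May 9 22:16:39 my_host kernel: audit(1178741787.823:58): avc: denied { relabelto } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir
May 9 22:16:39 my_host kernel: audit(1178741787.823:59): avc: denied { associate } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:object_r:httpd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
May 9 22:16:39 my_host kernel: audit(1178741787.834:60): avc: denied { read } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir
May 9 22:16:39 my_host kernel: audit(1178741787.834:61): avc: denied { search } for pid=1368 comm="setfiles" name="data" dev=hda4 ino=2121605 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:httpd_t:s0 tclass=dir
"""

# One AVC denial: the permission set, then a run of key=value fields.
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+((?:\w+=\S+\s*)+)")


def parse_avc(text):
    """Yield one dict per denial; also works when records share a line."""
    for m in AVC_RE.finditer(text):
        rec = {k: v.strip('"') for k, v in
               (kv.split("=", 1) for kv in m.group(2).split())}
        rec["perms"] = m.group(1).split()
        # An SELinux context is user:role:type[:level]; the type is field 3.
        rec["stype"] = rec["scontext"].split(":")[2]
        rec["ttype"] = rec["tcontext"].split(":")[2]
        yield rec


def summarize(text):
    """Group denied permissions by (source type, target type, class)."""
    grouped = defaultdict(set)
    for rec in parse_avc(text):
        grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def labels_refused_by_fs(text):
    """Types denied 'associate' on a filesystem: the label itself was
    refused there, independent of which program tried to apply it."""
    return {rec["stype"] for rec in parse_avc(text)
            if rec["tclass"] == "filesystem" and "associate" in rec["perms"]}


if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE).items():
        print(f"{src} -> {tgt} [{cls}]: {' '.join(perms)}")
    print("refused as a file label:", sorted(labels_refused_by_fs(SAMPLE)))
```

In the reference policy `httpd_t` is the domain the Apache process runs in, not a type meant for files, which fits the `associate` denial this summary singles out.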
