On Wed, 2007-05-09 at 23:16 +0200, Josef Meile wrote:
> > Ok, then is httpd_sys_content_t the right one? I solve it as follows:
> >
> > semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
> > chcon -R -t httpd_sys_content_t /home/zopeuser/data
> >
> > It works now, but is it the correct way?
>
> A small correction there. It should be
> semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
> chcon -R -t httpd_sys_content_t /home/zopeuser
>
> If you don't give access to the user's root directory, then apache will
> still fail.

The semanage command should also use httpd_sys_content_t, and you should run restorecon -R /home/zopeuser/data after the semanage command rather than using chcon. semanage adds the entry to the system's file_contexts.local mapping, and restorecon then consults the system's file contexts files to determine the right context to apply.

Do you really want to allow apache to fully access the user's home directory? If you just want to allow search access so that it can traverse the user home directory to reach the data subdirectory, there should be a boolean (httpd_enable_homedirs) that you can enable.

--
Stephen Smalley
National Security Agency
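Added example, not part of the original message or of any SELinux tool: a simplified Python model of the path-to-context lookup the reply describes, showing which paths the "/home/zopeuser/data(/.*)?" entry covers and which type it maps them to. The sample entries, the test paths (including Data.fs) and all function names are constructed; the policy's own file_contexts, which restorecon also consults, are not modelled.

```python
import re

# Constructed entries in file_contexts.local layout: "<path regex>  <context>".
AS_POSTED = '/home/zopeuser/data(/.*)?    system_u:object_r:httpd_t:s0\n'
AS_ADVISED = '/home/zopeuser/data(/.*)?    system_u:object_r:httpd_sys_content_t:s0\n'

# Constructed sample paths.
PATHS = [
    '/home/zopeuser',
    '/home/zopeuser/data',
    '/home/zopeuser/data/Data.fs',
    '/home/zopeuser/database',
]

def parse_entries(text):
    """Return (compiled_regex, context) pairs, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        # An optional middle field (file type such as "-d") is ignored here.
        entries.append((re.compile(fields[0]), fields[-1]))
    return entries

def lookup(entries, path):
    """Context the mapping gives for path, or None if no entry covers it.

    Simplifying assumption: the regex must match the whole path and the
    last matching entry wins.
    """
    result = None
    for regex, context in entries:
        if regex.fullmatch(path):
            result = context
    return result

def type_of(context):
    """Type field (third of user:role:type:level), or None."""
    return context.split(':')[2] if context else None

def report(text, paths=PATHS):
    """Map each path to the type the local entries specify for it."""
    entries = parse_entries(text)
    return {p: type_of(lookup(entries, p)) for p in paths}

if __name__ == '__main__':
    for label, text in (('as posted', AS_POSTED), ('as advised', AS_ADVISED)):
        print(label, report(text))
```

In this model /home/zopeuser itself gets no label from the local entry, which is the gap the httpd_enable_homedirs question in the reply is about.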