Hi Stephen
Ok, then is httpd_sys_content_t the right one? I solved it as follows:
semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
chcon -R -t httpd_sys_content_t /home/zopeuser/data
It works now, but is it the correct way?
A small correction there. It should be
semanage fcontext -a -t httpd_t "/home/zopeuser/data(/.*)?"
chcon -R -t httpd_sys_content_t /home/zopeuser
If you don't give access to the user's root directory, then apache will
still fail.
The semanage command should also use httpd_sys_content_t, and you should
run restorecon -R /home/zopeuser/data after the semanage command rather
than using chcon. semanage adds the entry to the system's
file_contexts.local mapping, and restorecon then consults the system's
file contexts files to determine the right context to apply.
Yes, you are right. That's what Jan-Frode Myklebust pointed me to in a
previous post and that's what I finally did. It is working now.
Do you really want to allow apache to fully access the user's home
directory?
No, I don't. Finally I gave apache access to the /home/zopeuser folder
and full access to the /home/zopeuser/data as follows:
#Apache will be able to access the folder but not the files inside it
semanage fcontext -a -f -d -t httpd_sys_content_t "/home/zopeuser"
#Apache will be able to access all this folder, its files and subfolders
semanage fcontext -a -t httpd_sys_content_t "/home/zopeuser/data(/.*)?"
#apply changes
restorecon -R /home/zopeuser
> If you just want to allow search access so that it can
> traverse the user home directory to reach the data subdirectory, there
> should be a boolean (httpd_enable_homedirs) that you can enable.
I'm aware of that boolean and it seems to be the simplest solution;
however, I have other user folders, which I don't want apache to access,
so I opted for the semanage alternative.
Thanks and have a nice day
Josef
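
Added example (not part of the original messages): a simplified model of how restorecon picks a label from the two semanage entries in the thread, showing that the directory-only entry labels /home/zopeuser itself but not the other files inside it. The rule table format, the label_for helper, the "policy-default" placeholder and the sample paths are constructed for illustration, and "last matching rule wins" is a simplification of the real lookup.

```shell
#!/bin/sh
# Simplified model of a file-context lookup (constructed example).
# Rule format (assumption of this sketch): "<regex>|<filter>|<type>"
#   filter d = directories only, a = any file type.
# The two rules mirror the semanage entries from the thread.
RULES='/home/zopeuser|d|httpd_sys_content_t
/home/zopeuser/data(/.*)?|a|httpd_sys_content_t'

# label_for PATH KIND   (KIND: d = directory, f = regular file)
# Prints the type of the last matching rule, or "policy-default"
# (placeholder for whatever the base policy would assign).
label_for() {
    path=$1
    kind=$2
    result=policy-default
    while IFS='|' read -r regex filter type; do
        [ -n "$regex" ] || continue
        # Skip rules whose file-type filter excludes this kind of object.
        [ "$filter" = a ] || [ "$filter" = "$kind" ] || continue
        # File-context regexes must match the whole path, so anchor both ends.
        if printf '%s\n' "$path" | grep -Eq "^(${regex})\$"; then
            result=$type
        fi
    done <<EOF
$RULES
EOF
    printf '%s\n' "$result"
}

# Constructed sample paths, given as "<path> <kind>".
for sample in \
    "/home/zopeuser d" \
    "/home/zopeuser/.bashrc f" \
    "/home/zopeuser/data d" \
    "/home/zopeuser/data/index.html f" \
    "/home/zopeuser/database f" \
    "/home/otheruser d"
do
    set -- $sample
    printf '%-34s %s -> %s\n' "$1" "$2" "$(label_for "$1" "$2")"
done
```

On a real system, `matchpathcon <path>` reports the context the installed policy would assign, which can be compared with `ls -Zd <path>` after running restorecon.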