David Bartmess wrote:
> I’m trying to get apache to serve up via a CGI script the formatted
> contents of a directory outside of the DocumentRoot directory structure,
> and SELinux is giving me a “Permissions Denied” error.
> How can I modify the SELinux context on the files being shown to fix this?

I'm also a newbie at this, but what I did to fix something similar was bring up system-config-selinux and look at the configuration of files in the "correct" area, then I replicated that configuration on the place where I put my /var/www directory. (Because /var/www can grow so much larger than the rest of my /var, I put it outside of /var with a symlink.) The tool added my changes to the file

    /etc/selinux/targeted/contexts/files/file_contexts.local

Thus, to fix your problem, do something like:

    grep cgi /etc/selinux/targeted/contexts/files/file_contexts

This will show you all rules pertaining to directories that contain "cgi" in them and/or rules that contain "cgi" in them. From that shorter list of rules, you should be able to figure out how to craft a rule for the location where you put CGI files. You can manually add those to the file_contexts.local file (but I don't know if you then need to do something special to activate those changes) or you can use system-config-selinux, which is what I did. Then to make the changes in labeling occur, I:

    restorecon -r -v /path/to/directory/where/you/put/cgi

where you put your cgi. And remember that you need permissions the whole directory tree down, so if you put your cgi files in /opt/special/active/cgi then you need labeling on /opt and on /opt/special (and so on, all the way down) so that the programs in question can navigate all the way down from "/" to your cgi files. To figure out what is required, you can look at what labeling is done in the directories /var and /var/www (in file_contexts) and experiment a little.

I was able to figure out how to put /var/www successfully in a different location by doing this, but I don't really have any cgi scripts, so you have a slightly different situation. Good luck.

Eddie

--
Edward Kuns <ekuns@xxxxxxxxxxxxxxxx>

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
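
The approach described in the message above (copy the rules that cover the stock web tree onto the relocated tree, then check the label on every directory from "/" down), as an added example that is not part of the original message. The function names, the sample rules and the /opt/special/active target are assumptions made for illustration; the printed rules are for review before entering them through system-config-selinux.

```sh
#!/bin/sh
# Added example. SAMPLE_RULES is constructed data in the file_contexts
# layout: <path regex> [<file type>] <context>
SAMPLE_RULES='/var/www(/.*)?	system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?	system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/icons(/.*)?	system_u:object_r:httpd_sys_content_t:s0
/var/log/httpd(/.*)?	system_u:object_r:httpd_log_t:s0'

# mirror_rules OLD NEW: read file_contexts rules on stdin and print the
# same rules with the OLD path prefix replaced by NEW.
mirror_rules() {
    old=$1 new=$2
    awk -v old="$old" -v new="$new" '
        index($1, old) == 1 {
            rest = substr($1, length(old) + 1)
            c = substr(rest, 1, 1)
            # OLD must end on a path boundary, so /var/www2 is not matched
            if (rest != "" && c != "/" && c != "(") next
            # keep the optional file-type field (e.g. -d or --) if present
            print new rest (NF == 3 ? "\t" $2 : "") "\t" $NF
        }'
}

# path_chain DIR: print every directory from / down to DIR, one per line.
path_chain() {
    p=${1%/} chain=
    while [ -n "$p" ] && [ "$p" != "/" ]; do
        chain="$p
$chain"
        p=${p%/*}
    done
    printf '/\n%s' "$chain"
}

# show_labels DIR: list the SELinux context of each directory on the way
# down, so an unlabeled or mislabeled parent is visible at a glance.
show_labels() {
    path_chain "$1" | while read -r d; do ls -dZ "$d"; done
}

# Demonstration on the constructed rules; on a real system, pipe in
#   grep '^/var/www' /etc/selinux/targeted/contexts/files/file_contexts
printf '%s\n' "$SAMPLE_RULES" | mirror_rules /var/www /opt/special/active
```

After the rules are in place and restorecon has run, `show_labels /opt/special/active/cgi-bin` shows whether every parent directory carries a label the web server is allowed to traverse.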