Re: htpasswd file outside of standard Apache location

On Wed, 2011-06-29 at 18:57 +0200, Paul Menzel wrote:
> Dear SELinux folks,
> 
> 
> I am running Debian Squeeze with SELinux and Apache.
> 
> In Apache I configured a secured section using `AuthType Basic` with
> `AuthUserFile /srv/site.htpasswd`. It works when the state of the system
> is permissive. When in enforcing state the following error is logged.
> 
>         type=AVC msg=audit(1308090063.174:17742): avc:  denied  { getattr } for  pid=1412 comm="apache2" path="/srv/www/www.example.net/foo/bar.tar.gz" dev=xvda ino=425775 scontext=unconfined_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>         type=SYSCALL msg=audit(1308090063.174:17742): arch=c000003e syscall=6 success=no exit=-13 a0=7f9da985eb38 a1=7fff8da1e6f0 a2=7fff8da1e6f0 a3=1 items=0 ppid=29237 pid=1412 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="apache2" exe="/usr/lib/apache2/mpm-prefork/apache2" subj=unconfined_u:system_r:httpd_t:s0-s0:c0.c1023 key=(null)
> 
> Is there a recommended location for these password files or a
> recommended way what policies to set. Not being sure of the correct
> search term for this I found plenty of sites regarding SELinux and
> Apache but nothing related to my problem in the results. If you could
> point me to some specific documentation that would be great too.
> 
> 
> Thanks,
> 
> Paul

If you are using a different location for your web server then it is
best to clone the web server locations file contexts.

In Fedora the semanage command has a handy option to do this very
easily:

     # semanage fcontext -a -e /var/www /srv/www
     # restorecon -R -v /srv/www

This will clone all the file context specifications for /var/www and its
children to apply for /srv/www as well.

If Debian does not support this option then you would do it manually.

1. To list the file context specs for /var/www and its children:

     # semanage fcontext -l | grep /var/www

2. An example of how you would add a file context spec for /var/www:

     # semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"
     # restorecon -R -v /srv/www

(This is just one example)

The issue is that objects are labelled with contexts which include types
which are used for type enforcement. Each type has a set of properties
that matches the characteristics of the object in relation to the
subjects that need to interact with it.

So it is important that each object gets the proper context.
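
Added example, not part of the original message: a small Python parser for the AVC record quoted above, which reads off the denied permission, the source domain and the label on the target file. The function names and the `expected_type` default (taken from the `semanage` command in the reply) are assumptions of this example.

```python
import re
import shlex

# AVC record copied from the quoted message above (the SYSCALL line is not needed here).
AVC = ('type=AVC msg=audit(1308090063.174:17742): avc:  denied  { getattr } for  '
       'pid=1412 comm="apache2" path="/srv/www/www.example.net/foo/bar.tar.gz" '
       'dev=xvda ino=425775 scontext=unconfined_u:system_r:httpd_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file')

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # shlex keeps quoted values such as path="/a b" together and drops the quotes.
    fields = dict(tok.split('=', 1) for tok in shlex.split(m['rest']) if '=' in tok)
    rec = {'result': m['result'], 'perms': m['perms'].split(), **fields}
    for key in ('scontext', 'tcontext'):
        # user:role:type[:level]; the MLS level can contain ':' itself, so cap the split.
        user, role, typ, *level = fields[key].split(':', 3)
        rec[key] = {'user': user, 'role': role, 'type': typ,
                    'level': level[0] if level else None}
    return rec


def explain(rec, expected_type='httpd_sys_content_t'):
    """Summarise which domain was refused what, and flag an unexpected target label."""
    src, tgt = rec['scontext']['type'], rec['tcontext']['type']
    msg = (f"{src} {rec['result']} {','.join(rec['perms'])} on {rec['tclass']} "
           f"{rec.get('path', '?')} labelled {tgt}")
    if tgt != expected_type:
        msg += f" (expected {expected_type})"
    return msg


if __name__ == '__main__':
    print(explain(parse_avc(AVC)))
```

For the record in this thread, the output shows that the denied object is a file under /srv/www carrying the type user_home_t, which is the label the file context specification and `restorecon` in the reply would change.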
