On Wed, 30 May 2007, Jan Iven wrote:
On 05/30/2007 02:10 PM, Michael H. Semcheski wrote:
nota bene: I had to turn off selinux' monitoring httpd to get user
directories (i.e., www.this.edu/~mike)...
if you can label the user directories to be served (i.e. ext3 or
NFS-with-ACLs), you might want to just use
    setsebool -P httpd_enable_homedirs 1
    chcon -R -t httpd_sys_content_t ~user/public_html
(straight from "man httpd_selinux", albeit on SL4. Should also work on 5)
And if you can't label them, turning on use_nfs_home_dirs as well works if
the whole filesystem is nfs_t - which is also true for AFS (serving files from
AFS still requires a minor policy extension to work well though).
Still much better than running httpd without SELinux control.
- Stephan
Given that install-and-forget web scripts (CGI/PHP/..) seem to be a popular
infection vector nowadays..
--
Stephan Wiesand
DESY - DV -
Platanenallee 6
15738 Zeuthen, Germany
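
Added example, not part of the original messages: a shell check that applies the decision described in this thread (enable httpd_enable_homedirs, then either relabel public_html or, for an nfs_t filesystem, also enable use_nfs_home_dirs) and reports the next fix instead of switching off SELinux for httpd. The function names bool_on and userdir_check are hypothetical, and the sample inputs are constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example: pick which fix from the thread applies to a user directory.
# Inputs are text, so the logic can be tested without an SELinux host.

# bool_on BOOLS NAME -> exit 0 if NAME is enabled in `getsebool -a` style text.
# Both "on" and "active" are accepted as the enabled state.
bool_on() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $1 == n && $2 == "-->" && ($3 == "on" || $3 == "active") { found = 1 }
        END { exit !found }'
}

# userdir_check BOOLS CONTEXT -> prints OK or the single next fix to apply.
#   BOOLS:   output of `getsebool -a`
#   CONTEXT: SELinux context of ~user/public_html (user:role:type[:level])
userdir_check() {
    bools=$1
    ctype=$(printf '%s' "$2" | cut -d: -f3)   # third field is the type

    if ! bool_on "$bools" httpd_enable_homedirs; then
        echo "FIX: setsebool -P httpd_enable_homedirs 1"
        return 1
    fi
    case $ctype in
        httpd_sys_content_t)
            echo "OK"; return 0 ;;
        nfs_t)
            # Unlabelable filesystem: needs the second boolean as well.
            if bool_on "$bools" use_nfs_home_dirs; then
                echo "OK"; return 0
            fi
            echo "FIX: setsebool -P use_nfs_home_dirs 1"; return 1 ;;
        *)
            echo "FIX: chcon -R -t httpd_sys_content_t ~user/public_html"
            return 1 ;;
    esac
}

# Constructed sample: boolean enabled, directory still has a home-dir label.
SAMPLE_BOOLS='httpd_enable_homedirs --> on
use_nfs_home_dirs --> off'
userdir_check "$SAMPLE_BOOLS" 'user_u:object_r:user_home_t:s0' || true
```

On a live host the two arguments would come from `getsebool -a` and the context column of `ls -dZ ~user/public_html`.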