On 04/04/2012 01:05 AM, Mike Chan wrote:
> *From:* Tam Nguyen:
> Mike,
> the link provided some clues, but you got to put them together. For
> example, in your vhost configuration, you need to have this parameter,
> which is mentioned in the discussion:
> Options FollowSymLinks
> but that alone is not enough. If the original file is on your local
> server, then you need to validate its SELinux security context type to
> match your vhost's SELinux security context type.
> This is what you need:
> httpd_sys_content_t
>
> Hi Tam,
> I'm sorry the discussion in the link did not mention SELinux. How do I
> find this SELinux type? I am not familiar with SELinux.
Mike,
This depends on where your document root is for your vhost. If your html
files are in /var/www/html someplace then you should be OK with the
normal SELinux settings. If your html files are in
/home/yourname/public-html or some place like that you will need to
change the SELinux context for the directory tree that the html files
are in *and* you will need to set some SELinux booleans that give Apache
permission to see outside of /var/www.
A quick rundown on SELinux permissions:
An "SELinux context" is just like another type of file permission, but
it is more detailed. Normal Unix file permissions look like this (using
the command "ls -l"):
[ceverett@taco www]$ ls -l
drwxr-xr-x. 4 root root 4096 Mar 19 15:37 stat
drwxr-xr-x. 2 root root 4096 Apr 3 00:07 wsgi-sc
The "drwxr-xr-x" part is the normal permissions like you're probably
used to seeing already, along with the owner of the directories in my
/var/www directory.
SELinux contexts are additional permissions that act sort of like
permission zones. You can see them by using the "ls -Z" command:
[ceverett@taco www]$ ls -Z
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 stat
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 wsgi-sc
Now look at the difference between these permissions and a directory in
my home folder:
[ceverett@taco ~]$ ls -Z
drwxrwxr-x. ceverett ceverett unconfined_u:object_r:home_bin_t:s0 bin
drwxrwxr-x. ceverett ceverett unconfined_u:object_r:user_home_t:s0 Code
You see that there are a few different context types listed. This is the
kind of thing that must change for Apache to see into a place other than
/var/www.
To set Unix permissions you use the command "chmod", but to change
SELinux permissions you use the command "chcon".
I suggest reading "man chcon" a little to understand what is going on
before you just start going crazy chconning everything.
-z
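
The check described in this thread, as an added example that is not part of the original messages: it reads "ls -Z" output, picks out the type field of each SELinux context, and prints (without running) a chcon command for every entry whose type is not httpd_sys_content_t. The function names and the sample listing are constructed for illustration; the sample lines are copied from the listings above.

```shell
#!/bin/sh
# Added example: flag entries in `ls -Z` output whose SELinux type differs
# from the type Apache content needs. Nothing here changes any label.

WANT_TYPE="httpd_sys_content_t"

# Reads `ls -Z` lines on stdin; prints "name<TAB>type" for each entry whose
# type is not $1. The context field is found by its shape
# (user:role:type:level), so both the long listing shown in the thread and
# the short "context name" listing of newer coreutils are handled.
mislabeled() {
    awk -v want="$1" '
    {
        for (i = 1; i <= NF; i++) {
            n = split($i, c, ":")
            if (n >= 4 && c[2] ~ /_r$/) {
                # everything after the context field is the file name
                name = $(i + 1)
                for (j = i + 2; j <= NF; j++) name = name " " $j
                if (c[3] != want) printf "%s\t%s\n", name, c[3]
                next
            }
        }
    }'
}

# Prints the chcon command that would relabel each flagged entry.
# Names are relative to the directory that was listed.
suggest_fix() {
    mislabeled "$1" | while IFS="$(printf '\t')" read -r name type; do
        printf "chcon -R -t %s '%s'   # currently %s\n" "$1" "$name" "$type"
    done
}

# Constructed sample input, taken from the listings in the thread.
SAMPLE='drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 stat
drwxrwxr-x. ceverett ceverett unconfined_u:object_r:home_bin_t:s0 bin
drwxrwxr-x. ceverett ceverett unconfined_u:object_r:user_home_t:s0 Code'

printf '%s\n' "$SAMPLE" | suggest_fix "$WANT_TYPE"
```

Labels set with chcon are lost when the filesystem is relabeled or restorecon is run on the tree; recording the type with "semanage fcontext" and then applying it with restorecon keeps it in place.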