Re: httpd with symbolic links and selinux enabled
On 12/01/2009 11:47 PM, Tim wrote:
> On Tue, 2009-12-01 at 12:04 -0500, Daniel J Walsh wrote:
>> You need to fix the context to match that in public_html
>>
>> chcon -R -t httpd_user_content_t foo
>>
>> Would do it.
>
> If that's the problem (just SELinux preventing serving), you'd also
> have to keep re-changing the contexts, every time there was a SELinux
> relabel, and every time you created new files in that location.
>
> Or, set a policy rule so that files automatically get suitable
> contexts for those file locations.

Yes, that is true. I have also added a boolean to allow apache to read
all files in the homedir, httpd_read_user_content

setsebool -P httpd_read_user_content 1

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: httpd with symbolic links and selinux enabled
On 11/26/2009 03:54 AM, Justin Jereza wrote:
>> Have you configured Apache to follow symlinks?
>> http://localhost/manual/mod/core.html#options
>
> Yes, Apache follows symlinks. That's why http://localhost/~user/foo/ is
> accessible.
>
>> You also need appropriate file and directory permissions (world
>> readable files and directories, and directories need to be world
>> executable, too).
>
> All necessary permissions are set. Only directories inside ~/foo that
> contain symlinks are inaccessible. Remove the symlinks, and they become
> accessible. Also, http://localhost/~user/foo/bar/baz.html is accessible
> even though http://localhost/~user/foo/bar/ isn't. Finally, symlinks
> within ~/public_html itself work fine. So it seems that symlinks within
> symlinks are the only ones that give me trouble.
>
> Should have attached the following log messages earlier:
>
> Nov 26 16:49:26 adnix kernel: type=1400 audit(1259225366.816:11484): avc: denied { read } for pid=21208 comm=httpd name=index.html dev=dm-2 ino=5144788 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
> Nov 26 16:49:26 adnix kernel: type=1400 audit(1259225366.816:11485): avc: denied { getattr } for pid=21208 comm=httpd path=/home/justin/foo/bar/index.html dev=dm-2 ino=5144788 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file

You need to fix the context to match that in public_html

chcon -R -t httpd_user_content_t foo

Would do it.
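The two AVC lines Justin posted already contain the diagnosis: the subject is httpd_t, the target is still labelled user_home_t, and the object class is lnk_file, so it is the symlink ~/foo/bar/index.html itself that carries the wrong label (files and links created under ~/foo inherit the type of ~/foo, not of ~/public_html). The script below is an added example, not code from the thread or from Fedora: it parses those two lines with POSIX sh, sed and cut, flags denials of this shape, and prints the persistent form of Dan's chcon fix that Tim asked for, an fcontext rule plus restorecon, in the same regex style the default policy uses for public_html. It assumes semanage and restorecon are available on the target host; it runs nothing against the system itself, it only prints the commands.

```shell
#!/bin/sh
# Added example, not code from the thread: pull the fields out of SELinux AVC
# denials like the two Justin posted and derive the label fix Dan and Tim
# discussed. Needs only POSIX sh, sed and cut; it does not modify the system.

# The two audit lines are copied from Justin's message.
LINE1='Nov 26 16:49:26 adnix kernel: type=1400 audit(1259225366.816:11484): avc: denied { read } for pid=21208 comm=httpd name=index.html dev=dm-2 ino=5144788 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file'
LINE2='Nov 26 16:49:26 adnix kernel: type=1400 audit(1259225366.816:11485): avc: denied { getattr } for pid=21208 comm=httpd path=/home/justin/foo/bar/index.html dev=dm-2 ino=5144788 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file'

# avc_field LINE KEY: value of a "KEY=value" token, empty when absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: the denied permission(s) between the braces.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type component of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_httpd_home_denial LINE: true when httpd_t was denied access to an object
# still carrying the home-directory default label user_home_t.
is_httpd_home_denial() {
    [ "$(ctx_type "$(avc_field "$1" scontext)")" = httpd_t ] &&
    [ "$(ctx_type "$(avc_field "$1" tcontext)")" = user_home_t ]
}

# avc_summary LINE: one-line digest; falls back to name= when path= is absent.
avc_summary() {
    obj=$(avc_field "$1" path)
    [ -n "$obj" ] || obj=$(avc_field "$1" name)
    printf '%s %s on %s (%s) labelled %s\n' \
        "$(avc_field "$1" comm)" "$(avc_perm "$1")" "$obj" \
        "$(avc_field "$1" tclass)" "$(ctx_type "$(avc_field "$1" tcontext)")"
}

# suggest_fix PATH: the persistent alternative to chcon. A relabel resets
# chcon'd labels, and new files take the parent's type, so register an
# fcontext rule for the exported top-level directory (written for all home
# directories, like the stock public_html rule) and apply it with restorecon.
# Prints two commands; executes nothing. Fails for paths outside /home.
suggest_fix() {
    case "$1" in
        /home/*/*) ;;
        *) return 1 ;;
    esac
    rest=${1#/home/}        # justin/foo/bar/index.html
    user=${rest%%/*}        # justin
    rest=${rest#*/}         # foo/bar/index.html
    top=${rest%%/*}         # foo
    printf 'semanage fcontext -a -t httpd_user_content_t "/home/[^/]+/%s(/.*)?"\n' "$top"
    printf 'restorecon -Rv /home/%s/%s\n' "$user" "$top"
}

for line in "$LINE1" "$LINE2"; do
    avc_summary "$line"
    if is_httpd_home_denial "$line"; then
        p=$(avc_field "$line" path)
        if [ -n "$p" ]; then
            suggest_fix "$p"
        fi
    fi
done
```

After running the printed commands, `ls -Z ~/foo/bar` should show httpd_user_content_t on index.html, the symlink, as well as on baz.html; a lnk_file denial means the link's own label is what matters, which is also why `chcon` without `-h` (which follows the link) can leave the problem in place. The first denial line has no path= field, only name=, so the script only proposes a fix from the second line; on a real system `ausearch -m avc -c httpd` gives the full set.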
Re: httpd with symbolic links and selinux enabled
On Tue, 2009-12-01 at 12:04 -0500, Daniel J Walsh wrote:
> You need to fix the context to match that in public_html
>
> chcon -R -t httpd_user_content_t foo
>
> Would do it.

If that's the problem (just SELinux preventing serving), you'd also have
to keep re-changing the contexts, every time there was a SELinux relabel,
and every time you created new files in that location.

Or, set a policy rule so that files automatically get suitable contexts
for those file locations.

--
[...@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
Re: httpd with symbolic links and selinux enabled
On Thu, 2009-11-26 at 15:16 +0800, Justin Jereza wrote:
> I'm having trouble accessing symbolic links in userdirs through httpd
> with selinux enabled on Fedora 12.

Have you configured Apache to follow symlinks?
http://localhost/manual/mod/core.html#options

You also need appropriate file and directory permissions (world readable
files and directories, and directories need to be world executable, too).

--
[...@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
Re: httpd with symbolic links and selinux enabled
> Have you configured Apache to follow symlinks?
> http://localhost/manual/mod/core.html#options

Yes, Apache follows symlinks. That's why http://localhost/~user/foo/ is
accessible.

> You also need appropriate file and directory permissions (world
> readable files and directories, and directories need to be world
> executable, too).

All necessary permissions are set. Only directories inside ~/foo that
contain symlinks are inaccessible. Remove the symlinks, and they become
accessible. Also, http://localhost/~user/foo/bar/baz.html is accessible
even though http://localhost/~user/foo/bar/ isn't. Finally, symlinks
within ~/public_html itself work fine. So it seems that symlinks within
symlinks are the only ones that give me trouble.

Should have attached the following log messages earlier:

Nov 26 16:49:26 adnix kernel: type=1400 audit(1259225366.816:11484): avc: denied { read } for pid=21208 comm=httpd name=index.html dev=dm-2 ino=5144788 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file
Nov 26 16:49:26 adnix kernel: type=1400 audit(1259225366.816:11485): avc: denied { getattr } for pid=21208 comm=httpd path=/home/justin/foo/bar/index.html dev=dm-2 ino=5144788 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=lnk_file

--
Justin Jereza
LPIC-1
httpd with symbolic links and selinux enabled
Hello.

I'm having trouble accessing symbolic links in userdirs through httpd
with selinux enabled on Fedora 12. The following duplicates my situation:

* Enable userdirs in /etc/httpd/conf/httpd.conf

# setsebool -P httpd_enable_homedirs on
# setsebool -P httpd_read_user_content on

~$ mkdir -p public_html foo/bar
~$ cd public_html
~/public_html$ ln -s ../foo
~/public_html$ cd ../foo/bar
~/foo/bar$ echo "<h1>Test</h1>" > baz.html
~/foo/bar$ ln -s baz.html index.html

http://localhost/~user/foo/ is accessible, http://localhost/~user/foo/bar/
is not. How can I make this work?

Thanks.

--
Justin Jereza
LPIC-1