/usr/sbin/semanage fcontext -a -t httpd_sys_content_t '/home/httpd(/.*)?'
restorecon -R -v /home/httpd
That should fix your problem.
The first line tells the policy that all files under /home/httpd and the directory itself
should be labeled with httpd_sys_content_t. This will allow httpd access to it. The second
then relabels all of the files under that point so they are correct. Something to take note
of: if there is a more explicit labeling rule on a file, for instance /home/httpd/foo, the above
line won't override it. So if you have a cgi directory under that point you can do something
along the lines of
/usr/sbin/semanage fcontext -a -t httpd_sys_script_exec_t '/home/httpd/cgi(/.*)?'
It will label everything under that with httpd_sys_script_exec_t and everything else will match
the first rule above. I might be wrong with the syntax on the regex but you get the idea. The more
explicit the path the more authoritative it is.
If you have any more problems feel free to email the fedora-selinux list and I'm sure you will
get a quick answer to your question and a solution to whatever problem you are having.
Change is good when it brings worthy improvements, like security
Posted Jul 15, 2008 22:15 UTC (Tue) by dpquigl (subscriber, #52852)
I also found on Dan Walsh's blog that there is a GUI for doing this as well.
"You can see similar functionality in system-config-selinux by selecting the 'File Labeling'
list item and then clicking on the 'Customized' button."
Change is good when it brings worthy improvements, like security
Posted Jul 17, 2008 3:45 UTC (Thu) by mrshiny (subscriber, #4266)
Thanks for the tip. I had already gone down this road with the GUI tool and found that
something didn't work properly and my attempts at manually setting this stuff failed. I
eventually gave up and moved my doc root or just manually changed the context... I forget. I
think I manually changed the context and I expect it to fail if the whole system gets
re-labelled.
It would be much easier for a sysadmin to be able to specify the document root in the Apache
config file and have an SELinux-aware tool say "gee, looks like you'll need to add these
SELinux rules... proceed? Y/N". But at least much progress has been made with these tools
compared to Fedora 2.
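
Added example, not part of the thread and not code from any of the posters or from Fedora: a shell sketch of the kind of helper described in the last comment, which reads DocumentRoot and ScriptAlias from an Apache config and prints the semanage/restorecon commands from the first comment without running them. The function names and the sample config are constructed for illustration; it assumes one directive per line and paths without whitespace.

```shell
#!/bin/sh
# Constructed sample httpd.conf fragment (not from the thread).
SAMPLE_CONF='# constructed sample
DocumentRoot "/home/httpd"
ScriptAlias /cgi-bin/ "/home/httpd/cgi/"
'

# Escape regex metacharacters so a path is matched literally in the
# file-context regular expression (e.g. the dot in "www.example").
fc_escape() {
    printf '%s\n' "$1" | sed 's/[][*.+?(){}|^$]/\\&/g'
}

# conf_paths CONFIG_TEXT DIRECTIVE ARGNUM
# Print argument ARGNUM of every DIRECTIVE line, with quotes and a
# trailing slash removed. Comment lines are skipped.
conf_paths() {
    printf '%s\n' "$1" | awk -v d="$2" -v n="$3" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(d) {
            p = $(n + 1); gsub(/"/, "", p); sub(/\/$/, "", p); print p
        }'
}

# gen_rules CONFIG_TEXT
# The broad content rule is printed first and the script rule after it,
# so the rule for the cgi directory is the last one added.
gen_rules() {
    conf_paths "$1" DocumentRoot 1 | while IFS= read -r p; do
        printf "semanage fcontext -a -t httpd_sys_content_t '%s(/.*)?'\n" \
            "$(fc_escape "$p")"
    done
    conf_paths "$1" ScriptAlias 2 | while IFS= read -r p; do
        printf "semanage fcontext -a -t httpd_sys_script_exec_t '%s(/.*)?'\n" \
            "$(fc_escape "$p")"
    done
    # Relabel every directory that received a rule.
    { conf_paths "$1" DocumentRoot 1; conf_paths "$1" ScriptAlias 2; } |
    while IFS= read -r p; do
        printf 'restorecon -R -v %s\n' "$p"
    done
}

# Print the proposed commands for review; nothing is executed.
gen_rules "$SAMPLE_CONF"
```

Review the printed commands before running them as root; `semanage fcontext -l -C` lists the local customizations afterwards.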