On Tue, 2005-02-08 at 13:33 +0000, D. D. Brierton wrote:
Okay, it seems it's SELinux related. I'm currently reading my way through
http://fedora.redhat.com/docs/selinux-apache-fc3/
but if anyone has some advice I'd be grateful. Thanks!
One problem is that it seems that most of the files in my /home partition don't have *any* SELinux security context, only newly created files do.
Furthermore, the document above says that files in my home directory should have type "user_home_t", whereas in fact all of the newly created files in my home directory which do have a security context just have type "file_t". Sigh. I'm confused. This is a bit of a baptism by fire -- all I wanted to do was get on with my work and instead I've spent the morning learning about SELinux.
I tried to use restorecon, but it segfaults:
$ /sbin/restorecon -R -v /home/darren
/sbin/restorecon reset context /home/darren:->system_u:object_r:user_home_dir_t
Segmentation fault
I need to use either
chcon -R -t httpd_sys_content_t public_html
or
chcon -R -t httpd_user_content_t public_html
I think, so that Apache can access the DocumentRoots of my VirtualHosts (they're all in ~/public_html/), but when I try either I get:
chcon: can't apply partial context to unlabeled file public_html/
which I take to mean that I also need to supply values for -u and -r, but I don't know what values I should be using.
I'd really appreciate some help!
This is really strange. You shouldn't be getting segfaults, and public_html should be assigned the correct label when created.
Are you using targeted or strict policy? In both cases, check if you have the latest RPM installed (selinux-policy-targeted or selinux-policy-strict, depending on which policy you are using). I remember that after upgrading selinux-policy-targeted I had to relabel everything on the system (I was getting some strange errors on some parts of the file system, so instead of hunting file by file for what needs to be relabeled, I relabeled everything). Who knows, maybe you are experiencing something similar. The easiest way to do that is:
# touch /.autorelabel
# reboot
During boot, SELinux will be temporarily disabled, all files assigned correct labels, and then SELinux will be re-enabled. The /.autorelabel will be automatically removed after relabeling is done. If you have only a basic, minimalistic system installed, it will be relatively fast. If you installed a bunch of files, or have a huge /home, it may take a while to finish.
-- 
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
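
Added example, not part of either message above: a small audit script that separates the two conditions described in the thread (files with no security context at all, and files still carrying the default type file_t) so the scope of a relabel is known before touching /.autorelabel. The function names and the sample listing are constructed for illustration; it assumes GNU stat, whose %C format prints the SELinux context or "?" when none is available.

```shell
#!/bin/sh
# Added example: report files whose SELinux label is missing or still the
# default type. Function names and sample data are constructed.

# classify_context CONTEXT -> prints unlabeled | default | labeled
# CONTEXT is what `stat -c %C` prints: user:role:type[:level], or "?".
classify_context() {
    case $1 in
        ''|'?') echo unlabeled; return 0 ;;
    esac
    # The type is the third colon-separated field; -s yields an empty
    # result for strings that contain no colon at all.
    ctx_type=$(printf '%s\n' "$1" | cut -s -d: -f3)
    case $ctx_type in
        '')                 echo unlabeled ;;  # no usable type field
        file_t|unlabeled_t) echo default ;;    # never labeled by policy
        *)                  echo labeled ;;
    esac
}

# needs_relabel: reads "CONTEXT PATH" lines on stdin and prints
# "STATUS PATH" for every entry that is not properly labeled.
needs_relabel() {
    while read -r ctx path; do
        status=$(classify_context "$ctx")
        [ "$status" = labeled ] || printf '%s %s\n' "$status" "$path"
    done
}

# audit_tree DIR: run the check over a real directory tree.
# Paths containing newlines are not handled.
audit_tree() {
    find "$1" -exec stat -c '%C %n' {} + 2>/dev/null | needs_relabel
}

# Constructed sample in the same "CONTEXT PATH" shape, for offline use.
sample_listing() {
    cat <<'EOF'
system_u:object_r:user_home_dir_t /home/darren
system_u:object_r:file_t /home/darren/notes.txt
? /home/darren/public_html
user_u:object_r:user_home_t /home/darren/.bashrc
EOF
}

# With a directory argument, audit it; otherwise only define the functions.
if [ $# -gt 0 ]; then audit_tree "$1"; fi
```

Entries reported as unlabeled are the ones where `chcon -t` alone fails with the "partial context" error quoted above; `restorecon -n -v -R DIR` shows what a relabel would change without changing anything.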