Simon Andrews wrote:
I'm trying to set up an alias within httpd to a set of directories
outside the normal document root. I can set this up OK, but when I
try to access it I get selinux errors and a 403 forbidden response.
Jun 2 15:59:42 server1 kernel: audit(1117724382.438:0): avc: denied
{ search } for pid=4757 exe=/usr/sbin/httpd name=/ dev=sda9 ino=2
scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t
tclass=dir
Jun 2 15:59:42 server1 kernel: audit(1117724382.438:0): avc: denied
{ getattr } for pid=4757 exe=/usr/sbin/httpd path=/data dev=sda9
ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t
tclass=dir
The directories I want to access are under /data/private/ and I tried
to permit this by using:
chcon -R -t httpd_sys_content_t dirname/
on static directories, and
chcon -R -t httpd_sys_script_exec_t dirname/
on cgi directories
...but I still get errors at the levels below that (/ and /data/). I
don't really want all of these accessible, and I don't really want to
turn off selinux altogether.
I'd therefore like either:
1) To find a way to not have httpd try to read / and /data (why is it
doing this anyway? It doesn't seem to need this to get to /var/www)
2) A suitable change to the selinux policy to allow httpd to traverse
the lower level directories
3) I'd settle for a way to disable selinux altogether for the /data
partition (though I can't help feeling this is a bit of a cop out!)
Cheers
Simon.
file_t indicates that the file system has not been labeled. Do a
restorecon -R -v /data
You might need to label /data as var_t.
--
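As an added example (not part of this thread, and not a tool from the SELinux or httpd projects), the Python below parses AVC denial lines in the kernel audit format shown above, groups the denied permissions by source type and target path, and flags the file_t target type that the reply identifies as "never labeled". The sample input is the thread's own two denials re-joined onto single lines (syslog wrapped them); the hint texts and the function names are my own.

```python
import re
from collections import defaultdict

# Sample input: the two AVC denials quoted in the thread, each re-joined
# onto a single line (the mail client wrapped them). Field order and values
# are as logged; only the line breaks were removed.
SAMPLE_LOG = """\
Jun 2 15:59:42 server1 kernel: audit(1117724382.438:0): avc: denied { search } for pid=4757 exe=/usr/sbin/httpd name=/ dev=sda9 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
Jun 2 15:59:42 server1 kernel: audit(1117724382.438:0): avc: denied { getattr } for pid=4757 exe=/usr/sbin/httpd path=/data dev=sda9 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
"""

# "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Types that mean "this inode has no label from the policy's file_contexts".
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def _type_of(context):
    """Return the type field (third component) of a user:role:type[:level] context."""
    if not context:
        return None
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else None


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    rec = {
        "perms": m.group("perms").split(),
        "pid": fields.get("pid"),
        "exe": fields.get("exe"),
        # Older kernels log 'name=' for the last path component, newer ones 'path='.
        "target": fields.get("path") or fields.get("name"),
        "dev": fields.get("dev"),
        "ino": fields.get("ino"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
    }
    rec["source_type"] = _type_of(rec["scontext"])
    rec["target_type"] = _type_of(rec["tcontext"])
    return rec


def diagnose(rec):
    """Return human-readable hints about what a denial record means for the admin."""
    hints = []
    if rec["target_type"] in UNLABELED_TYPES:
        hints.append(
            f"{rec['target']} has type {rec['target_type']}: the filesystem was never "
            f"labeled, so the fix is to relabel it (restorecon -R -v {rec['target']}), "
            "not to widen the httpd policy"
        )
    if rec["tclass"] == "dir" and "search" in rec["perms"]:
        hints.append(
            "'search' on a dir is the traversal permission checked on every ancestor "
            "of a served path, which is why / and /data are hit even though only "
            "/data/private is exported"
        )
    return hints


def summarize(log_text):
    """Group denied permissions by (source type, target, target type)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target"], rec["target_type"])
            denials[key].update(rec["perms"])
    return {k: sorted(v) for k, v in denials.items()}


if __name__ == "__main__":
    for key, perms in summarize(SAMPLE_LOG).items():
        print(key, perms)
    for line in SAMPLE_LOG.splitlines():
        for hint in diagnose(parse_avc(line)):
            print(" -", hint)
```

Running it against the sample prints both denials as httpd_t acting on file_t directories and emits the relabel hint, which matches the reply's advice: a file_t target means the path is unlabeled rather than mislabeled, so restorecon is the first step. Note that chcon changes only the on-disk label and are lost on a full relabel; to make a non-default type such as httpd_sys_content_t stick under /data/private, record it with semanage fcontext and then run restorecon.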