Re: Making SELinux allow access to certain directories [SOLVED]


Marko Vojinovic wrote:
> On Monday 15 October 2007 19:24, Daniel J Walsh wrote:
>> Marko Vojinovic wrote:
>>> I am a newbie to SELinux, so would prefer not to create local policies
>>> etc. What should I do in order to allow access for a typical service to
>>> typical directory?
>> You need to change the labeling on /www
>>
>> Probably something like
>>
>> # semanage fcontext -a -t httpd_sys_content_t '/www(/.*)?'
>> # restorecon -R -v /www
>>
>> In order to allow httpd to read content in home directories
>> you need to turn on httpd_enable_homedirs
>>
>> setsebool -P httpd_enable_homedirs 1
> 
> Thanks! This works great! :-)
> 
> I was amazed to see the wealth of switches listed by getsebool -a once I found 
> out about it. Also when I discovered that your answer was actually in 
> examples section of man semanage :-) ...
> 
> I am going to like SELinux once I get familiar with the ways to configure it.
> 
> Btw, what is the actual difference between targeted and strict policies? Why 
> are there two of them? I mean, if someone uses SELinux to make the system 
> more secure, why is there a distinction between "more secure" and "half more 
> secure"?
> 
> Thanks for the help! :-)
> 
> Best regards, :-)
> Marko
> 
> Marko Vojinovic
> Institute of Physics
> University of Belgrade
> ======================
> e-mail: vmarko@xxxxxxxxxxxx
> 
The main difference between strict and targeted in F6 and beyond and
RHEL5 is that strict confines userspace while targeted only confines
system space.

As of Fedora 8 strict policy no longer exists.  You can combine
unconfined users with confined users (xguest, guest).  This allows you to
have some thoroughly locked down users while running the trusted users
as full capability.
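
A follow-up check for the relabel described in this thread, added here as an example and not part of the original messages: it models how the `/www(/.*)?` file-context pattern is matched against the whole path and lists covered paths whose type is not `httpd_sys_content_t`. The function names and the sample label lines are constructed; the input format assumed is that of `stat -c '%C %n'`.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample data are constructed.

# File-context patterns are matched against the whole path (implicitly anchored),
# so '/www(/.*)?' covers /www and everything below it, but not /wwwroot.
FCONTEXT_RE='/www(/.*)?'
WANT_TYPE='httpd_sys_content_t'

# covered_by_pattern PATH -> exit status 0 if the anchored pattern matches PATH
covered_by_pattern() {
    printf '%s\n' "$1" | grep -Eq "^${FCONTEXT_RE}\$"
}

# context_type CONTEXT -> prints the type field of user:role:type[:level]
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# mislabeled: reads "CONTEXT PATH" lines on stdin and prints every path that
# the pattern covers but whose type differs from WANT_TYPE.
mislabeled() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        covered_by_pattern "$path" || continue
        [ "$(context_type "$ctx")" = "$WANT_TYPE" ] || printf '%s\n' "$path"
    done
}

# Constructed sample: two correct labels, one file created before the relabel,
# one file moved in with mv (which keeps its old label), one path outside /www.
sample_labels() {
    cat <<'EOF'
system_u:object_r:httpd_sys_content_t:s0 /www
system_u:object_r:httpd_sys_content_t:s0 /www/index.html
unconfined_u:object_r:default_t:s0 /www/uploads/report.pdf
unconfined_u:object_r:user_home_t:s0 /www/moved-from-home.html
system_u:object_r:default_t:s0 /wwwroot/other.html
EOF
}

# On a live system: find /www -exec stat -c '%C %n' {} + | mislabeled
sample_labels | mislabeled
```

Any path this prints needs `restorecon -R -v /www` run again, since the `semanage fcontext` rule only records the intended label and does not relabel files by itself.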

