Re: Web server permission in FC9

NB:  This is NOT a top-posting list.
http://fedoraproject.org/wiki/Communicate/MailingListGuidelines#head-21931671219f9e2ecd6ec8655a3d582326699379

On Thu, 2008-05-22 at 09:26 -0400, Charles Layno wrote:
> It is the SELinux. I turned it off to check and Apache serves up the
> web pages with no problem.
> 
> I know nothing about SELinux, so can you direct me on how to do that?
> I read some stuff on the net about it and it is all mush to me.

Basic background information:  

SELinux allows/restricts access based on various contexts.  Files are
marked with the contexts that they can be used in (e.g. user files, web
serveable, etc.), which allows files that should be web serveable to be
served, and disallows things that shouldn't.

With SELinux-aware software and systems, when you "create" files they're
created with appropriate contexts.  e.g. If you create a new file
in /var/www/html/ it'll be created in a serveable manner.  Likewise, if
you copy a file to that place, the copy will be given appropriate
contexts.

But if you move a file, it'll keep its original contexts.  Which will
probably mean it's not serveable.  That sort of thing catches a lot of
people when they make new files in their homespace (which will have a
different file context), then move them to somewhere else.  Or they
simply create them somewhere else.  Relabelling *those* files solves
that problem (the restorecon command).

You can see what contexts are applied to files and directories by using
the -Z parameter with the ls command, or using a file manager which
shows you them (e.g. Nautilus can be configured to show them).

[tim@bigblack ~]$ ls -Z /var/www/
drwxr-xr-x  root      root system_u:object_r:httpd_sys_script_exec_t cgi-bin
drwxr-xr-x  root      root system_u:object_r:httpd_sys_content_t error
drwxr-xr-x  root      root system_u:object_r:httpd_sys_content_t html
drwxr-xr-x  root      root system_u:object_r:httpd_sys_content_t icons
drwxr-xr-x  root      root system_u:object_r:httpd_sys_content_t manual
drwxr-xr-x  webalizer root system_u:object_r:httpd_sys_content_t usage

That's the file side of things.  There are also policies which are applied
to the system.  There are managing tools for that (system-config-selinux),
that allow you to set options (httpd boolean settings) such as whether
Apache can read files outside of /var/www/html, like from within
the /home directories.  

Running that configuration tool and looking at the appropriate booleans
might help you solve your problem.  But since you mentioned not serving
out from the default location, earlier in the thread, you're probably
going to have to deal with setting the right contexts on your files.
That's probably easier if served from within /srv/ than some random
place on the directory tree, since /srv is meant for serving files from.

But, again, we're hamstrung for giving advice since you've given no
specific information about what you're actually doing.

FAQ about SELinux and Apache webserving:  
http://docs.fedoraproject.org/selinux-apache-fc3/
(old, but should still be applicable)

-- 
[tim@bigblack ~]$ uname -ipr
2.6.23.15-80.fc7 i686 i386

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.




-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
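
Added example (not part of the message above): a shell filter that reads
"ls -Z" output and lists entries whose SELinux type is not an httpd_* type,
which is how a file moved in from a home directory shows up.  The function
names and the sample listing are constructed for illustration, and treating
every httpd_* type as serveable is a simplifying assumption.

```shell
#!/bin/sh
# Added example: spot files under a web root that kept a non-web SELinux type
# (the "moved instead of copied" case described in the message).

# Read `ls -Z` lines on stdin; print "<type><TAB><name>" for every entry whose
# type does not start with httpd_ (assumption: httpd_* means Apache may use it).
# The context is found as the first field shaped like user:role:type[:level],
# so the older layout shown in the post and newer ones with ":s0" both parse.
find_mislabelled() {
    awk '
    {
        for (i = 1; i < NF; i++) {
            n = split($i, part, ":")
            if (n >= 3 && part[2] ~ /_r$/) {
                if (part[3] !~ /^httpd_/) {
                    # Everything after the context is the file name,
                    # which may itself contain spaces.
                    name = $(i + 1)
                    for (j = i + 2; j <= NF; j++) name = name " " $j
                    printf "%s\t%s\n", part[3], name
                }
                next
            }
        }
    }'
}

# Constructed sample: two correctly labelled entries and two files that were
# moved from a home directory and so still carry user_home_t.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t images
-rw-r--r--  root root system_u:object_r:httpd_sys_content_t index.html
-rw-r--r--  tim  tim  user_u:object_r:user_home_t about.html
-rw-r--r--. tim  tim  unconfined_u:object_r:user_home_t:s0 my notes.html
EOF
}

sample_listing | find_mislabelled

# On a live system, feed it the real listing and relabel what it reports:
#   ls -Z /var/www/html | find_mislabelled
#   restorecon -Rv /var/www/html      # as root; resets to the policy default
```

restorecon only helps where the policy already defines a web content type for
the path, as it does for /var/www/html.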
