On Wed, 2010-11-03 at 01:59 -0400, Robert Moskowitz wrote:
> # cat /etc/sysconfig/selinux
>
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - No SELinux policy is loaded.
> SELINUX=disabled

This (immediately above line) says that your SELinux is disabled, so SELinux shouldn't be the cause of your problems.

That being said, it's usually a good idea to use SELinux when you have a publicly exposed webserver. Even one that's not advertised, as hackers find them by scanning ranges of IP addresses.

To serve out anything via HTTP, the directory permissions from root right through to the directory in question, including all the ones in between, should be rwx r-x r-x (owner read, write, and execute; group permissions usually don't matter; other users can read and execute).

The file permissions need to be almost the same, the file in question should be rwx r-x r-x (owner read, write and execute; group permissions usually don't matter; other users can read the files). Apache treats the executable bit on files specially - it allows them to be parsed for server-side-includes.

The "other" users, also known as "world," permissions are used for serving out to the world. (I spaced apart owner, group, and world permissions in the above examples, for ease of reading.)

Servable files should not be owned by root or the apache user, they should be owned by the author. The same goes for directories *inside* the webserver's root path. This allows changes, and disallows tampering by remote users over the web.

e.g.
drwxr-xr-x  root root  /var/www/html/
drwxr-xr-x  tim  tim   /var/www/html/mywebsite/
drw-r--r--  tim  tim   /var/www/html/mywebsite/homepage.html
drw-r--r--  tim  tim   /var/www/html/mywebsite/picture.png

If you are asking the server to follow symlinks, then you need to set the Apache configuration option to allow that. I can't remember what the default was. If you installed the manual, see:
http://localhost/manual/mod/core.html#options

Also, if you serve files from outside the usual filepaths, you might want to check the <Directory> options in the Apache configuration. If you installed the manual, see:
http://localhost/manual/mod/core.html#directory

If you have SELinux enabled, then you need to set proper contexts for the files and directories. This will be done automatically, when you create them in the standard file paths. i.e. inside "/var/www/html" and inside "~/public_html/"

But not if you move files into those paths, or serve files in other locations. Then, you'll need to manually set the contexts, and reset them if you ever scan the whole drive resetting contexts to defaults (unless you make up custom rules to match your custom locations).

See http://fedoraproject.org/wiki/SELinux/apache for example contexts.

But I have this for webserving directories, and the files inside them:

system_u:object_r:httpd_sys_script_exec_t:s0      /var/www/cgi-bin/
unconfined_u:object_r:httpd_sys_content_t:s0      /var/www/html/
system_u:object_r:httpd_user_content_t:s0         ~/public_html/

--
[tim@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
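An added example, not part of the original message: a Python check that walks every path component from a starting directory down to a served file and reports departures from the permission and ownership rules described in the message above. The function names, the `top` parameter and the account names "root" and "apache" are assumptions of this example.

```python
import os
import pwd
import stat
import sys
from pathlib import Path


def server_uids(names=("root", "apache")):
    """Resolve account names to uids, skipping accounts absent on this host."""
    uids = set()
    for name in names:
        try:
            uids.add(pwd.getpwnam(name).pw_uid)
        except KeyError:
            pass
    return uids


def audit_served_path(target, docroot, top="/", forbidden_uids=None):
    """Return (path, problem) tuples for each component from top to target."""
    if forbidden_uids is None:
        forbidden_uids = server_uids()
    target, docroot, top = (Path(os.path.abspath(p)) for p in (target, docroot, top))
    rel = target.relative_to(top).parts  # ValueError if target is not under top
    chain = [top.joinpath(*rel[:i]) for i in range(len(rel) + 1)]
    findings = []
    for p in chain:
        st = os.stat(p)
        other = st.st_mode & stat.S_IRWXO
        if stat.S_ISDIR(st.st_mode):
            # Directories need read and execute for "other" (r-x).
            if other & 0o5 != 0o5:
                findings.append((str(p), "directory lacks r-x for other"))
        elif not other & stat.S_IROTH:
            findings.append((str(p), "file lacks read for other"))
        if other & stat.S_IWOTH:
            findings.append((str(p), "writable by other"))
        # The ownership rule applies only strictly inside the document root.
        if docroot in p.parents and st.st_uid in forbidden_uids:
            findings.append((str(p), "owned by root or the server account"))
    return findings


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: script.py <served file> <document root>
    for path, problem in audit_served_path(sys.argv[1], sys.argv[2]):
        print(f"{path}: {problem}")
```

An empty result means the mode and ownership rules hold along the whole path; SELinux contexts and Apache's own <Directory> settings are not examined.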