#1, 02-25-2006, 08:20 PM
Member, Registered: Dec 2005, Distribution: CentOS 5 - Debian 5, Posts: 112
FollowSymLinks and SELinux enabled
In my web folder "/var/www/html/private" I have a symlink to a FAT32 partition. With SELinux enabled for httpd, I do not see the link when I try to access it through my web browser. But after turning off SELinux for the httpd daemon with
Code:
/usr/sbin/setsebool -P httpd_disable_trans 1
I was able to see/reach the symlink... how can I have both working at the same time??!!!
FAT32 is owned by root and I do not think it is possible to change the permission... correct me if I'm wrong...
Thanks in advance...
#2, 02-26-2006, 12:05 PM
Senior Member, Registered: Mar 2003, Distribution: Fedora, Posts: 3,658
First, fix the permissions on how the FAT32 partition is mounted using the umask option in the mount command. Give "group" and "other" read permissions on the mounted disk. Alternatively you can set the UID. See the "mount" manpage for the syntax.
If that still doesn't help, try directly specifying the SELinux context for the file system when you mount the FAT partition using:
Code:
mount -t vfat -o context=system_u:object_r:httpd_sys_content_t ...blah...blah
#3, 02-26-2006, 12:21 PM
Senior Member, Registered: Mar 2003, Distribution: Fedora, Posts: 3,658
You might also need to change the context on the link itself. For that you can use the chcon command (chcon -t httpd_sys_content_t /path/to/link).
#4, 02-26-2006, 03:37 PM
Member, Registered: Dec 2005, Distribution: CentOS 5 - Debian 5, Posts: 112, Original Poster
Quote:
Originally Posted by Capt_Caveman
First, fix the permissions on how the FAT32 partition is mounted using the umask option in the mount command. Give "group" and "other" read permissions on the mounted disk. Alternatively you can set the UID. See the "mount" manpage for the syntax.
If that still doesn't help try directly specifying the SELinux context for the file system when you mount the FAT partition using:
mount -t vfat -o context=system_u:object_r:httpd_sys_content_t ...blah...blah

This is how it looks like:
Code:
/dev/hda5 /mnt/fat32 vfat umask=000 0 0
Can you give me the exact command??
#5, 02-26-2006, 03:40 PM
Member, Registered: Dec 2005, Distribution: CentOS 5 - Debian 5, Posts: 112, Original Poster
Quote:
Originally Posted by Capt_Caveman
You might also need to change the context on the link itself. For that you can use the chcon command (chcon -t httpd_sys_content_t /path/to/link).

By doing this
Code:
chcon -t httpd_sys_content_t sym_link_to_fat32
now I see the symbolic link... but when I click on it I reach a blank page... so I tried the same command on the FAT32 partition but it did not help!!! So shall I mount it using the command you mentioned earlier??!!!
Thanks
Last edited by piforever; 02-26-2006 at 03:41 PM.
#6, 02-27-2006, 12:15 AM
Senior Member, Registered: Mar 2003, Distribution: Fedora, Posts: 3,658
Linux handles FAT filesystems in such a way that they don't have the same type of extended attributes as other types of filesystems that have SELinux support (like ext2). So it's not surprising that the chcon command didn't work. Out of curiosity, did you try to use the chcon command on the entire mounted partition or just on the file that the symlink pointed to? If you tried doing the *entire* partition, using the -R (recursive) option may have helped (chcon -R -t httpd_sys_content_t /path/to/vfat/target_dir).
If neither of those worked, you may need to use the mount command with the -o option:
Code:
mount -t vfat -o context=system_u:object_r:httpd_sys_content_t /dev/hda5 /mnt/fat32
Make sure that it has been unmounted before trying to remount.
Syntax for mounting with non-root read permissions would be:
Code:
mount -t vfat -o umask=133 /dev/hda5 /mnt/fat32
which should give rw-r--r-- permissions to the mounted filesystem.

#7, 02-27-2006, 12:43 PM
Member, Registered: Dec 2005, Distribution: CentOS 5 - Debian 5, Posts: 112, Original Poster
Thank you very much....
This code
Code:
mount -t vfat -o context=system_u:object_r:httpd_sys_content_t /dev/hda5 /mnt/fat32
sorted my problem... and it seems we do not need to use this code on the symbolic link:
Code:
chcon -t httpd_sys_content_t sym_link_to_fat32
But now how can I include it in "/etc/fstab"... the old format was
Code:
/dev/hda5 /mnt/fat32 vfat umask=000 0 0
so the new one will be??!!
Thanks
EDIT
It seems the symbolic link to the partition we just mounted is not writable!!! How can we make it writable??
Last edited by piforever; 02-27-2006 at 12:46 PM.
#8, 02-27-2006, 04:06 PM
Senior Member, Registered: Mar 2003, Distribution: Fedora, Posts: 3,658
Just combine the 2 mount commands into a single command (basically just include the umask option along with the context= option). You'll need to change the umask setting depending on what type of write permissions you want to give. Note that you need to be really careful when giving write permissions to the Apache daemon. If it's ever compromised, the attacker will be able to upload to that part of the filesystem. So you need to ask yourself whether Apache *really* needs to write there and make sure that sensitive files like password or config files as well as other binaries don't live there. You may also want to change the ownership of those files if you plan on giving write permissions to non-root users (to do so, use the "uid=apache" option in the mount command).
I haven't tried setting the SELinux context in fstab, but you should be able to. The fstab entry would look something like:
Code:
/dev/hda5 /mnt/fat32 vfat umask=133,context=system_u:object_r:httpd_sys_content_t 0 0
Change the umask value to include whatever write permissions you need (remember the umask value will be 777 minus the actual permissions you want). You can also include the "uid=" option as well if you want to change the ownership. Post back with your final fstab entry just to make sure that it's secure.

#9, 02-27-2006, 05:58 PM
Member, Registered: Dec 2005, Distribution: CentOS 5 - Debian 5, Posts: 112, Original Poster
Thanks....
My entry now looks like this and it works....
Code:
/dev/hda5 /mnt/fat32 vfat umask=000,context=system_u:object_r:httpd_sys_content_t 0 0
I picked umask=000 since I want to be able to access the partition using my web browser and download the stuff to my PC... and I have a Java script that continuously writes to the partition (i.e. FAT32). The owner of that script is not "root".
Is there a more secure way to do that??? Or is it possible to limit access to that particular partition to certain IPs??!! I'm thinking of doing that using the .htaccess file... although this will not prevent a hacker from accessing that partition if my system got compromised...
Can I have your advice regarding this issue??
http://www.linuxquestions.org/questi...94#post2126994
Last edited by piforever; 02-27-2006 at 06:24 PM.
#10, 02-27-2006, 10:09 PM
Senior Member, Registered: Mar 2003, Distribution: Fedora, Posts: 3,658
I would definitely not put 777 permissions (umask 000) on anything accessible to the Apache daemon. A better solution might be to take the user that the Java script runs under and make it part of a group. Then give that group write permissions.
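As an added worked example (not code from the thread or its posters), the following script carries the umask arithmetic from post #8 ("777 minus the permissions you want") through to the fstab line from post #8/#9, adds the group-write approach from post #10 via the vfat gid= option, and flags the world-writable umask=000 entry that post #9 used. The device, mountpoint and numeric gid are constructed values; the httpd_sys_content_t context is the one the thread uses.

```shell
#!/bin/sh
# Added example, not from the thread: build a vfat fstab entry that keeps the
# SELinux context from post #6, computes umask from the desired permissions as
# post #8 describes, and gives write access to one group as post #10 advises.
# /dev/hda5, /mnt/fat32 and gid 48 are constructed/assumed values.

# vfat umask is "permission bits to strip": 7 minus each octal digit.
perms_to_umask() {
    case $1 in
        [0-7][0-7][0-7]) ;;
        *) echo "perms must be three octal digits, e.g. 775" >&2; return 1 ;;
    esac
    p=$1 u=""
    while [ -n "$p" ]; do
        d=${p%"${p#?}"}          # first remaining digit
        p=${p#?}
        u="$u$((7 - d))"
    done
    printf '%s' "$u"
}

# Emit the fstab line: $1 device, $2 mountpoint, $3 desired perms (e.g. 775 =
# owner and group may write, others read only), $4 numeric gid of the group the
# writing user belongs to. The context lets Apache read the files under SELinux.
vfat_fstab_entry() {
    printf '%s %s vfat umask=%s,gid=%s,context=system_u:object_r:httpd_sys_content_t 0 0\n' \
        "$1" "$2" "$(perms_to_umask "$3")" "$4"
}

# Return 0 (true) when the entry leaves "other" with write access, which is what
# umask=000 in post #9 does; return 1 otherwise or when no umask= is present.
fstab_entry_world_writable() {
    m=$(printf '%s\n' "$1" | sed -n 's/.*umask=\([0-7]*\).*/\1/p')
    [ -n "$m" ] || return 1
    o=${m#"${m%?}"}              # last digit = mask applied to "other"
    [ $(( o & 2 )) -eq 0 ]       # write bit not masked => world writable
}

# Stand-alone demo: a group-writable entry and the 777 one for contrast.
safe=$(vfat_fstab_entry /dev/hda5 /mnt/fat32 775 48)
printf 'OK   %s\n' "$safe"
if fstab_entry_world_writable '/dev/hda5 /mnt/fat32 vfat umask=000 0 0'; then
    echo 'WARN umask=000 leaves the mount writable by everyone, Apache included'
fi
```

With umask=002 and gid=48 only root and members of group 48 can write; Apache (if it is not in that group) can still read and serve the files because of the context= option.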