LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 12-02-2010, 05:34 AM   #1
dhelyar
LQ Newbie
 
Registered: Nov 2009
Posts: 5

Rep: Reputation: 0
Allow apache to access user_home_t only inside /var/www/


Hello!

I suspect I'm going to be told to go away and read a book on the topic, but I thought I'd ask anyway It seems the topic of SELinux is a bottomless pit of despair!

Anyway, I have users that access a development server via SFTP and SSH and upload files that manage maintain their type context of user_home_t. Apache cannot read these files, and so somebody with sudo needs to teach those files a lesson.

I'm aware I can set SELinux to permissive, but I (and my company) are quite preferable to the the "deny all, allow only" approach to security, which I'd like to maintain.

Essentially I'd like to allow Apache to access the user_home_t only within /var/www/ although I'm not seeing any evidence on my travels that policies like this can be limited to specific directories.

Does anybody have any killer advice for my situation?

Thanks in advance
 
Old 12-02-2010, 10:35 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,947
Blog Entries: 54

Rep: Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732Reputation: 2732
Quote:
Originally Posted by dhelyar View Post
I suspect I'm going to be told to go away and read a book on the topic
No you're not.


Quote:
Originally Posted by dhelyar View Post
It seems the topic of SELinux is a bottomless pit of despair!
No it ain't.


Quote:
Originally Posted by dhelyar View Post
I'd like to allow Apache to access the user_home_t only within /var/www/
You don't want that.


Quote:
Originally Posted by dhelyar View Post
Does anybody have any killer advice for my situation?
As root run '/sbin/restorecon -R /var/www/'. If you want to first log any changes (troubleshooting?) then run the same before but with the "-nivv" switches and log output to file or syslog. Integrate it in any way you like: on user logout, something inotify-based, auditd + a log watcher, custom cronjob, you name it.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
ftp access to /var/www/html bmccarty12 Linux - General 2 10-16-2009 12:21 PM
Apache var/www bmeserver Linux - Newbie 3 08-14-2009 09:56 PM
FTP access to /var/www/html/web_folder jonaskellens Linux - Server 2 07-11-2009 08:23 AM
FTP client can't access files in /var/www/html (Apache ) dshap Linux - Newbie 8 06-03-2009 12:12 PM
proftp access to /var/www/htdocs with rw datadriven Slackware 0 06-27-2003 11:11 AM


All times are GMT -5. The time now is 11:11 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration