httpd access with SELinux in enforcing mode: restriction issues
hi all,
I am running RHEL5 (test machine) with httpd and SELinux enabled. I have a little idea that httpd requires the context httpd_sys_content_t on data which needs to be served through it. Now I created one directory /data with some contents with the following context:

    # ls -ldZ /data
    drwxr-xr-x  root root root:object_r:root_t             /data
    # ls -lZ /data
    -rw-r--r--  root root root:object_r:etc_runtime_t      hi
    drwxr-xr-x  root root root:object_r:root_t             test

I just added one Alias for /data in httpd.conf and a <Directory> entry, and now I can access the contents of /data.

Now, shouldn't SELinux prevent httpd from accessing /data due to its different context? Please, can anybody explain what's happening?

thanks,
rajnish
I could not reproduce your findings. What does running 'sestatus' return? And 'getsebool httpd_disable_trans'? Are there *any* AVC messages wrt httpd? Anything else we should know about? What happens if you create a file within /var/www/html/ (which should be httpd_sys_content_t) and deliberately chcon it to something ludicrously wrong like device_t? Is it still accessible?
Thanks unSpawn,

Output from sestatus and getsebool:

    [root@test2 ~]# getsebool httpd_disable_trans
    httpd_disable_trans --> off
    [root@test2 ~]# sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy version:                 21
    Policy from config file:        targeted

As you asked, I placed one file in the document root and changed its context to device_t; on accessing it, setroubleshoot popped up with AVC messages. On searching /var/log/audit/audit.log, nothing for /data.

Thanks for your effort and precious time.

rajnish
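A small helper for the kind of check discussed in the two posts above, added here as an example and not part of the original thread or of any RHEL tool: it parses AVC records from /var/log/audit/audit.log, keeps only denials whose source domain is httpd_t, and summarises them by target type, object class and permission, so that "nothing for /data" can be stated from the log rather than from a grep. The audit lines embedded in SAMPLE_AUDIT_LOG are constructed to resemble what the deliberate device_t test would produce; they are not a real capture, and the function names are my own.

```python
"""Summarise SELinux AVC denials for the httpd domain from audit.log.

Added example (not from the thread). The log lines in SAMPLE_AUDIT_LOG
are constructed to resemble RHEL5 audit records; they are not a capture.
"""
import re
import sys
from collections import Counter

# Constructed sample: two denials from the deliberate device_t test,
# one unrelated syslogd denial, and one non-AVC record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1200000000.123:101): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/var/www/html/test.html" dev=sda2 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:device_t:s0 tclass=file
type=SYSCALL msg=audit(1200000000.123:101): arch=40000003 syscall=195 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0
type=AVC msg=audit(1200000000.456:102): avc:  denied  { read } for  pid=2345 comm="httpd" name="test.html" dev=sda2 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:device_t:s0 tclass=file
type=AVC msg=audit(1200000001.000:103): avc:  denied  { write } for  pid=999 comm="syslogd" name="messages" dev=sda2 ino=555 scontext=root:system_r:syslogd_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
"""

# Header of an AVC record: timestamp, serial, result and permission set.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$"
)
# key=value pairs in the remainder of the record; values may be quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    if not context:
        return None
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one audit.log line; return a dict for AVC records, else None."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        # AVC records usually carry only name= (the basename); path= is
        # present only when the kernel had the full path.  When in doubt,
        # match on dev= and ino= against `ls -i` instead of on the name.
        "path": fields.get("path") or fields.get("name"),
        "dev": fields.get("dev"),
        "ino": fields.get("ino"),
        "tclass": fields.get("tclass"),
        "stype": type_of(fields.get("scontext")),
        "ttype": type_of(fields.get("tcontext")),
    }


def httpd_denials(log_text, domain="httpd_t"):
    """All denied AVC records whose source domain is `domain`."""
    return [
        r
        for r in (parse_avc(line) for line in log_text.splitlines())
        if r is not None and r["result"] == "denied" and r["stype"] == domain
    ]


def summarize(records):
    """Count (target type, object class, permission) triples."""
    return Counter(
        (r["ttype"], r["tclass"], perm) for r in records for perm in r["perms"]
    )


def denials_for_path(records, prefix):
    """Records whose path or name starts with `prefix` (see caveat above)."""
    return [r for r in records if r["path"] and r["path"].startswith(prefix)]


if __name__ == "__main__":
    # Usage: python avc_summary.py /var/log/audit/audit.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    recs = httpd_denials(text)
    for (ttype, tclass, perm), n in sorted(summarize(recs).items()):
        print("%4d  httpd_t -> %s (%s) %s" % (n, ttype, tclass, perm))
    if not denials_for_path(recs, "/data"):
        print("no httpd_t denial mentions /data: the policy allowed the "
              "access, or a dontaudit rule suppressed the record")
```

If the log shows no httpd_t denial for the path that was served, the loaded policy allowed the access (or a dontaudit rule hid the record); the next step is to ask the policy directly rather than the log, for example with sesearch from setools: `sesearch --allow --source httpd_t --target etc_runtime_t --class file` for the file labelled etc_runtime_t, and the same query with `--target root_t --class dir` for the directory. Any allow rule that comes back is the reason SELinux did not block the Alias.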
Sorry for the late response (busy) and thanks for the info. Unfortunately this doesn't show anything odd, so I'd like more info. Do you have a local policy in effect ('semodule -l' should show modules)? Could you post your httpd.conf without the comment lines?