LinuxQuestions.org - Linux - Security
httpd access with selinux enforce mode, restriction issues. (https://www.linuxquestions.org/questions/linux-security-4/httpd-access-with-selinux-enforce-mode-restriction-issues-662406/)

rajnishmishra 08-13-2008 02:54 AM

httpd access with selinux enforce mode, restriction issues.
 
hi all,

I am running (test machine) RHEL5 with httpd and SELinux enabled. I have a little idea that httpd requires the context httpd_sys_content_t on data which needs to be served through it.
Now I created one directory /data with some contents with the following context:

#ls -ldZ /data
drwxr-xr-x root root root:object_r:root_t /data

#ls -lZ /data
-rw-r--r-- root root root:object_r:etc_runtime_t hi
drwxr-xr-x root root root:object_r:root_t test

I just added one Alias for /data in httpd.conf and a <Directory> entry; now I can access the contents of /data.
*******************************
Now, doesn't SELinux have to prevent httpd from accessing /data due to its different context? Please, can anybody explain what's happening?

thanks,
rajnish

unSpawn 08-14-2008 05:41 PM

I could not reproduce your findings. What does running 'sestatus' return? And 'getsebool httpd_disable_trans'? Are there *any* AVC messages wrt http? Anything else we should know about? What happens if you create a file within /var/www/html/ (which should be httpd_sys_content_t) and deliberately chcon it to something ludicrously wrong like device_t? Is it still accessible?

rajnishmishra 08-14-2008 10:56 PM

thanks unSpawn,

output from sestatus and getsebool:

[root@test2 ~]# getsebool httpd_disable_trans
httpd_disable_trans --> off

[root@test2 ~]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted

As you asked, I placed one file in the document root and changed its context to device_t; on accessing it, setroubleshoot popped up with AVC messages. On searching /var/log/audit/audit.log, nothing for /data.

thanks for your effort and precious time.

rajnish

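Turning the two checks unSpawn asked for (are the labels under /data ones that httpd_t is allowed to read, and are there AVC denials for httpd in audit.log) into a small script, as an added example that is not part of this thread and not code from either poster: the `ls -lZ` listing and the audit.log lines below are constructed samples modelled on the output posted above, and HTTPD_OK_TYPES is an assumption restricted to the one type named in the thread, httpd_sys_content_t.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers a defender can run on the
# real output: one flags entries whose SELinux type httpd_t should not be
# able to read, the other pulls AVC denials whose source process is httpd.

# Constructed sample of `ls -lZ /data` (RHEL5 field order: mode user group context name)
SAMPLE_LS='-rw-r--r-- root root root:object_r:etc_runtime_t hi
drwxr-xr-x root root root:object_r:root_t test
-rw-r--r-- root root root:object_r:httpd_sys_content_t index.html'

# Constructed sample of /var/log/audit/audit.log AVC records (kernel AVC layout)
SAMPLE_AUDIT='type=AVC msg=audit(1218700000.123:45): avc:  denied  { read } for  pid=2345 comm="httpd" name="hi" dev=sda1 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1218700001.456:46): avc:  denied  { read } for  pid=999 comm="sshd" name="x" dev=sda1 ino=1 scontext=root:system_r:sshd_t:s0 tcontext=root:object_r:root_t:s0 tclass=file'

# Assumption: only the type named in the thread; extend with other httpd content
# types from your own policy if you serve scripts or writable content.
HTTPD_OK_TYPES="httpd_sys_content_t"

# Print "name type" for every listing entry whose type is not in HTTPD_OK_TYPES.
# Usage on a real box: find_bad_labels "$(ls -lZ /data | tail -n +2)"
find_bad_labels() {
    printf '%s\n' "$1" | awk -v ok="$HTTPD_OK_TYPES" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) good[a[i]] = 1 }
        NF >= 5 {
            split($4, c, ":")            # user:role:type[:level]
            if (!(c[3] in good)) print $5, c[3]
        }'
}

# Print "pid name target_type" for each AVC denial generated by an httpd process.
# Usage on a real box: httpd_denials "$(cat /var/log/audit/audit.log)"
httpd_denials() {
    printf '%s\n' "$1" | awk '
        /type=AVC/ && /comm="httpd"/ {
            pid = ""; name = ""; ttype = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^pid=/)      { sub(/^pid=/, "", $i); pid = $i }
                if ($i ~ /^name=/)     { sub(/^name="?/, "", $i); sub(/"$/, "", $i); name = $i }
                if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
            }
            print pid, name, ttype
        }'
}

echo "Entries httpd_t should not be able to read:"
find_bad_labels "$SAMPLE_LS"
echo "AVC denials attributed to httpd:"
httpd_denials "$SAMPLE_AUDIT"
```

On the sample data the first helper reports both `hi` (etc_runtime_t) and `test` (root_t) and skips the correctly labelled index.html, while the second reports only the httpd denial and ignores the sshd one; an empty second list alongside a non-empty first list is exactly the situation the thread describes, which is why unSpawn asks about `httpd_disable_trans` and the loaded policy modules before drawing a conclusion.
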
unSpawn 08-19-2008 03:46 PM

Soz for the late response (busy) and thanks for the nfo. Unfortunately this doesn't show anything odd, so I'd like more info. Do you have a local policy in effect ('semodule -l' should show modules)? Could you post your httpd.conf w/o the comment lines?
