Previous Entry Share Next Entry
Solution to /myapache labeling problem from yesterday...
Twitter's @Plaimclock  tweeted me @rhatdan yester. 
He pointed out that  yesterdays blog on SELinux Labeling did not provide a solution to the /myapache problem.

The solution is to label /myapache and all its children with a label httpd can read. 

You can figure this out by using:

man httpd_selinux

       - Set files with the httpd_sys_content_t type, if you want to treat the
       files as httpd sys content.

            /usr/share/icecast(/.*)?,                  /usr/share/htdig(/.*)?,
            /etc/htdig(/.*)?,                         /var/www/svn/conf(/.*)?,
            /usr/share/doc/ghc/html(/.*)?,       /usr/share/mythtv/data(/.*)?,
            /var/lib/htdig(/.*)?,                         /srv/gallery2(/.*)?,
            /srv/([^/]*/)?www(/.*)?,               /usr/share/ntop/html(/.*)?,
            /usr/share/mythweb(/.*)?,                /var/lib/cacti/rra(/.*)?,
            /usr/share/openca/htdocs(/.*)?,            /usr/share/selinux-pol‐
            icy[^/]*/html(/.*)?,   /usr/share/drupal.*,   /var/lib/trac(/.*)?,
            /var/www(/.*)?, /var/www/icons(/.*)?


# ls -lZd /var/www/html
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html

You could simply put the labels in place using chcon.

chcon -R -t httpd_sys_content_t /myapache

The best solution is to tell SELinux about the label change.

# semanage fcontext -a -t httpd_sys_content_t '/myapache(/.*)?'
# restorecon -R -v /myapache


Note:  If you wanted to allow httpd to write to the directory you would use the httpd_sys_rw_content_t type.

  • 1

Re: Deny process httpd read passwd (/etc/passwd) file

thanks for helping me.
" maybe denying read to apache via boolean? " Can i use boolean ?

  • 1

Log in

No account? Create an account