Re: How to set SELinux to allow apache-httpd only to access a particular user's content?

Wed, 13 Apr 2011 11:06:38 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/13/2011 01:00 PM, Varuna Seneviratna wrote:
> I tried to set the ServerRoot to a Directory in my home Dirctory.But
> when tried to start httpd after setting ServerRoot and saving the
> httpd.conf file SELinux repoted the following
> 
>        SELinux is preventing /usr/sbin/httpd from search access on the
> directory /home/<Home Directory>.
> 
>          *****  Plugin catchall_boolean (47.5 confidence) suggests
> *******************
> 
>        If you want to allow httpd to read user content
>        Then you must tell SELinux about this by enabling the
> 'httpd_read_user_content' boolean.
>       Do
>      setsebool -P httpd_read_user_content 1
> 
> I want to know How to set setsebool to allow httpd to access only the
> content of a particular user?
> 
> The manual pages of setsebool(8) and getsebool(8) can not be viewed,
> when the command man getsebool(8) the output is "-bash: syntax error
> near unexpected token `(' "
> 
> The SELinux FAQ at
> http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3128699
> is as follows
>       Q:
>         How do I enable/disable SELinux protection on specific daemons
> under the targeted policy?
>        A:
>            Use system-config-selinux, also known as the SELinux
> Administration graphical tool, to control the Boolean values of
> specific daemons. For example, if you need to disable SELinux for
> Apache to run correctly in your environment, you can disable the value
> in system-config-selinux. This change disables the transition to the
> policy defined in apache.te, allowing httpd to remain under regular
> Linux DAC security.
> The getsebool and setsebool commands can also be used, including on
> systems that do not have the system-config-selinux tool. Please refer
> to the manual pages for these commands: getsebool(8) and setsebool(8)
> for further details on their operation.
> 
> Varuna


Turn on httpd_enable_homedirs then label the data in /home/BLAH to be
httpd_sys_content_t.

# setsebool -P httpd_enable_homedirs 1
# semanage fcontext -a -t httpd_sys_content_t '/home/BLAH(/.*)?'
# restorecon -R -v /home/BLAH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk2l5hsACgkQrlYvE4MpobM6RQCfW56Gfk9ZmbgWiz4tQt1sGaDN
djUAn3uJYHyB2tZ1+lFtDxyXoNwXJ7zG
=EHzH
-----END PGP SIGNATURE-----
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

Reply via email to