Bug 141963

| Field | Value |
|---|---|
| Summary | SSI includes not working with targeted policy enabled |
| Product | [Fedora] Fedora |
| Component | selinux-policy-targeted |
| Version | 3 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED NOTABUG |
| Severity | medium |
| Priority | medium |
| Reporter | Mace Moneta <moneta.mace> |
| Assignee | Daniel Walsh <dwalsh> |
| Doc Type | Bug Fix |
| Last Closed | 2004-12-06 18:46:08 UTC |

Description
Mace Moneta
2004-12-06 14:32:57 UTC
Clarification: While the system-config-securitylevel application identifies the change as "Enable" for the policy, it is switching between enforcing and permissive. Also, in permissive mode, the following messages are shown in /var/log/messages:

```
Dec 6 09:48:18 buggsb kernel: audit(1102344498.928:0): avc: denied { getattr } for pid=14298 exe=/usr/sbin/httpd path=/home/weblog/Header1.html dev=dm-0 ino=6225995 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Dec 6 09:48:18 buggsb kernel: audit(1102344498.928:0): avc: denied { getattr } for pid=14298 exe=/usr/sbin/httpd path=/home/weblog/Header1.html dev=dm-0 ino=6225995 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
```

The problem you're running into is that you're trying to store web content in a home directory. Notice the type of the file is user_home_t, which httpd_t is not allowed to read.

For more information, see: http://fedora.redhat.com/docs/selinux-apache-fc3/

Your options are:

1) Label the files as httpd_sys_content_t, which should work
2) Disable SELinux enforcement for Apache if you can't get it to work (see the guide for how to do that)

Ah, that's what I was missing. Setting "Allow HTTPD to read home directories" in system-config-securitylevel didn't change the file/directory contexts. I had assumed it would. Closing.
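
An added example, not part of the original bug thread: a small Python parser that pulls the source type, target type, object class and permissions out of AVC denial lines like the one quoted in the report and counts repeats, which makes the `httpd_t` versus `user_home_t` mismatch easy to spot. The function names are hypothetical, and the parser assumes the kernel log format shown in the report and paths without spaces.

```python
import re
from collections import Counter

# Log line copied from the report above (FC3-era kernel audit format).
SAMPLE = (
    "Dec 6 09:48:18 buggsb kernel: audit(1102344498.928:0): avc: denied "
    "{ getattr } for pid=14298 exe=/usr/sbin/httpd "
    "path=/home/weblog/Header1.html dev=dm-0 ino=6225995 "
    "scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t "
    "tclass=file"
)

# Permissions sit inside braces; key=value pairs follow the word "for".
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Assumption: values contain no spaces (true for the line in the report).
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {
        "perms": m.group("perms").split(),
        "path": fields.get("path"),
        "source_type": type_of(fields.get("scontext", "")),
        "target_type": type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
    }


def summarize(lines):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec["perms"]:
            key = (rec["source_type"], rec["target_type"], rec["tclass"], perm)
            counts[key] += 1
    return counts


if __name__ == "__main__":
    # The report shows the same denial twice; the third line is constructed noise.
    for (src, tgt, cls, perm), n in summarize([SAMPLE, SAMPLE, "unrelated"]).items():
        print(f"{n}x {src} denied {perm} on {tgt}:{cls}")
```
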