Bug 143490 - SELinux FAQ - mention chcon, use apache as example?
SELinux FAQ - mention chcon, use apache as example?
Status: CLOSED CURRENTRELEASE
Product: Fedora Documentation
Classification: Fedora
Component: selinux-faq (Show other bugs)
devel
All Linux
medium Severity medium
: ---
: ---
Assigned To: Karsten Wade
Tammy Fox
http://people.redhat.com/kwade/fedora...
: FutureFeature
Depends On:
Blocks: 118757
  Show dependency treegraph
 
Reported: 2004-12-21 11:57 EST by Idcmp
Modified: 2007-04-18 13:17 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-12-31 12:56:34 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Idcmp 2004-12-21 11:57:12 EST
Please include a mention of 'chcon' in the FAQ.  Possibly use an 
example of manually adding apache-accessible files to the system.
Comment 1 Karsten Wade 2004-12-21 13:53:47 EST
Set to block tracker bug#118757.  I'll include this addition in the
next round of updates.
Comment 2 Karsten Wade 2004-12-31 12:56:34 EST
Included in 1.3-5, coming live soon.
Comment 3 Karsten Wade 2004-12-31 12:59:09 EST
Forgot to include the text as it appears in the FAQ.

## begin new Q/A


Q: How do I make a user public_html directory work under SELinux?

A: This process presumes that you have enabled user public HTML directories in
Apache HTTP configuration (/etc/httpd/conf/httpd.conf). This process only covers
serving static Web content. For more information about Apache HTTP and SELinux,
refer to http://fedora.redhat.com/docs/selinux-apache-fc3/.

   1. If you do not already have one, you will need to create the public_html
directory and populate it with the files and folders to be served.

cd ~
mkdir public_html
cp /path/to/content ~/public_html

   2. At this point, httpd is configured to serve the contents, but you will
still receive a 403 forbidden error. This is because httpd is not allowed to
read the security type for the directory and files as they are created in the
user's home directory. To solve this, change the security context of the folder
and its contents recursively using the -R option:

ls -Z -d
drwxrwxr-x  auser    auser    user_u:object_r:user_home_t      public_html
chcon -R -t httpd_user_content_t
ls -Z -d public_html/
drwxrwxr-x  auser    auser    user_u:object_r:httpd_user_content_t public_html/
ls -Z public_html/
-rw-rw-r--  auser    auser    user_u:object_r:httpd_user_content_t bar.html
-rw-rw-r--  auser    auser    user_u:object_r:httpd_user_content_t baz.html
-rw-rw-r--  auser    auser    user_u:object_r:httpd_user_content_t foo.html

     You may notice at a later date that the user field, set here to user_u, is
changed to system_u. This does not affect how the targeted policy works; the
field that matters is the type field.

   3. You should now be able to serve the static webpages. If you continueto
have errors, check to see that the Boolean that enables user home directories is
enabled. This can be set using system-config-securitylevel, under the SELinux
tab within the Modify SELinux Policy area, enabling Allow HTTPD to read home
directories. The changes take effect immediately. 

## 30 ##

Note You need to log in before you can comment on or make changes to this bug.