Bug 163625 - selinux prevents httpd mod_userdir from working
Summary: selinux prevents httpd mod_userdir from working
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2005-07-19 16:50 UTC by long
Modified: 2007-11-30 22:11 UTC (History)
0 users

Clone Of:
Last Closed: 2005-07-19 17:42:19 UTC



Description long 2005-07-19 16:50:56 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.7.8-2

Description of problem:
httpd_enable_homedirs is set to active; however, a simple request of http://localhost/~username fails. In the httpd error_log I get:

[Tue Jul 19 11:28:33 2005] [error] [client 127.0.0.1] (13)Permission denied: access to /~long denied

If I set httpd_disable_trans active then it works just fine.



Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.2-4

How reproducible:
Always

Steps to Reproduce:
1. Start apache with httpd_disable_trans not active
2. Try to access http://localhost/~username
3.
  

Actual Results:  Get Access Denied and message in httpd error_log.


Expected Results:  Should have seen normal web page.


Additional info:

n/a

Comment 1 Daniel Walsh 2005-07-19 17:26:05 UTC
Are you seeing avc messages?  Are you using ~long/public_html?

If yes, can you restorecon -R -v ~long/public_html?

Dan

Comment 2 long 2005-07-19 17:31:28 UTC
Wow, restorecon made a lot of noise but that seems to have fixed it.  I believe
there were some avc messages previously.  Would you like me to provide those or
is this a case of user error?



Comment 3 Daniel Walsh 2005-07-19 17:42:19 UTC
User error would be harsh.

In the man page this is discussed.

man httpd_selinux
...
       httpd  by  default is not allowed to access users home directories.  If
       you want to allow access to users home directories you need to set  the
       httpd_enable_homedirs  boolean and change the context of the files that
       you want people to access off the home dir.

              setsebool -P httpd_enable_homedirs 1
              chcon -R -t httpd_sys_content_t ~user/public_html


Comment 4 long 2005-07-19 17:45:32 UTC
Aha! I didn't know about that man page. Thanks for pointing me to it.
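
The man page excerpt in comment 3 names two requirements: the httpd_enable_homedirs boolean and the httpd_sys_content_t type on the served files. The script below is an added example, not part of the bug thread or the policy package, that checks both; its function names are hypothetical, the sample contexts are constructed, and it assumes getsebool and GNU stat (for %C) are installed.

```shell
#!/bin/sh
# Added example (not from the bug thread): audit labels under public_html.
# Function names are hypothetical; the expected type is the one named in
# the httpd_selinux man page excerpt quoted in comment 3.
EXPECTED_TYPE="${EXPECTED_TYPE:-httpd_sys_content_t}"

# Print the type field of a context "user:role:type[:level]".
# An MLS level may itself contain ':', so only field 3 is taken.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "<context> <path>" lines on stdin and print each path whose type is
# not $EXPECTED_TYPE. Returns 0 only when every path is labelled as expected.
find_mislabeled() {
    bad=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        if [ "$(selinux_type "$ctx")" != "$EXPECTED_TYPE" ]; then
            printf '%s\n' "$path"
            bad=1
        fi
    done
    return "$bad"
}

# Live check: show the boolean, then list mislabelled paths under "$1".
# Assumes getsebool and GNU stat (%C prints the SELinux context).
check_userdir() {
    getsebool httpd_enable_homedirs
    find "$1" -exec stat -c '%C %n' {} + | find_mislabeled
}

if [ $# -gt 0 ]; then
    check_userdir "$1" || echo "paths listed above need relabelling" >&2
else
    # Constructed sample input, so the script also runs without SELinux.
    printf '%s\n' \
        'user_u:object_r:user_home_t /home/long/public_html' \
        'system_u:object_r:httpd_sys_content_t /home/long/public_html/index.html' \
        | find_mislabeled || true
fi
```

Pass a directory such as ~long/public_html to check live labels; the paths it prints are the ones the chcon or restorecon commands quoted in the thread would need to cover.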


