Red Hat Bugzilla – Bug 469447
Unable to expose ISO through httpd due to SELinux
Last modified: 2008-12-21 03:34:50 EST
Created attachment 322139
Contents of the SELinux alert
I ran the following commands as root, intending to use my local web server as a source for a network install on a nearby machine:
mount -o loop -t iso9660 /backup/f10-snap3/Fedora-10-Snap3-x86_64-DVD/Fedora-10-Snap3-x86_64-DVD.iso /var/www/html/fedora/
When I tried to access the file via HTTP, I got an SELinux denial alert, which said:
"If you want to change the file context of /var/www/html/fedora so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t '/var/www/html/fedora'."
However, when I do this, I get an error:
chcon: failed to change context of `/var/www/html/fedora' to `system_u:object_r:httpd_sys_content_t:s0': Read-only file system
I'm not sure there's a good security reason for denying Apache access to subdirectories of /var/www/html/, but in any case it would be nice if whatever solution is suggested by the system actually works. For now, I'm disabling SELinux so I can proceed with my installation.
This is with selinux-policy-targeted-3.3.1-103.fc9.noarch and httpd-2.2.9-1.fc9.i386.
mount -o loop,context="system_u:object_r:httpd_sys_content_t:s0" -t iso9660
Fix the problem?
This should just be allowed; added policy for RHEL5, F10 and Rawhide.
Should be added to F9 policy.
Fixed in selinux-policy-3.3.1-115.fc9.noarch
selinux-policy-3.3.1-115.fc9 has been submitted as an update for Fedora 9.
selinux-policy-3.3.1-115.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing-newkey update selinux-policy'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-11122
selinux-policy-3.3.1-116.fc9 has been submitted as an update for Fedora 9.
Sorry for the slow response; selinux-policy-3.3.1-115.fc9.noarch fixes the problem. Thanks!
selinux-policy-3.3.1-115.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
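The failure mode in this report, as an added example that is not part of the original thread: a read-only mount under the web root cannot be relabelled with chcon, so its label has to come from a context= mount option. The script below flags such mounts in /proc/mounts-format input; the function names, status words and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): classify mounts under a web root by
# whether their SELinux label can still be changed after mounting.

# Constructed sample in /proc/mounts format: device, mount point, type, options.
SAMPLE_MOUNTS='/dev/sda2 / ext3 rw,relatime 0 0
/dev/loop0 /var/www/html/fedora iso9660 ro,relatime 0 0
/dev/loop1 /var/www/html/rawhide iso9660 ro,relatime,context=system_u:object_r:httpd_sys_content_t:s0 0 0
/dev/sdb1 /var/www/html/uploads ext3 rw,relatime 0 0'

# has_opt OPTIONS NAME: succeed if NAME or NAME=value is one of the
# comma-separated mount options (fscontext= does not count as context=).
has_opt() {
    case ",$1," in
        *",$2,"*|*",$2="*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_web_mounts WEB_ROOT: read /proc/mounts-format lines on stdin and print
# one status line per mount located at or below WEB_ROOT.
audit_web_mounts() {
    root=${1%/}
    while read -r dev mnt fstype opts _rest; do
        case "$mnt" in
            "$root"|"$root"/*) ;;
            *) continue ;;
        esac
        if has_opt "$opts" context; then
            # Label was fixed at mount time; nothing to relabel.
            echo "LABELLED $mnt"
        elif has_opt "$opts" ro; then
            # chcon fails here with "Read-only file system"; remount with
            # context= as suggested in the thread.
            echo "NEEDS_CONTEXT $mnt $fstype"
        else
            # Writable mount: the label can still be changed in place.
            echo "WRITABLE $mnt"
        fi
    done
}

# Demo on the constructed sample; on a live host use:
#   audit_web_mounts /var/www/html < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_web_mounts /var/www/html
```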