Description of problem:
The SELinux boolean httpd_enable_homedirs (and combined with httpd_read_user_content) is supposed to allow access to user home directories. It allows access to context user_home_t, but it doesn't allow access to context audio_home_t, which is the context of ~/Music. There are plenty of reasons why users may want to make their Music directories (or a symbolic link to them) visible under Apache, but it is impossible. httpd_enable_homedirs should also allow access to audio_home_t labeled files and dirs.

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-71.fc16.noarch

How reproducible:
Always

Steps to Reproduce:
1. Configure Apache httpd.conf to allow UserDir access and follow Symlinks.
2. ln -s ~/Music ~/public_html/Music
3. setsebool -P httpd_enable_homedirs 1 httpd_read_user_content 1
4. chcon -R -t httpd_sys_content_t ~/public_html
5. Browse to "~/"

Actual results:
Directory listing of all files in public_html, including symlinks to locations in home directory, *except* for Music. The following entry in /var/log/audit/audit.log:

type=AVC msg=audit(1327252544.527:1518): avc: denied { read } for pid=903 comm="httpd" name="Music" dev=dm-2 ino=16613395 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:audio_home_t:s0 tclass=dir

Expected results:
Music home directory should also be listed.

Additional info:
Yes, I suppose I can put my music somewhere else other than Music/, but it seems like a waste to have a special SELinux context that doesn't do what I want for music. If I want httpd to have access to user home directories, then surely I want it to be able to access audio_home_t as well as user_home_t labeled files.
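To triage a report like this one from the audit log, it helps to parse the AVC record into its fields and check whether the denied target type is home-directory content that the httpd homedir booleans are expected to cover. The following is an added example, not part of the bug report or of selinux-policy; the second log line and the home-type set are constructed for illustration (user_home_dir_t is included as an assumption alongside the two types named in the report).

```python
import re
from typing import Dict, List, Optional

# Constructed sample audit.log excerpt: the denial quoted in the report,
# plus a second home-directory denial and one non-AVC record for contrast.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1327252544.527:1518): avc: denied { read } for pid=903 comm="httpd" name="Music" dev=dm-2 ino=16613395 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:audio_home_t:s0 tclass=dir
type=AVC msg=audit(1327252601.100:1522): avc: denied { getattr } for pid=903 comm="httpd" path="/home/alice/public_html/notes.txt" dev=dm-2 ino=16613400 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1327252544.527:1518): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"
"""

# Home-directory content types a homedir boolean is expected to cover
# (user_home_t already is; audio_home_t is the one denied in the report;
# user_home_dir_t is an assumed addition for the ~ directory itself).
HOME_CONTENT_TYPES = {"user_home_t", "user_home_dir_t", "audio_home_t"}

AVC_RE = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return decision, permission list and key=value fields of an AVC record,
    or None for any other audit record type (SYSCALL, PATH, ...)."""
    m = AVC_RE.search(line)
    if not m or not line.startswith("type=AVC"):
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {"decision": m.group("decision"), "perms": m.group("perms").split(), "fields": fields}


def context_type(context: str) -> str:
    """The third colon-separated field of an SELinux context is the type."""
    return context.split(":")[2]


def httpd_home_denials(log: str) -> List[Dict[str, str]]:
    """Denials where httpd_t was refused access to home-directory content,
    i.e. the denials that httpd_enable_homedirs is meant to resolve."""
    hits = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        f = rec["fields"]
        ttype = context_type(f["tcontext"])
        if context_type(f["scontext"]) == "httpd_t" and ttype in HOME_CONTENT_TYPES:
            hits.append({"perm": " ".join(rec["perms"]), "target_type": ttype,
                         "tclass": f["tclass"], "object": f.get("path") or f.get("name", "?")})
    return hits


if __name__ == "__main__":
    for hit in httpd_home_denials(SAMPLE_AUDIT_LOG):
        print(hit)
```

Feeding the real /var/log/audit/audit.log through httpd_home_denials shows at a glance which home content types the policy still blocks after the booleans are set.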
I added a fix to Rawhide. Will backport.
selinux-policy-3.10.0-74.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-74.fc16
Thanks, I tried the submitted package and it fixed the problem.
Could you update karma, please.
I'd love to, only I can't remember my Fedora account username (though I know the associated email address). The "forgot password" link requires that you know both your email address *and* username in order to reset the password. Unlike other websites, there's no option for retrieving username based on email address. It won't let me create another account for my email address because that email address is already in use. I know my bugzilla account, obviously, since I've used that more. If I comment on the update without logging in, it won't get real karma. My apologies.
Package selinux-policy-3.10.0-74.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-74.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-0983/selinux-policy-3.10.0-74.fc16
then log in and leave karma (feedback).
selinux-policy-3.10.0-74.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.