06-14-2008, 03:05 PM
Craig White

simple question with home serving ruby on rails web site

I'm running in permissive mode so all I'm getting is warnings but I'm
wondering the best way to solve this...

error every time httpd starts...

SELinux has denied httpd access to potentially mislabeled file(s)
(./svn-new). This means that SELinux will not allow httpd to use these
files. It is common for users to edit files in their home directory or
tmp directories and then move (mv) them to system directories. The
problem is that the files end up with the wrong file context which
confined applications are not allowed to access.

Allowing Access

If you want httpd to access this files, you need to relabel them using
restorecon -v './svn-new'. You might want to relabel the entire
directory using restorecon -R -v './svn-new'.

Additional Information

Source Context: system_u:system_r:httpd_t:SystemLow-SystemHigh
Target Context: user_u:object_r:user_home_t
Target Objects: ./svn-new [ dir ]
Source: httpd
Source Path: /usr/sbin/httpd


/home/craig/svn-new is an svn checkout and is the 'RAILS ROOT' directory
for the web server.

$ ls -ldZ /home/craig/svn-new/
drwxrwxr-x craig craig user_u:object_r:user_home_t /home/craig/svn-new/

This is on Fedora 9. In the past, I could have used
system-config-security and set selinux to allow web page serving from
user home directories but I don't see that tool any more.

What's the best way to handle this?

Craig


--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
06-14-2008, 03:51 PM
Paul Howarth

simple question with home serving ruby on rails web site

On Sat, 14 Jun 2008 08:05:56 -0700
Craig White <craigwhite@azapple.com> wrote:

> I'm running in permissive mode so all I'm getting is warnings but I'm
> wondering the best way to solve this...
>
> error every time httpd starts...
>
> SELinux has denied httpd access to potentially mislabeled file(s)
> (./svn-new). This means that SELinux will not allow httpd to use these
> files. It is common for users to edit files in their home directory or
> tmp directories and then move (mv) them to system directories. The
> problem is that the files end up with the wrong file context which
> confined applications are not allowed to access.
>
> Allowing Access
>
> If you want httpd to access this files, you need to relabel them using
> restorecon -v './svn-new'. You might want to relabel the entire
> directory using restorecon -R -v './svn-new'.
>
> Additional Information
>
> Source Context: system_u:system_r:httpd_t:SystemLow-SystemHigh
> Target Context: user_u:object_r:user_home_t
> Target Objects: ./svn-new [ dir ]
> Source: httpd
> Source Path: /usr/sbin/httpd
>
>
> /home/craig/svn-new is an svn checkout and is the 'RAILS ROOT'
> directory for the web server.
>
> $ ls -ldZ /home/craig/svn-new/
> drwxrwxr-x craig craig user_u:object_r:user_home_t /home/craig/svn-new/
>
> This is on Fedora 9. In the past, I could have used
> system-config-security and set selinux to allow web page serving from
> user home directories but I don't see that tool any more.
>
> What's the best way to handle this?

Easiest is just to fix the contexts of the files:

# semanage fcontext -a -t httpd_sys_content_t '/home/craig/svn-new(/.*)?'
# restorecon -rv /home/craig/svn-new

I'm not familiar with rails or how you maintain your svn checkout, so
httpd_sys_content_t may not be the appropriate type for all of the
content (are there any scripts in there, are you uploading content via
ftp, samba, etc.?). Since you're in permissive mode, it's not going to
cause you any problem other than possibly different warnings though.
If you maintain the checkout by manually doing an "svn update" from
your regular account, and the content isn't "executed" by httpd,
httpd_sys_content_t should be fine.

Paul.
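
Added example, not part of the original thread: a check that can be run after the relabel above, and again after files are moved into the tree, to list anything still carrying a type other than the one requested. The function names and the sample listing are constructed for illustration; on a live system the input would come from GNU stat, as noted in the comments.

```shell
#!/bin/sh
# Input format: "<context> <path>", one entry per line, as printed by
#   find /home/craig/svn-new -exec stat -c '%C %n' {} +

# Print the type field of a context (user:role:type[:level]).
# The level is optional and may itself contain colons (s0:c0.c1023),
# so the type is always the third colon-separated field.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "<context> <path>" lines on stdin and print "<type><TAB><path>"
# for every entry whose type is not $1.
# Returns 0 when everything matches, 1 when something is mislabeled.
mislabeled() {
    want=$1
    bad=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        have=$(context_type "$ctx")
        if [ "$have" != "$want" ]; then
            printf '%s\t%s\n' "$have" "$path"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample listing (file names below svn-new are hypothetical):
# two entries already relabeled, two still carrying user_home_t, one of
# them with a space in its name and one with a multi-part MLS level.
sample_listing() {
    cat <<'EOF'
system_u:object_r:httpd_sys_content_t:s0 /home/craig/svn-new
system_u:object_r:httpd_sys_content_t:s0 /home/craig/svn-new/public/index.html
user_u:object_r:user_home_t /home/craig/svn-new/app/new controller.rb
unconfined_u:object_r:user_home_t:s0:c0.c1023 /home/craig/svn-new/log/production.log
EOF
}

sample_listing | mislabeled httpd_sys_content_t || echo "relabel needed"
```

Any path it prints is one that restorecon -rv /home/craig/svn-new would be expected to relabel once the semanage fcontext rule is in place.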
