Bug 163625 - selinux prevents httpd mod_userdir from working
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
Reported: 2005-07-19 16:50 UTC by long
Modified: 2007-11-30 22:11 UTC (History)
Doc Type: Bug Fix
Last Closed: 2005-07-19 17:42:19 UTC



Description long 2005-07-19 16:50:56 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.7.8-2

Description of problem:
httpd_enable_homedirs is set to active however a simple request of http://localhost/~username fails.  In the httpd error_log I get:

[Tue Jul 19 11:28:33 2005] [error] [client 127.0.0.1] (13)Permission denied: access to /~long denied

If I set httpd_disable_trans active then it works just fine.



Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.25.2-4

How reproducible:
Always

Steps to Reproduce:
1. Start apache with httpd_disable_trans not active
2. Try to access http://localhost/~username
3.
  

Actual Results:  Get Access Denied and message in httpd error_log.


Expected Results:  Should have seen normal web page.


Additional info:

n/a

Comment 1 Daniel Walsh 2005-07-19 17:26:05 UTC
Are you seeing avc messages?  Are you using ~long/public_html?

If yes can you restorecon -R -v ~long/public_html

Dan

Comment 2 long 2005-07-19 17:31:28 UTC
Wow, restorecon made a lot of noise but that seems to have fixed it.  I believe
there were some avc messages previously.  Would you like me to provide those or
is this a case of user error?



Comment 3 Daniel Walsh 2005-07-19 17:42:19 UTC
User error would be harsh.

In the man page this is discussed.

man httpd_selinux
...
       httpd  by  default is not allowed to access users home directories.  If
       you want to allow access to users home directories you need to set  the
       httpd_enable_homedirs  boolean and change the context of the files that
       you want people to access off the home dir.

              setsebool -P httpd_enable_homedirs 1
              chcon -R -t httpd_sys_content_t ~user/public_html


Comment 4 long 2005-07-19 17:45:32 UTC
aha!  I didn't know about that man page.  Thanks for pointing me to it.
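
Added example, not part of the original bug report or of any project's code: a small shell check for the two conditions the man page excerpt in Comment 3 names, the httpd_enable_homedirs boolean and the httpd_sys_content_t type on the files under public_html. The function names and the sample boolean and label listings are constructed for illustration; the sample reproduces the reported case, where the boolean was already set but the files still carried a home directory type.

```shell
#!/bin/sh
# Added example: checks the two conditions named in the httpd_selinux excerpt.
# Function names and sample data below are constructed for illustration.

# bool_on: reads `getsebool NAME` output on stdin; succeeds if enabled.
# Assumption: state is the third word; "active" (the report's word) counts as on.
bool_on() {
    read -r _name _arrow state _rest || true
    case $state in on|active) return 0 ;; *) return 1 ;; esac
}

# mislabeled TYPE: reads "<context> <path>" lines on stdin and prints
# "<type><TAB><path>" for every path whose type (3rd ':' field) is not TYPE.
mislabeled() {
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        t=$(printf '%s\n' "$ctx" | cut -d: -f3)
        [ "$t" = "$1" ] || printf '%s\t%s\n' "$t" "$path"
    done
}

# diagnose BOOL_OUTPUT LABEL_LISTING DIR: prints the man page's command for
# each condition that is not met; prints nothing when both are satisfied.
diagnose() {
    printf '%s\n' "$1" | bool_on || echo "setsebool -P httpd_enable_homedirs 1"
    if [ -n "$(printf '%s\n' "$2" | mislabeled httpd_sys_content_t)" ]; then
        echo "chcon -R -t httpd_sys_content_t $3"
    fi
}

# Constructed sample: boolean enabled, two of three paths still carry a home type.
SAMPLE_BOOL='httpd_enable_homedirs --> active'
SAMPLE_LABELS='user_u:object_r:user_home_t /home/long/public_html
user_u:object_r:user_home_t /home/long/public_html/index.html
user_u:object_r:httpd_sys_content_t /home/long/public_html/ok.html'

diagnose "$SAMPLE_BOOL" "$SAMPLE_LABELS" /home/long/public_html

# On an SELinux host, feed it live data instead (GNU stat prints the context with %C):
#   diagnose "$(getsebool httpd_enable_homedirs)" \
#       "$(find ~long/public_html -exec stat -c '%C %n' {} +)" ~long/public_html
```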


