[CentOS] Apache, SELinux, and document root on a different partition
Kenneth Porter
shiva at sewingwitch.com
Mon Dec 1 20:26:20 UTC 2008
On Monday, December 01, 2008 10:26 AM -0500 Rick Barnes
<linux at sitevision.com> wrote:
> Try this:
>
># grep httpd /var/log/audit/audit.log | audit2why
>
> The output should explain why you are getting the permission denials.
Alas, it didn't really tell me more than what I could see in the log lines.
What helped was to download the source RPM for the policy:
selinux-policy-2.4.6-137.el5.src.rpm
This is like a kernel source package, and has all the text files that are
compiled to become the installed binary policy. Hence, it's very handy for
grepping through to understand how all the rules work. It also identified
that there's a man page full of handy sebools for more fine-grained control
of the web server policy. Use "man httpd_selinux" to view it.
Looking more carefully at my log lines, I realized that the "/" being
referred to was not the "real" root but the root of the mounted device, and
it had type file_t. That's not a directory type that Apache is allowed to
search. For now, I've changed it to var_t, which is one that's allowed, and
things now work.
chcon -t var_t /mnt/bigdisk2
More information about the CentOS
mailing list