[CentOS] Re: Digest Subscriber needs help with SELinux file context setting

James B. Byrne byrnejb at harte-lyne.ca
Tue Dec 18 21:17:47 UTC 2007


Filipe Brandenburger filbranden at gmail.com at Tue Dec 18 19:06:50 UTC
2007 wrote:

> Hi,
>
> I'm no SELinux expert, but I think the issue is that under SELinux's
> targeted policy, Apache will refuse to write to a directory with etc_t
> type.  It can, however, write to a directory with the httpd_log_t
> type, such as /var/log/httpd. Couldn't you just write the logs to
> /var/log/httpd instead? As these seem to be logs, writing them under
> the /var/log directory tree seems to be more appropriate.

True, very true, but these are rewrite logs and I only have the logging
turned on when I am developing and testing new rules (or debugging old
ones). So I find it convenient to have the log and the configuration file
in the same directory.

> Alternatively, you can change the type of the directory you're writing
> to by using "chcon -t httpd_log_t /etc/httpd/virtual.d", but if you
> have other files (other than these log files) on this directory you may
> have other unexpected collateral effects.

I will examine this aspect of policies further now that I have a starting
point.  I was very unclear as to what was going on here and this has
helped.

> Please note that I'm no SELinux expert though.

Never met one myself although I suppose that they exist in the wild. 
Thanks for the help.

Regards,
Jim


-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
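
The `chcon` suggestion quoted above, narrowed to a dedicated log subdirectory and made persistent, as an added example that is not part of either poster's message. The subdirectory name `rewrite-logs` is hypothetical, and `semanage` is assumed to be installed (it ships with policycoreutils).

```shell
#!/bin/sh
# Added example (not from the thread). Labels only a dedicated log
# subdirectory httpd_log_t, so the config files beside it keep their type.
# Default mode prints the commands; pass "apply" as third argument to run them.

# Print a command in dry-run mode, execute it in apply mode.
run() {
    if [ "$MODE" = "apply" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# $1 = config directory, $2 = log subdirectory name, $3 = dry-run | apply
label_log_subdir() (
    parent="${1%/}"; sub="$2"; MODE="${3:-dry-run}"

    # Refuse relative or empty paths so a typo cannot yield a rule on "/".
    case "$parent" in
        /?*) ;;
        *) echo "parent must be an absolute path" >&2; exit 2 ;;
    esac
    case "$sub" in
        ""|.|..|*/*) echo "bad subdirectory name" >&2; exit 2 ;;
    esac
    target="$parent/$sub"

    run mkdir -p "$target" || exit 1
    # Record the type in the local file-context store: unlike a bare chcon,
    # this survives restorecon and a full filesystem relabel.
    run semanage fcontext -a -t httpd_log_t "$target(/.*)?" || exit 1
    # Apply the stored rule to what is on disk.
    run restorecon -Rv "$target" || exit 1
    # Show both labels; the parent directory's type should be unchanged.
    run ls -dZ "$parent" "$target"
)

# Hypothetical usage, with the directory named in the thread:
#   label_log_subdir /etc/httpd/virtual.d rewrite-logs          # print only
#   label_log_subdir /etc/httpd/virtual.d rewrite-logs apply    # as root
```

The rewrite log path in the Apache configuration would then need to point inside the labeled subdirectory.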



