[CentOS] Apache, SELinux, and document root on a different partition

Mon Dec 1 20:26:20 UTC 2008
Kenneth Porter <shiva at sewingwitch.com>

On Monday, December 01, 2008 10:26 AM -0500 Rick Barnes 
<linux at sitevision.com> wrote:

> Try this:
>
> # grep httpd /var/log/audit/audit.log | audit2why
>
> The output should explain why you are getting the permission denials.

Alas, it didn't really tell me more than what I could see in the log lines.

What helped was to download the source RPM for the policy:

selinux-policy-2.4.6-137.el5.src.rpm

This is like a kernel source package, and has all the text files that are 
compiled to become the installed binary policy. Hence, it's very handy for 
grepping through to understand how all the rules work. It also identified 
that there's a man page full of handy sebools for more fine-grained control 
of the web server policy. Use "man httpd_selinux" to view it.

Looking more carefully at my log lines, I realized that the "/" being 
referred to was not the "real" root but the root of the mounted device, and 
it had type file_t. That's not a directory type that Apache is allowed to 
search. For now, I've changed it to var_t, which is one that's allowed, and 
things now work.

chcon -t var_t /mnt/bigdisk2
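An added example, not part of Kenneth's message or of the CentOS policy package, that does mechanically what he did by reading the log: parse the AVC denial records out of audit.log, pull out the source and target types, the device and the object name, and flag the case where the target carries the unlabelled `file_t` type. The audit lines below are constructed for illustration (the field layout follows the `type=AVC` record format of the 2.x audit daemon); the `file_t`/`unlabeled_t` set and the hint strings are this example's own choices.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample audit.log content (not copied from the poster's system).
# Record 1 is the case from the thread: name="/" is the root of the filesystem
# on sdb1 (the mounted data disk), not the system root, and it carries file_t.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1228160123.456:1001): avc:  denied  { search } for  pid=2468 comm="httpd" name="/" dev=sdb1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1228160123.456:1001): arch=c000003e syscall=4 success=no exit=-13 items=0 ppid=1 pid=2468 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1228160130.789:1002): avc:  denied  { getattr } for  pid=2468 comm="httpd" path="/mnt/bigdisk2/www/index.html" dev=sdb1 ino=4711 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1228160140.000:1003): avc:  denied  { read } for  pid=2470 comm="httpd" name="index.html" dev=sda2 ino=9001 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

# Types that mean "this object has no label at all" (file_t on RHEL/CentOS 5,
# unlabeled_t in later policies). No domain is allowed to touch them.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the interesting fields of one AVC denial, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    # A context is user:role:type[:level]; the type is the third component.
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name"),
        "dev": fields.get("dev"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass"),
    }


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse every AVC denial in an audit.log excerpt, skipping SYSCALL and other records."""
    return [d for d in (parse_avc(l) for l in text.splitlines()) if d is not None]


def summarize(text: str) -> Dict[Tuple[str, str], Set[str]]:
    """Group denied permissions by (target type, object class), like a terse audit2why."""
    summary: Dict[Tuple[str, str], Set[str]] = {}
    for d in parse_log(text):
        summary.setdefault((d["ttype"], d["tclass"]), set()).update(d["perms"])
    return summary


def explain(d: Dict[str, object]) -> str:
    """Turn one parsed denial into the hint a reader of the raw log has to work out by hand."""
    perms = "/".join(d["perms"])
    where = f"{d['target']} (dev={d['dev']})"
    if d["target"] == "/":
        # name="/" is relative to the filesystem on dev, so it is the mount point
        # of that device unless dev is the root filesystem itself.
        where += ", i.e. the root of the filesystem on that device, not necessarily /"
    if d["ttype"] in UNLABELED_TYPES:
        return (f"{where} is {d['ttype']}: the filesystem has never been labelled, so "
                f"{d['stype']} may not {perms} it; give the mount point a type the "
                f"policy lets httpd search (see man httpd_selinux)")
    return f"{d['stype']} may not {perms} a {d['tclass']} of type {d['ttype']} at {where}"


if __name__ == "__main__":
    for denial in parse_log(SAMPLE_AUDIT_LOG):
        print(explain(denial))
    for (ttype, tclass), perms in sorted(summarize(SAMPLE_AUDIT_LOG).items()):
        print(f"{ttype:>14} {tclass:<5} {' '.join(sorted(perms))}")
```

On a real system the same logic would be fed `grep httpd /var/log/audit/audit.log`. One caveat on the fix in the message above: a context set with `chcon` lives only in the inode's extended attribute and is replaced by the policy default on the next `restorecon` or filesystem relabel; to make a mapping for a whole data disk permanent, add it with `semanage fcontext -a -t <type> '/mnt/bigdisk2(/.*)?'` and then run `restorecon -R /mnt/bigdisk2`, which also labels the files beneath the mount point rather than only the directory itself.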