SCIENTIFIC-LINUX-USERS Archives

April 2012

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Wed, 4 Apr 2012 01:27:18 +0900
On 04/04/2012 01:05 AM, Mike Chan wrote:
>> *From:* Tam Nguyen:
>>
>> Mike,
>> the link provided some clues, but you got to put them together. For
>> example, in your vhost configuration, you need to have this parameter,
>> which is mentioned in the discussion:
>>
>>     Options FollowSymLinks
>>
>>
>> but that alone is not enough. If the original file is on your local
>> server, then you need to validate its SELinux security context type to
>> match your vhost's SELinux security context type.
>> This is what you need:
>> httpd_sys_content_t
>
> Hi Tam,
> I'm sorry the discussion in the link did not mention SELinux. How do I
> find this SELinux type? I am not familiar with SELinux.

Mike,

This depends on where your document root is for your vhost. If your html 
files are in /var/www/html someplace then you should be OK with the 
normal SELinux settings. If your html files are in 
/home/yourname/public-html or some place like that you will need to 
change the SELinux context for the directory tree that the html files 
are in *and* you will need to set some SELinux booleans that give Apache 
permission to see outside of /var/www.

A quick rundown on SELinux permissions:
	An "SELinux context" is just like another type of file permission, but 
it is more detailed. Normal Unix file permissions look like this (using 
the command "ls -l"):

[ceverett@taco www]$ ls -l
drwxr-xr-x. 4 root root  4096 Mar 19 15:37 stat
drwxr-xr-x. 2 root root  4096 Apr  3 00:07 wsgi-sc

The "drwxr-xr-x" part is the normal permissions like you're probably 
used to seeing already, along with the owner of the directories in my 
/var/www directory.

SELinux contexts are additional permissions that act sort of like 
permission zones. You can see them by using the "ls -Z" command:

[ceverett@taco www]$ ls -Z
drwxr-xr-x. root root  system_u:object_r:httpd_sys_content_t:s0 stat
drwxr-xr-x. root root  system_u:object_r:httpd_sys_content_t:s0 wsgi-sc

Now look at the difference between these permissions and a directory in 
my home folder:

[ceverett@taco ~]$ ls -Z
drwxrwxr-x. ceverett ceverett unconfined_u:object_r:home_bin_t:s0 bin
drwxrwxr-x. ceverett ceverett unconfined_u:object_r:user_home_t:s0 Code

You see that there are a few different context types listed. This is the 
kind of thing that must change for Apache to see into a place other than 
/var/www.

To set Unix permissions you use the command "chmod", but to change 
SELinux permissions you use the command "chcon".

I suggest reading "man chcon" a little to understand what is going on 
before you just start going crazy chconning everything.

-z
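
Added example, not part of the original message: a read-only check that pulls the type out of each SELinux context in "ls -Z" output and lists the entries whose type is not httpd_sys_content_t. The function names and the sample listing are constructed for illustration; it assumes "ls -Z" output (with or without the mode/owner/group columns), not "ls -lZ".

```shell
#!/bin/sh
# Type Apache content is expected to carry, as named in the thread.
WANT_TYPE="httpd_sys_content_t"

# Read `ls -Z` output on stdin and print "<type> <name>" per entry.
# The context is found by its user:role:type:level shape, so it does not
# matter whether ls printed mode/owner/group columns in front of it.
selinux_types() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[^:]+:[^:]+:[^:]+:/) {
                split($i, ctx, ":")
                name = $(i + 1)
                for (j = i + 2; j <= NF; j++) name = name " " $j
                print ctx[3], name
                next
            }
        }
    }'
}

# Print the names of entries whose type differs from $1 (default WANT_TYPE).
mismatched() {
    selinux_types |
        awk -v want="${1:-$WANT_TYPE}" '$1 != want { sub(/^[^ ]+ /, ""); print }'
}

# Constructed listing: a document root that mixes /var/www-style labels
# with files still carrying home-directory labels.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x. root root  system_u:object_r:httpd_sys_content_t:s0 stat
drwxrwxr-x. ceverett ceverett unconfined_u:object_r:user_home_t:s0 Code
-rw-r--r--. ceverett ceverett unconfined_u:object_r:user_home_t:s0 index.html
EOF
}

# On a real system, replace sample_listing with: ls -Z /path/to/docroot
sample_listing | mismatched
```

Entries it prints are the ones whose context would need attention before Apache can serve them.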
