Posted to users@httpd.apache.org by Bill Tangren <bj...@aa.usno.navy.mil> on 2006/01/26 23:02:35 UTC

[users@httpd] making apache work with SELinux

Hello all,

I hope I'm addressing this question to the correct group.

I am trying to run apache (version 2.0.52-22) on a RedHat system (kernel version 
2.6.9-22.0.2), and SELinux is preventing access to the site (Forbidden).

I have done quite a bit of googling on this, including the archives for this 
list, and haven't found the answer. So, here goes.

We have our web pages in directory /home/httpd. The cgi apps are in 
/home/httpd/cgi-bin, and the logs are in /home/httpd/logs.

I used chcon on the root directory first:

# chcon -R -t httpd_sys_content_t /home/httpd

This allowed the server to start (the server needed permission to access the 
logs) and it made the home page appear in my web browser. I then used this 
command again on the cgi-bin directory:

# chcon -R -t httpd_sys_script_exec_t /home/httpd/cgi-bin

This made the scripts work. The problem comes in because some of these cgi's 
call binary executables, which reside in /home/httpd/bin, and THOSE executables 
call data files located in /home/httpd/data.

I could not get the binaries to execute at all at first. Then I executed this:

# chcon -R -t httpd_sys_script_exec_t /home/httpd/bin

without knowing whether or not it was proper to do so. This *seems* to make the 
binaries start execution, but they seem to fail when trying to access the data 
files. Those data files are located in a directory that has *.html files, so I 
didn't change the SELinux properties of that directory, but I *did* change them 
on the data files. No joy. I'm not even sure *what* I should change those 
properties to, anyway.

Does anyone know how to fix this?

TIA,

Bill Tangren

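One way to see which label is actually being refused when the binaries reach for their data files, as an added example that is not part of the original post: it tallies SELinux AVC denial records by source type, target type, object class and permission. The log lines are constructed samples, and the function names, the `ephem` binary name and the `user_home_t` labels are assumptions for illustration.

```shell
#!/bin/sh
# Added example: tally SELinux AVC denials by source type, target type,
# object class and permission, to show which label the policy is refusing.

# Constructed sample records (not from the original post). The binary name
# "ephem" and the user_home_t labels are assumptions for illustration.
sample_avc_log() {
cat <<'EOF'
Jan 26 17:40:01 host kernel: audit(1138315201.101:0): avc:  denied  { search } for  pid=4021 comm="ephem" name="data" dev=dm-0 ino=98300 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:object_r:user_home_t tclass=dir
Jan 26 17:40:01 host kernel: audit(1138315201.105:0): avc:  denied  { read } for  pid=4021 comm="ephem" name="table.dat" dev=dm-0 ino=98311 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:object_r:user_home_t tclass=file
Jan 26 17:40:02 host httpd: unrelated line that must be ignored
Jan 26 17:40:09 host kernel: audit(1138315209.220:0): avc:  denied  { read } for  pid=4030 comm="ephem" name="index.dat" dev=dm-0 ino=98312 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:object_r:user_home_t tclass=file
EOF
}

# Reads log text from the named files (or stdin) and prints one line per
# distinct denial: "<count> <source type> -> <target type>:<class> { perms }".
summarise_avc() {
  awk '
    /avc:[ ]+denied/ {
      perms = src = tgt = cls = ""
      # The permission list sits between braces: "{ read write }".
      if (match($0, /[{][^}]*[}]/))
        perms = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        # A context is user:role:type[:level]; the third part is the type.
        if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
        if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      count[src " -> " tgt ":" cls " { " perms " }"]++
    }
    END { for (k in count) print count[k], k }
  ' "$@" | sort -k2
}

# Stand-alone run over the constructed sample.
sample_avc_log | summarise_avc
```

To use it on a real system, pass the file that receives the kernel's AVC messages as an argument to `summarise_avc`; the target type in each line is the label the denied file or directory currently carries.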