Recently I tried to add a new virtual host on my RHEL4 server, and added my own configuration file stanley.conf in /etc/http/conf.d/. But to my surprise, the browser told me that I was forbidden to access my virtual host. After checking the system log, I found a log entry like the following:
kernel: audit(1225360594.692:0): avc: denied { search } for pid=8372 exe=/usr/sbin/httpd name=mywebsite ino=2246112 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=dir
What caused this failure?
In fact, it is caused by the SELinux mechanism in RHEL4 (this article doesn't cover SELinux in detail; refer to other material for further information). The log entry shows that httpd, running in the httpd_t domain, was denied search permission on a directory labeled user_home_t. When a file is created, its security context is derived from its parent directory. So you have to make sure that the directory specified as the DocumentRoot of your virtual host has the security context required by Apache. The types related to Apache are listed in the following table:
| Context Code | Description |
|---|---|
| httpd_sys_content_t | The type used by regular static web pages with .html and .htm extensions. |
| httpd_sys_script_ro_t | Required for CGI scripts to read files and directories. |
| httpd_sys_script_ra_t | Same as the httpd_sys_script_ro_t type but also allows appending data to files by the CGI script. |
| httpd_sys_script_rw_t | Files with this type may be changed by a CGI script in any way, including deletion. |
| httpd_sys_script_exec_t | The type required for the execution of CGI scripts. |
You can check the directory's security context with the command:
ls -dZ /home/mywebsite
which prints the context of the directory itself (the -d option keeps ls from listing its contents instead), such as user_u:object_r:user_home_t.
To change the security context so that Apache can read the directory, use the chcon command, and then restart the Apache server:
chcon -R -h -t httpd_sys_content_t /home/mywebsite
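The diagnosis above can be automated. The following is an added example, not part of the original post: it parses an "avc: denied" line, checks whether httpd_t was blocked by a type outside the table above, and builds the chcon command used in this article. The function names and the second log line are made up for illustration; the first log line is the one quoted above.

```python
import re
import shlex

# Types from the table above that Apache content is expected to carry.
APACHE_CONTENT_TYPES = {
    "httpd_sys_content_t", "httpd_sys_script_ro_t", "httpd_sys_script_ra_t",
    "httpd_sys_script_rw_t", "httpd_sys_script_exec_t",
}
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

# The denial quoted in this article.
PAGE_LINE = ("kernel: audit(1225360594.692:0): avc: denied { search } for "
             "pid=8372 exe=/usr/sbin/httpd name=mywebsite ino=2246112 "
             "scontext=root:system_r:httpd_t "
             "tcontext=user_u:object_r:user_home_t tclass=dir")
# Constructed sample: the label is already an Apache type, so relabeling
# with chcon is not the answer to this denial.
CONSTRUCTED_LINE = ("kernel: audit(1225360600.000:0): avc: denied { write } "
                    "for pid=8372 exe=/usr/sbin/httpd name=index.html ino=100 "
                    "scontext=root:system_r:httpd_t "
                    "tcontext=user_u:object_r:httpd_sys_content_t tclass=file")

def parse_avc(line):
    """Return the fields of an 'avc: denied' line as a dict, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type, optionally followed by an MLS level.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def is_apache_label_problem(rec):
    """True if httpd_t was denied on an object lacking an Apache type."""
    return (rec["source_type"] == "httpd_t"
            and rec["target_type"] not in APACHE_CONTENT_TYPES)

def suggest_fix(rec, path):
    """Return the article's chcon command for 'path', or None. The path is
    supplied by the admin: the log holds only name= and ino=."""
    if not is_apache_label_problem(rec):
        return None
    return "chcon -R -h -t httpd_sys_content_t " + shlex.quote(path)

if __name__ == "__main__":
    for line in (PAGE_LINE, CONSTRUCTED_LINE):
        print(suggest_fix(parse_avc(line), "/home/mywebsite"))
```

For the denial quoted in this article it prints the same chcon command as above; for the constructed line it prints None, because the target already has an Apache type and relabeling would not change the outcome.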