Configure SELinux access so that Apache can access mounted directories


Question

I have a mounted directory from home in /var/www/html/ict. Allow user permissions are fine but still through the web browser I get 403 error.

SELinux I suspect does not allow files and directories coming from other locations. Can you help me add the relevant permission so that this can be fixed.

The error log from the audit file:

    type=AVC msg=audit(1395610534.041:179195): avc:  denied  { search } for  pid=18370 comm="httpd" name="upload" dev=dm-0 ino=2506938 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
    type=SYSCALL msg=audit(1395610534.041:179195): arch=c000003e syscall=4 success=no exit=-13 a0=7ffb5f863bc8 a1=7fff80a374c0 a2=7fff80a374c0 a3=0 items=0 ppid=3075 pid=18370 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
    type=AVC msg=audit(1395610534.043:179196): avc:  denied  { getattr } for  pid=18370 comm="httpd" path="/var/www/html/ict/farengine" dev=dm-0 ino=2506938 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
    type=SYSCALL msg=audit(1395610534.043:179196): arch=c000003e syscall=6 success=no exit=-13 a0=7ffb5f863cb0 a1=7fff80a374c0 a2=7fff80a374c0 a3=1 items=0 ppid=3075 pid=18370 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Answer

Rather than simply provide a link, but not completely rip off the content of that link, here's the rundown.

Install policycoreutils-python that contains SEMANAGE, to allow policy to be set up that will allow Apache to read, or read/write areas outside of the DocumentRoot.

    yum install -y policycoreutils-python

The article also mentioned a troubleshooting package, but my machine could not locate it.

Create policy for read-only areas that are a part of your application, outside of the DocumentRoot

    semanage fcontext -a -t httpd_sys_content_t "/webapps(/.*)?"

Create policy for logging directories

    semanage fcontext -a -t httpd_log_t "/webapps/logs(/.*)?"

Create policy for cache directories

    semanage fcontext -a -t httpd_cache_t "/webapps/cache(/.*)?"

Create policy for read/write areas that are outside of the DocumentRoot

    semanage fcontext -a -t httpd_sys_rw_content_t "/webapps/app1/public_html/uploads(/.*)?"

Apply the policy with the restorecon command

    restorecon -Rv /webapps

Verify the policy has been applied

    ls -lZ /webapps

That's it in a nutshell. The original article is nicer to read, however.
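The following shell helper is an added example and is not part of the question or the answer above. It does two things the answer leaves to the reader: it reads AVC records (the two lines from the question are embedded as constructed sample input; on a real host the source is /var/log/audit/audit.log) and prints, per httpd denial, which permission was refused on which object and under which target type, which makes it obvious that the directory carries user_home_t rather than an httpd_* type; and it prints the semanage/restorecon pair from the answer for a directory and a role (content, rw, logs, cache). The path /var/www/html/ict and the choice of httpd_sys_content_t for it are assumptions that match the question's setup; the script only prints the commands, it does not run them.

```shell
#!/bin/sh
# Added example (not from the question or answer): summarise httpd AVC
# denials and print the relabel commands the answer uses for a given path.

# Constructed sample input: the two AVC records quoted in the question.
# On a real host read /var/log/audit/audit.log instead.
SAMPLE_AVC='type=AVC msg=audit(1395610534.041:179195): avc:  denied  { search } for  pid=18370 comm="httpd" name="upload" dev=dm-0 ino=2506938 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1395610534.043:179196): avc:  denied  { getattr } for  pid=18370 comm="httpd" path="/var/www/html/ict/farengine" dev=dm-0 ino=2506938 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'

# Read AVC records on stdin and print one line per httpd denial:
#   <permission> <source type> <target type> <class> <object>
# The target type is the interesting column: user_home_t is not one of the
# httpd_* content types, which is why httpd_t is refused search/getattr.
summarize_httpd_avc() {
    awk '/type=AVC/ && /comm="httpd"/ {
        perm = ""; stype = ""; ttype = ""; cls = ""; obj = "?"
        # the permission set sits between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/)) { perm = substr($0, RSTART + 2, RLENGTH - 4) }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); stype = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); ttype = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            else if ($i ~ /^(path|name)=/) {
                sub(/^[a-z]+="/, "", $i); sub(/"$/, "", $i); obj = $i
            }
        }
        print perm, stype, ttype, cls, obj
    }'
}

# Print (do not run) the semanage/restorecon pair from the answer, choosing
# the file context type by the directory role. The "(/.*)?" suffix makes the
# rule cover the directory itself and everything below it.
fcontext_commands() {
    dir=$1
    role=$2
    case $role in
        content) t=httpd_sys_content_t ;;     # read-only web content
        rw)      t=httpd_sys_rw_content_t ;;  # content httpd may write
        logs)    t=httpd_log_t ;;
        cache)   t=httpd_cache_t ;;
        *) echo "unknown role: $role (use content|rw|logs|cache)" >&2; return 1 ;;
    esac
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\nrestorecon -Rv %s\n' "$t" "$dir" "$dir"
}

# Demonstration on the constructed sample; /var/www/html/ict and the
# "content" role are assumptions matching the question's setup.
printf '%s\n' "$SAMPLE_AVC" | summarize_httpd_avc
fcontext_commands /var/www/html/ict content
```

Two things worth keeping in mind when applying this to the question's setup: the semanage rule is matched by path, so write it for the path httpd actually opens (/var/www/html/ict here), and if the directory is a bind mount from a home directory, the label is stored on the shared inode, so after restorecon the same files show httpd_sys_content_t under the home path too. Use the `rw` role only for subtrees httpd genuinely needs to write, as the answer does for uploads.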
