12.07.2015 Views

Red Hat Enterprise Linux 5 Administration Unleashed



Working with Security Contexts

LISTING 23.5 Continued

Platform: Linux smallville 2.6.18-1.2961.el5 #1 SMP Wed Jan 3 14:35:32 EST 2007 x86_64 x86_64
Alert Count: 12
Line Numbers:
Raw Audit Messages:

    avc: denied { getattr } for comm="httpd" dev=dm-1 egid=48 euid=48
    exe="/usr/sbin/httpd" exit=-13 fsgid=48 fsuid=48 gid=48 items=0
    name="index.html" path="/home/html/index.html" pid=19312
    scontext=user_u:system_r:httpd_t:s0 sgid=48 subj=user_u:system_r:httpd_t:s0
    suid=48 tclass=file tcontext=user_u:object_r:user_home_t:s0 tty=(none) uid=48

TIP

To save the output of the sealert -l command, redirect it into a file such as:

    sealert -l e2d75f44-7c89-4fc1-a06b-23603ab00af8 > httpd_selinux_errors.txt

You can also generate the output in HTML format by adding the -H command line option:

    sealert -H -l e2d75f44-7c89-4fc1-a06b-23603ab00af8 > httpd_selinux_errors.txt

Figure 23.4 shows the same analysis viewed from the graphical browser of the SELinux Troubleshooting Tool.

The description of the problem from the SELinux Troubleshooting Tool is correct. The files in the DocumentRoot for the web server are mislabeled. The instructions in the Allowing Access section are suggestions that may or may not fix the problem. In this case, using the restorecon command to relabel does not properly label the files for the DocumentRoot.

The security context of the new DocumentRoot must be changed so that SELinux recognizes the files in it as valid web pages to use with the Apache HTTP Server. The security context of the /home/html/ directory is the following (output from ls -d -Z /home/html command):

    drwxr-xr-x root root root:object_r:user_home_dir_t /home/html

Use the chcon command with the -R option to recursively change the security context of the directory. Since the -R option is used, the security context for all files and subdirectories is changed too. The command is as follows:

    chcon -v -R --user=system_u --role=object_r --type=httpd_sys_content_t /home/html
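The raw audit message in Listing 23.5 already shows the mismatch that the chcon command corrects: a process in httpd_t was denied access to a file labeled user_home_t. The following Python code is an added example, not taken from the book; it parses that message and reports the mismatch, and the function names and the expected_type parameter are hypothetical.

```python
import re
import shlex

# Raw audit message from Listing 23.5 above, with typographic quotes as ASCII.
SAMPLE_AVC = (
    'avc: denied { getattr } for comm="httpd" dev=dm-1 egid=48 euid=48 '
    'exe="/usr/sbin/httpd" exit=-13 fsgid=48 fsuid=48 gid=48 items=0 '
    'name="index.html" path="/home/html/index.html" pid=19312 '
    'scontext=user_u:system_r:httpd_t:s0 sgid=48 '
    'subj=user_u:system_r:httpd_t:s0 suid=48 tclass=file '
    'tcontext=user_u:object_r:user_home_t:s0 tty=(none) uid=48'
)
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", re.S)

def split_context(ctx):
    """Split user:role:type[:level]; the level is optional and may contain ':'."""
    user, role, type_, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_,
            "level": level[0] if level else None}

def parse_avc(message):
    """Parse one AVC message into result, permissions, fields and contexts."""
    # Book and web extractions often turn the quotes into U+201C/U+201D.
    message = message.replace("\u201c", '"').replace("\u201d", '"')
    m = AVC_RE.search(message)
    if not m:
        raise ValueError("not an AVC message")
    fields = {}
    for token in shlex.split(m.group(3)):  # keeps quoted values intact
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return {"result": m.group(1), "perms": m.group(2).split(), "fields": fields,
            "source": split_context(fields["scontext"]),
            "target": split_context(fields["tcontext"])}

def label_mismatch(message, expected_type="httpd_sys_content_t"):
    """Describe a denial whose target type differs from expected_type, else None."""
    avc = parse_avc(message)
    target = avc["target"]["type"]
    if avc["result"] != "denied" or target == expected_type:
        return None
    f = avc["fields"]
    return "%s (%s) denied {%s} on %s %s: labeled %s, expected %s" % (
        f.get("comm", "?"), avc["source"]["type"], " ".join(avc["perms"]),
        f.get("tclass", "?"), f.get("path", f.get("name", "?")),
        target, expected_type)

if __name__ == "__main__":
    print(label_mismatch(SAMPLE_AVC))
```

A return value of None after the relabel means the target type now matches the type the web server's policy expects for content.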
