How to set context allowing user to modify /var/www

lvona · #1 22nd November 2006, 05:17 PM

I tried posting this to the selinux mailing-list, but it never showed up, so here we go.

I have been struggling with the following problem for ages. I simply want to allow ftp/sftp remote access to the /var/www/html folder on my FC5 linux box. I have a user -- webmaster -- with /var/www as his home dir. I have made webmaster a member of the apache group, and apache:apache is the ownership on /var/www and subdirs.

What commands (semanage, newrole, etc.) do I need to run to allow webmaster (context: user_u:system_r:unconfined_t) to make changes to /var/www and it's subdirs? (context: system_u:object_r:httpd_sys_content_t)

SlowJet · #2 22nd November 2006, 09:10 PM

I goofed up my replies to that list to becuase I haven't been on a list for while.

I think it is about reply-all vs. reply?

Anyway, try again because
1. No one here is going to know that much detail about your SELinux questions and
2. I think there may be a beter way of doing what you what to do.

SJ

lvona · #3 23rd November 2006, 12:09 AM

Thanks, SJ.

I tried posting twice, though already. Postfix tells me I'm getting greylisted, to which I take no offense

, but after the reported 30 min ban, my post still doesn't show up.

If you can imagine another way of doing things, could you give me a lead? Just off the top of the head. I'm pretty self-sufficient with this kind of stuff, but this one has me stumped.

But, I refuse to turn off SELINUX. It's so powerful, and I am devoted to adoption.

I really want to get the PRODUCTION WEB SERVER I'm running off the XP WORKSTATION it's running on, (a workstation still in use, BTW

) and onto something a little more secure and easy to monitor. But, if I can't provide sftp to the live dirs, developers can't post content without me copying it from their home dirs manually.

I don't like waking up at 5AM to post content. All 'sudo cp' and no sleep makes Jack kill EVERYONE.

stanjam · #4 23rd November 2006, 06:40 AM

I would have your webmaster scp files into your linux box in a seperate folder. This folder becomes essentially a test box for your web site (always a good idea before going live). You can then test the files locally with your web browser and transfer them to the var/www folder as root and set up the permissions you need for the public to have access.

SlowJet · #5 24th November 2006, 07:44 AM

I nominate stanjam to write a How-TO for web and ftp content providers to a FC SElinux enabled Linux box.

Do I here a second? Ivona?

SJ