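Making SELinux and Apache coexist, with read/write access opened on Apache directories

See the comments in the script below for the implementation details. Tested on CentOS 5 and CentOS 6.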
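1. Install the SELinux Python management package
yum -y install policycoreutils-python
2. Set the SELinux policy for Apache (this command puts the httpd_t domain into permissive mode, so SELinux logs denials for httpd but does not enforce them)
echo "set selinux option for httpd..."
/usr/sbin/semanage permissive -a httpd_t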
3. Grant read/write access to directories; change the paths to match your Apache configuration and needs
#semanage fcontext -d
echo "semanage fcontext -a -t public_content_rw_t /usr/local/mcm_cgi/log"
semanage fcontext -a -t public_content_rw_t /usr/local/mcm_cgi/log

echo "semanage fcontext -a -t public_content_rw_t /usr/local/mcm_cgi/htdocs/upload_tmp"
semanage fcontext -a -t public_content_rw_t /usr/local/mcm_cgi/htdocs/upload_tmp
4. Grant execute access to directories; needed for CGI and PHP directories
# semanage fcontext takes a regular expression, not a shell glob, so the pattern is quoted
echo 'semanage fcontext -a -t httpd_sys_script_exec_t "/usr/local/mcm_cgi/bin(/.*)?"'
semanage fcontext -a -t httpd_sys_script_exec_t "/usr/local/mcm_cgi/bin(/.*)?"
echo "set selinux option for httpd ok"

5. To remove a rule added in the steps above, run:
semanage fcontext -d /your/directory

6. My Apache virtual host configuration:
Listen 10008
NameVirtualHost *:10008
<VirtualHost *:10008>
ServerAdmin webmaster@qq.com
DocumentRoot /usr/local/mcm/mcm_cgi/htdocs
ServerName 192.168.1.183
ScriptAlias /cgi-bin/ "/usr/local/mcm/mcm_cgi/bin/"
AddDefaultCharset off
ErrorLog logs/mcm.ErrorLog.log
CustomLog logs/mcm.CustomLog.log common
</VirtualHost>

7. For CGI programs that use system() to call other system commands, see my article
"Adding sudo privileges for apache so that CGI can call system to execute commands"
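
The labelling from steps 3 and 4 as an added example (not the author's script): each rule is written as the regular expression `semanage fcontext` expects, then `restorecon` applies it to files already on disk and `ls -Zd` shows the result. It goes slightly beyond the post by covering each directory's contents with `(/.*)?`; the `RULES` list, the function names and the `APPLY` switch are assumptions of this example.

```shell
#!/bin/bash
# Added example, not the author's script. Dry run by default: commands are only
# printed. Run as root with APPLY=1 to execute them.

# Type and directory pairs taken from steps 3 and 4 of the post.
RULES="
public_content_rw_t /usr/local/mcm_cgi/log
public_content_rw_t /usr/local/mcm_cgi/htdocs/upload_tmp
httpd_sys_script_exec_t /usr/local/mcm_cgi/bin
"

# semanage fcontext takes a regular expression, not a shell glob:
# "dir(/.*)?" matches the directory itself and everything below it.
fcontext_pattern() {
    printf '%s(/.*)?' "${1%/}"
}

# Execute a command when APPLY=1, otherwise print it as a trace line.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

label_dir() {
    local ctx_type="$1" dir="${2%/}"
    # 1. Record the rule in the file-context database.
    run semanage fcontext -a -t "$ctx_type" "$(fcontext_pattern "$dir")"
    # 2. Relabel what already exists; the rule alone leaves on-disk labels unchanged.
    run restorecon -Rv "$dir"
    # 3. Show the label now on the directory so it can be checked by eye.
    run ls -Zd "$dir"
}

apply_rules() {
    local ctx_type dir
    while read -r ctx_type dir; do
        [ -n "$ctx_type" ] || continue
        label_dir "$ctx_type" "$dir"
    done <<EOF
$RULES
EOF
}

apply_rules
```

The trace lines are for reading only; when typing the `semanage` command by hand, quote the pattern so the shell does not interpret the parentheses.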
