Kenneth Porter
2008-Nov-30 13:56 UTC
[CentOS] Apache, SELinux, and document root on a different partition
I want to put the document root for an application on a separate partition that has more space. When I try to configure this I can't access the files in the new location. I've got the SELinux attributes set on the directory and its files, so I'm thinking it's something about the parent path that SELinux doesn't like, but I don't know where that's handled. My partition is mounted to /mnt/bigdisk2, and I put the app in the wbb3-tmp subdirectory there:

[root at centos wbb3-tmp]# ls -Za
drwxr-xr-x apache apache system_u:object_r:httpd_sys_content_t .
drwxr-xr-x root   root   system_u:object_r:file_t              ..
-rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t WCFSetup.tar.gz
-rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t index.html
-rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t install.php
-rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t test.php
[root at centos wbb3-tmp]# pwd
/mnt/bigdisk2/wbb3-tmp

My Apache VirtualHost block contains this:

Alias /wbb3-tmp /mnt/bigdisk2/wbb3-tmp
<Directory "/mnt/bigdisk2/wbb3-tmp">
    AllowOverride AuthConfig Options Limit
    Options +Indexes -ExecCGI +FollowSymLinks +MultiViews
    Order allow,deny
    Allow from all
</Directory>

This works if I disable SELinux.
Ignacio Vazquez-Abrams
2008-Nov-30 14:02 UTC
[CentOS] Apache, SELinux, and document root on a different partition
On Sun, 2008-11-30 at 05:56 -0800, Kenneth Porter wrote:
> This works if I disable SELinux.

You forgot one important bit: the actual denials.
--
Ignacio Vazquez-Abrams <ivazqueznet at gmail.com>
PLEASE don't CC me; I'm already subscribed
Kenneth Porter
2008-Dec-01 13:34 UTC
[CentOS] Apache, SELinux, and document root on a different partition
--On Sunday, November 30, 2008 9:02 AM -0500 Ignacio Vazquez-Abrams <ivazqueznet at gmail.com> wrote:
> You forgot one important bit: the actual denials.

I don't find anything in /var/log/audit/audit.log nor /var/log/messages. audit.log looks like the right place but it's not logged anything since June. Do I need to enable this? (I suspect another admin turned it off inadvertently.) The auditd service is running.
I'm finding that auditd will in fact log to the console if I run it with -f (don't fork). But it's not writing the entries to /var/log/audit/audit.log. I think I have enough disk space. The default config suspends auditing when free space falls below 50 and 75 megabytes, and df shows over 6 GB available.
Kenneth Porter
2008-Dec-01 14:39 UTC
[CentOS] Apache, SELinux, and document root on a different partition
Here's what I'm seeing logged. (Newlines added to make it easier to see the log line boundaries with wrapping.) It looks like it's failing to traverse the root directory to get to the directory with the content in it, but why doesn't it fail on /var/www/html or home directory content, which must also do that?

type=AVC msg=audit(1228142052.656:3183659): avc: denied { search } for pid=29382 comm="httpd" name="/" dev=cciss/c0d2p1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1228142052.656:3183659): arch=40000003 syscall=195 success=no exit=-13 a0=d75a6f0 a1=bfa4aadc a2=5ccff4 a3=8170 items=0 ppid=24589 pid=29382 auid=555 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1228142052.657:3183660): avc: denied { getattr } for pid=29382 comm="httpd" name="/" dev=cciss/c0d2p1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1228142052.657:3183660): arch=40000003 syscall=196 success=no exit=-13 a0=d75a768 a1=bfa4aadc a2=5ccff4 a3=2008171 items=0 ppid=24589 pid=29382 auid=555 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC_PATH msg=audit(1228142052.657:3183660): path="/mnt/bigdisk2"
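An added example, not part of the thread: a small shell function that condenses raw audit.log records like the ones above into one line per denial, joining each AVC record with the AVC_PATH record that shares its event serial so the denied object's path and label can be read at a glance. The function name summarise_avc is my own, and the sample records are constructed from the output quoted in the thread (SYSCALL fields trimmed).

```shell
#!/bin/sh
# Added example, not from the thread: condense SELinux AVC denials from
# audit.log into one line per event so the source type, permission, target
# class, target type and path can be read at a glance. The sample below is
# constructed from the records quoted in the thread (SYSCALL fields trimmed).
SAMPLE_AUDIT='type=AVC msg=audit(1228142052.656:3183659): avc: denied { search } for pid=29382 comm="httpd" name="/" dev=cciss/c0d2p1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1228142052.656:3183659): arch=40000003 syscall=195 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1228142052.657:3183660): avc: denied { getattr } for pid=29382 comm="httpd" name="/" dev=cciss/c0d2p1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC_PATH msg=audit(1228142052.657:3183660): path="/mnt/bigdisk2"'

# summarise_avc: audit lines on stdin -> "<event> <src type> <perm> <tclass> <tgt type> <path|name>"
# AVC_PATH records carry the same event serial as their AVC record, so the
# path is joined in when present; otherwise the AVC's own name= field is shown.
summarise_avc() {
    awk '
    function field(key,    m) {           # value of key=..., quotes stripped
        if (match($0, key "=[^ ]+")) {
            m = substr($0, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
            gsub(/"/, "", m); return m
        }
        return "?"
    }
    function event_id(    m) {            # serial after the colon in audit(ts:serial)
        match($0, /audit[(][0-9.]+:[0-9]+[)]/)
        m = substr($0, RSTART, RLENGTH); sub(/.*:/, "", m); sub(/[)]/, "", m)
        return m
    }
    function ctx_type(ctx,    a, k) {     # user:role:type:level -> type
        k = split(ctx, a, ":"); return k >= 3 ? a[3] : ctx
    }
    /^type=AVC / {
        id = event_id(); order[++count] = id
        match($0, /denied [{][^}]*[}]/)   # "denied { perm }" -> perm
        perm = substr($0, RSTART + 9, RLENGTH - 11); gsub(/^ +| +$/, "", perm)
        src[id] = ctx_type(field("scontext")); p[id] = perm
        cls[id] = field("tclass"); tgt[id] = ctx_type(field("tcontext")); nm[id] = field("name")
    }
    /^type=AVC_PATH / { path[event_id()] = field("path") }
    END {
        for (i = 1; i <= count; i++) {
            id = order[i]; where = (id in path) ? path[id] : nm[id]
            printf "%s %s %s %s %s %s\n", id, src[id], p[id], cls[id], tgt[id], where
        }
    }'
}

# A target type of file_t means the object carries no SELinux label at all (a
# filesystem that was never relabelled), which is why httpd_t cannot even
# search the mount point; restorecon -Rv on the mount point assigns labels.
printf '%s\n' "$SAMPLE_AUDIT" | summarise_avc
```

The summary shows httpd_t being denied search and getattr on a dir labelled file_t at /mnt/bigdisk2, which is the unlabelled mount-point root rather than the wbb3-tmp directory that was given httpd_sys_content_t.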