SELinux & apache/httpd access to /home/*/www
Cream[DONut]
lists at donut.dk
Fri Sep 17 12:17:19 UTC 2004
Daniel J Walsh wrote:
> What are the AVC messages you are seeing in the /var/log/messages file.
When starting httpd, it just fails; there are no AVC messages in
/var/log. But for testing purposes I set DocumentRoot to the / root of
the server, which worked; then I tried going to /home, which didn't work:
I couldn't open /home/xxxxxx or /home/xxxxxx/www.
These are the AVC's the server produced from starting the server and
accessing those folders:
Sep 17 13:54:05 DONut kernel: audit(1095422045.364:0): avc: denied { getattr } for pid=1956 exe=/usr/sbin/httpd path=/misc dev=hda2 ino=7487489 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.365:0): avc: denied { getattr } for pid=1956 exe=/usr/sbin/httpd path=/boot dev=hda1 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:boot_t tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.365:0): avc: denied { getattr } for pid=1956 exe=/usr/sbin/httpd path=/backup dev=hda3 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.368:0): avc: denied { getattr } for pid=1956 exe=/usr/sbin/httpd path=/lost+found dev=hda2 ino=11 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.377:0): avc: denied { getattr } for pid=1956 exe=/usr/sbin/httpd path=/selinux dev=selinuxfs ino=760 scontext=root:system_r:httpd_t tcontext=system_u:object_r:security_t tclass=dir
Sep 17 13:54:17 DONut kernel: audit(1095422057.529:0): avc: denied { read } for pid=1959 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Sep 17 13:54:43 DONut kernel: audit(1095422083.486:0): avc: denied { read } for pid=1963 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Sep 17 13:54:46 DONut kernel: audit(1095422086.425:0): avc: denied { read } for pid=1958 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=dir
I'm not sure why it accesses /lost+found, /backup, /boot or /misc; it
certainly shouldn't be.
For some reason the error messages for /home and /home/xxxxxx were
different.
/home produces a standard 403 Forbidden error, while /home/xxxxxx and
/home/xxxxxx/www produces a 403 + the added text "Additionally, a 403
Forbidden error was encountered while trying to use an ErrorDocument to
handle the request."
(For this test I disabled all virtual domains and just had the main
server in /. When moved to /home it still produced 403.)
> Yes system-config-securitylevel, you need to upgrade to a newer version.
> But you can edit the booleans file in /etc/selinux/targeted/booleans if
> you like and add a boolean
> http_disable_trans=1, then type "setsebool http_disable_trans 1". Stop
> and restart the http service.
>
> Get the AVC messages and we can get it working. audit2allow -i
> /var/log/messages
>
allow httpd_t boot_t:dir { getattr };
allow httpd_t default_t:dir { getattr };
allow httpd_t file_t:dir { getattr };
allow httpd_t home_root_t:dir { read };
allow httpd_t security_t:dir { getattr };
Here are the AVC errors from when DocumentRoot pointed to /home (again,
there are no AVC errors when pointing to /home/xxxxxx/www):
Sep 17 14:09:44 DONut kernel: audit(1095422984.079:0): avc: denied { read } for pid=2221 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Sep 17 14:09:45 DONut kernel: audit(1095422985.732:0): avc: denied { read } for pid=2222 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Sep 17 14:10:00 DONut kernel: audit(1095423000.418:0): avc: denied { read } for pid=2223 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Could it be this one that is missing?
allow httpd_t home_root_t:dir { read };
Regards
Kris
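Editor's worked example (added here; not part of the thread and not the audit2allow tool itself): the step Dan Walsh asks for above is "take the AVC denials, collapse them into allow rules". The small parser below does exactly that transformation on the AVC records from this post (rejoined onto single lines, as syslog writes them, and embedded as constructed sample input) and reproduces the five rules shown in the message. It also adds the triage a practitioner wants before pasting any of those rules into policy: denials whose target type is file_t or default_t (objects that carry no label, or no file_contexts match) point at a labeling problem to fix with restorecon/chcon, not at a missing rule. The LABEL_PROBLEM_TYPES set and the function names are the example's own choices.

```python
import re

# Constructed sample: the AVC records quoted in the post, each rejoined onto
# the single line syslog actually emits (the mail client wrapped them).
SAMPLE_LOG = """\
Sep 17 13:54:05 DONut kernel: audit(1095422045.364:0): avc: denied { getattr } for pid=1956 exe=/usr/sbin/httpd path=/misc dev=hda2 ino=7487489 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.365:0): avc: denied { getattr } for pid=1956 exe=/usr/sbin/httpd path=/boot dev=hda1 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:boot_t tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.365:0): avc: denied { getattr } for pid=1956 exe=/usr/sbin/httpd path=/backup dev=hda3 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.368:0): avc: denied { getattr } for pid=1956 exe=/usr/sbin/httpd path=/lost+found dev=hda2 ino=11 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.377:0): avc: denied { getattr } for pid=1956 exe=/usr/sbin/httpd path=/selinux dev=selinuxfs ino=760 scontext=root:system_r:httpd_t tcontext=system_u:object_r:security_t tclass=dir
Sep 17 13:54:17 DONut kernel: audit(1095422057.529:0): avc: denied { read } for pid=1959 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Sep 17 13:54:43 DONut kernel: audit(1095422083.486:0): avc: denied { read } for pid=1963 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Sep 17 14:09:44 DONut kernel: audit(1095422984.079:0): avc: denied { read } for pid=2221 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=dir
"""

# Matches the 2004-era /var/log/messages AVC format used in the post:
#   avc: denied { perm perm } for key=value key=value ...
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")

# Target types that mean "this object has no proper label", so the cure is
# relabeling (restorecon / chcon), not a new allow rule.  Set chosen for this
# example; unlabeled_t is the name later policies use for the same condition.
LABEL_PROBLEM_TYPES = {"file_t", "default_t", "unlabeled_t"}


def parse_avc(line):
    """Pull source type, target type, class, perms and object out of one AVC line.

    Returns None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("rest").split() if "=" in tok)
    try:
        stype = fields["scontext"].split(":")[2]   # user:role:TYPE
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": stype,
        "ttype": ttype,
        "tclass": tclass,
        # getattr denials carry path=, read denials on a dir carry name=
        "object": fields.get("path") or fields.get("name") or "?",
    }


def audit2allow(log_text):
    """Collapse denials into allow rules, one per (source, target, class), perms merged."""
    rules = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        rules.setdefault(key, set()).update(rec["perms"])
    return [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(perms)))
        for (s, t, c), perms in sorted(rules.items())
    ]


def triage(log_text):
    """Split denials into (relabel, policy): target type -> set of objects.

    'relabel' holds objects whose type says they were never labeled properly;
    'policy' holds denials against correctly labeled objects, the only ones
    where an allow rule or boolean is even the right question."""
    relabel, policy = {}, {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        bucket = relabel if rec["ttype"] in LABEL_PROBLEM_TYPES else policy
        bucket.setdefault(rec["ttype"], set()).add(rec["object"])
    return relabel, policy


if __name__ == "__main__":
    for rule in audit2allow(SAMPLE_LOG):
        print(rule)
    needs_relabel, needs_policy = triage(SAMPLE_LOG)
    print("relabel:", needs_relabel)
    print("policy: ", needs_policy)
```

Run against the post's records, audit2allow() yields the same five rules the message shows, and triage() separates /backup and /lost+found (file_t) and /misc (default_t) from the /home denial against home_root_t. For the actual problem in the thread, the web content under /home/xxxxxx/www needs the httpd content type (chcon -R -t httpd_sys_content_t, or a file_contexts entry plus restorecon) rather than a broad allow on home_root_t; the generated rules are a diagnostic, not a patch to apply blindly.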