SELinux & apache/httpd access to /home/*/www

Cream[DONut] lists at donut.dk
Fri Sep 17 12:17:19 UTC 2004


Daniel J Walsh wrote:
> What are the AVC messages you are seeing in the /var/log/messages file.

When starting httpd, it just fails; there are no AVC messages in 
/var/log. But for testing purposes I set DocumentRoot to the / root of 
the server, which worked. Then I tried going to /home, which didn't work: 
I couldn't open /home/xxxxxx or /home/xxxxxx/www.

These are the AVC's the server produced from starting the server and 
accessing those folders:

Sep 17 13:54:05 DONut kernel: audit(1095422045.364:0): avc:  denied  { 
getattr } for  pid=1956 exe=/usr/sbin/httpd path=/misc dev=hda2 
ino=7487489 scontext=root:system_r:httpd_t 
tcontext=system_u:object_r:default_t tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.365:0): avc:  denied  { 
getattr } for  pid=1956 exe=/usr/sbin/httpd path=/boot dev=hda1 ino=2 
scontext=root:system_r:httpd_t tcontext=system_u:object_r:boot_t tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.365:0): avc:  denied  { 
getattr } for  pid=1956 exe=/usr/sbin/httpd path=/backup dev=hda3 ino=2 
scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.368:0): avc:  denied  { 
getattr } for  pid=1956 exe=/usr/sbin/httpd path=/lost+found dev=hda2 
ino=11 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t 
tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.377:0): avc:  denied  { 
getattr } for  pid=1956 exe=/usr/sbin/httpd path=/selinux dev=selinuxfs 
ino=760 scontext=root:system_r:httpd_t 
tcontext=system_u:object_r:security_t tclass=dir
Sep 17 13:54:17 DONut kernel: audit(1095422057.529:0): avc:  denied  { 
read } for  pid=1959 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 
scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t 
tclass=dir
Sep 17 13:54:43 DONut kernel: audit(1095422083.486:0): avc:  denied  { 
read } for  pid=1963 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 
scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t 
tclass=dir
Sep 17 13:54:46 DONut kernel: audit(1095422086.425:0): avc:  denied  { 
read } for  pid=1958 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 
scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t 
tclass=dir

I'm not sure why it accesses /lost+found, /backup, /boot or /misc; it 
certainly shouldn't be.

For some reason the error messages for /home and /home/xxxxxx were 
different.

/home produces a standard 403 Forbidden error, while /home/xxxxxx and 
/home/xxxxxx/www produce a 403 + the added text "Additionally, a 403 
Forbidden error was encountered while trying to use an ErrorDocument to 
handle the request."

(For this test I disabled all virtual domains and just had the main 
server in /. When moved to /home it still produced 403.)

> Yes system-config-securitylevel, you need to upgrade to a newer version.
>  But you can edit the booleans file in /etc/selinux/targeted/booleans if 
> you like and add a boolean
> http_disable_trans=1, then type "setsebool http_disable_trans 1".   Stop 
> and restart the http service.
> 
> Get the AVC messages and we can get it working. audit2allow -i 
> /var/log/messages
> 

allow httpd_t boot_t:dir { getattr };
allow httpd_t default_t:dir { getattr };
allow httpd_t file_t:dir { getattr };
allow httpd_t home_root_t:dir { read };
allow httpd_t security_t:dir { getattr };


Here are the AVC errors from when DocumentRoot pointed to /home (again, 
there are no AVC errors when pointing to /home/xxxxxx/www):

Sep 17 14:09:44 DONut kernel: audit(1095422984.079:0): avc:  denied  { 
read } for  pid=2221 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 
scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t 
tclass=dir
Sep 17 14:09:45 DONut kernel: audit(1095422985.732:0): avc:  denied  { 
read } for  pid=2222 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 
scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t 
tclass=dir
Sep 17 14:10:00 DONut kernel: audit(1095423000.418:0): avc:  denied  { 
read } for  pid=2223 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 
scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t 
tclass=dir

Could it be this one missing?

allow httpd_t home_root_t:dir { read };


Regards
Kris
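The audit2allow output pasted in the post is simply the AVC denials above collapsed into one rule per (source type, target type, object class). As an added example (not code from the post, and not audit2allow itself), the Python script below parses AVC lines in the `kernel: audit(...)` syslog format shown above into the same allow rules, and also records which path or name each rule was triggered by. That evidence column is the check a practitioner wants before loading anything: the getattr denials on /boot, /backup, /lost+found, /misc and /selinux come only from the DocumentRoot = / experiment, while the single home_root_t read denial is the one that relates to serving /home/*/www. The sample log is the post's own denials re-joined onto single lines (the mail client had wrapped them), with the three identical /home entries reduced to one; the regular expressions assume the field layout seen in those lines.

```python
import re
from collections import defaultdict

# Constructed sample input: the denials quoted in the post, one per line,
# with the three identical /home denials reduced to a single entry.
SAMPLE_LOG = """\
Sep 17 13:54:05 DONut kernel: audit(1095422045.364:0): avc:  denied  { getattr } for  pid=1956 exe=/usr/sbin/httpd path=/misc dev=hda2 ino=7487489 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.365:0): avc:  denied  { getattr } for  pid=1956 exe=/usr/sbin/httpd path=/boot dev=hda1 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:boot_t tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.365:0): avc:  denied  { getattr } for  pid=1956 exe=/usr/sbin/httpd path=/backup dev=hda3 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.368:0): avc:  denied  { getattr } for  pid=1956 exe=/usr/sbin/httpd path=/lost+found dev=hda2 ino=11 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.377:0): avc:  denied  { getattr } for  pid=1956 exe=/usr/sbin/httpd path=/selinux dev=selinuxfs ino=760 scontext=root:system_r:httpd_t tcontext=system_u:object_r:security_t tclass=dir
Sep 17 13:54:17 DONut kernel: audit(1095422057.529:0): avc:  denied  { read } for  pid=1959 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=dir
"""

# "avc:  denied  { getattr } for  pid=... tclass=dir"
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs after "for"; values never contain whitespace in this format
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Parse one AVC audit line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["result"] = m.group("result")
    rec["perms"] = set(m.group("perms").split())
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type (e.g. root:system_r:httpd_t -> httpd_t)."""
    return ctx.split(":")[2]


def collect(lines):
    """Group denials by (source type, target type, class).

    Returns two dicts keyed the same way: the union of denied permissions,
    and the set of paths/names on which the denial was observed.
    """
    perms = defaultdict(set)
    evidence = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if not all(k in rec for k in ("scontext", "tcontext", "tclass")):
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        perms[key] |= rec["perms"]
        # older kernels report path= for some objects and only name= for others
        evidence[key].add(rec.get("path") or rec.get("name") or "?")
    return perms, evidence


def format_rule(key, perms):
    src, tgt, cls = key
    return "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))


def allow_rules(lines):
    """audit2allow-style rule list, one rule per source/target/class triple."""
    perms, _ = collect(lines)
    return [format_rule(k, perms[k]) for k in sorted(perms)]


def rules_with_evidence(lines):
    """Same rules, each mapped to the sorted list of objects that triggered it."""
    perms, evidence = collect(lines)
    return {format_rule(k, perms[k]): sorted(evidence[k]) for k in sorted(perms)}


if __name__ == "__main__":
    for rule, objs in rules_with_evidence(SAMPLE_LOG.splitlines()).items():
        print("%-48s # seen on: %s" % (rule, ", ".join(objs)))
```

Run against the sample, the rule list comes out identical to the five audit2allow lines in the post; the evidence column shows that four of them were triggered only by top-level directories httpd touched while DocumentRoot was /, so the one worth investigating for the original problem is the home_root_t read on /home.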


