WebDAV

Daniel J Walsh dwalsh at redhat.com
Thu Sep 8 14:55:40 UTC 2005


Andrew Z wrote:

>
> Daniel J Walsh wrote:
>
>> Andrew Z wrote:
>>
>>>
>>> Is there a SELinux policy for use with WebDAV?   I have the WebDAV 
>>> working correctly with Apache and Cadaver, but SELinux prevents 
>>> writing.  I have noticed that there are at least two issues.  First, 
>>> SELinux prevents Apache from writing to httpd_sys_content_t.  
>>> Second, Apache needs to update its locking database.  I don't want 
>>> to allow write access to all httpd_sys_content_t.
>>> type=AVC msg=audit(1126138296.843:56): avc:  denied  { write } for  
>>> pid=3525 comm="httpd" name="lockdb.dir" dev=hda7 ino=1011851 
>>> scontext=system_u:system_r:httpd_t 
>>> tcontext=system_u:object_r:var_lib_t tclass=file
>>> type=SYSCALL msg=audit(1126138296.843:56): arch=40000003 syscall=5 
>>> success=yes exit=11 a0=8675e00 a1=42 a2=1b6 a3=886a6c0 items=1 
>>> pid=3525 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 
>>> egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
>>> type=CWD msg=audit(1126138296.843:56):  cwd="/"
>>> type=PATH msg=audit(1126138296.843:56): item=0 
>>> name="/var/lib/dav/lockdb.dir" flags=310  inode=1006106 dev=03:07 
>>> mode=040700 ouid=48 ogid=48 rdev=00:00
>>>
>>>
>>> type=AVC msg=audit(1126138520.634:58): avc:  denied  { write } for  
>>> pid=3526 comm="httpd" name="lockdb.dir" dev=hda7 ino=1011851 
>>> scontext=system_u:system_r:httpd_t 
>>> tcontext=system_u:object_r:var_lib_t tclass=file
>>> type=SYSCALL msg=audit(1126138520.634:58): arch=40000003 syscall=5 
>>> success=yes exit=11 a0=867dc20 a1=42 a2=1b6 a3=867fbd8 items=1 
>>> pid=3526 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 
>>> egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
>>> type=CWD msg=audit(1126138520.634:58):  cwd="/"
>>> type=PATH msg=audit(1126138520.634:58): item=0 
>>> name="/var/lib/dav/lockdb.dir" flags=310  inode=1006106 dev=03:07 
>>> mode=040700 ouid=48 ogid=48 rdev=00:00
>>>
>>>
>>>
>> try
>> chcon -R -t httpd_sys_script_rw_t /var/lib/dav
>>
> Daniel,
>
> Thank you, that worked nicely.   
> Is there also a type for writable directories that solves the next 
> problem?  This is creating and writing a file to bar to a directory 
> /var/www/html/dav:
>
> type=AVC msg=audit(1126183941.896:260): avc:  denied  { write } for  
> pid=20312 comm="httpd" name="dav" dev=hda7 ino=1011845 
> scontext=root:system_r:httpd_t 
> tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
> type=AVC msg=audit(1126183941.896:260): avc:  denied  { add_name } 
> for  pid=20312 comm="httpd" name="a" scontext=root:system_r:httpd_t 
> tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
> type=AVC msg=audit(1126183941.896:260): avc:  denied  { create } for  
> pid=20312 comm="httpd" name="a" scontext=root:system_r:httpd_t 
> tcontext=root:object_r:httpd_sys_content_t tclass=file
> type=SYSCALL msg=audit(1126183941.896:260): arch=40000003 syscall=5 
> success=yes exit=14 a0=94dca08 a1=241 a2=1b6 a3=94dce58 items=1 
> pid=20312 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 
> egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
> type=CWD msg=audit(1126183941.896:260):  cwd="/"
> type=PATH msg=audit(1126183941.896:260): item=0 
> name="/var/www/html/dav/foo" flags=310  inode=1011845 dev=03:07 
> mode=040775 ouid=500 ogid=48 rdev=00:00
> type=AVC msg=audit(1126183941.896:261): avc:  denied  { write } for  
> pid=20312 comm="httpd" name="a" dev=hda7 ino=1011998 
> scontext=root:system_r:httpd_t 
> tcontext=root:object_r:httpd_sys_content_t tclass=file
> type=SYSCALL msg=audit(1126183941.896:261): arch=40000003 syscall=4 
> success=yes exit=28 a0=e a1=94ddb40 a2=1c a3=94dce58 items=0 pid=20312 
> auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 
> fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
> type=AVC_PATH msg=audit(1126183941.896:261):  
> path="/var/www/html/dav/foo"
>
>
>
> Andrew

I would try the same thing.

chcon -R -t httpd_sys_script_rw_t  /var/www/html/dav


-- 
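Both relabels Dan suggests address denials of the same shape: httpd_t asking for a write-class permission on a file or directory whose type is not one httpd may write (var_lib_t under /var/lib/dav, httpd_sys_content_t under the DocumentRoot). The script below is an added example and not part of the thread. It parses audit records like the ones Andrew posted (the sample is constructed from them, with each record rejoined on one line and the SYSCALL/CWD records omitted), joins each AVC denial to the PATH or AVC_PATH record carrying the same event id, and prints the chcon command the thread applied. The set of permissions treated as "write" and the rule of relabeling the containing directory are assumptions made for the example.

```python
"""Triage SELinux AVC denials of the kind posted in this thread.

Added example, not part of the original thread: parse audit records,
join each AVC denial to the PATH/AVC_PATH record with the same event id,
and print the relabel Dan suggested for httpd_t write denials.
"""
import os
import re
from collections import defaultdict

# Constructed sample: the denials from the thread, with each record on one
# line (the archive wrapped them) and the SYSCALL/CWD records left out.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1126138296.843:56): avc:  denied  { write } for  pid=3525 comm="httpd" name="lockdb.dir" dev=hda7 ino=1011851 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_lib_t tclass=file
type=PATH msg=audit(1126138296.843:56): item=0 name="/var/lib/dav/lockdb.dir" flags=310 inode=1006106 dev=03:07 mode=040700 ouid=48 ogid=48 rdev=00:00
type=AVC msg=audit(1126183941.896:260): avc:  denied  { write } for  pid=20312 comm="httpd" name="dav" dev=hda7 ino=1011845 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=AVC msg=audit(1126183941.896:260): avc:  denied  { add_name } for  pid=20312 comm="httpd" name="a" scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=AVC msg=audit(1126183941.896:260): avc:  denied  { create } for  pid=20312 comm="httpd" name="a" scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file
type=PATH msg=audit(1126183941.896:260): item=0 name="/var/www/html/dav/foo" flags=310 inode=1011845 dev=03:07 mode=040775 ouid=500 ogid=48 rdev=00:00
type=AVC msg=audit(1126183941.896:261): avc:  denied  { write } for  pid=20312 comm="httpd" name="a" dev=hda7 ino=1011998 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file
type=AVC_PATH msg=audit(1126183941.896:261):  path="/var/www/html/dav/foo"
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\):\s*(?P<rest>.*)$")
DENIED_RE = re.compile(r"denied\s+\{ (?P<perms>[^}]+) \}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions treated as "httpd needs write access here" (assumption for
# the example; the thread itself only shows write, add_name and create).
WRITE_PERMS = {"write", "add_name", "create", "remove_name", "unlink", "rename"}
RW_TYPE = "httpd_sys_script_rw_t"  # the type Dan relabeled to


def parse_records(text):
    """Yield (record type, event id, key/value fields) for each audit record."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        denied = DENIED_RE.search(rest)
        if denied:
            fields["perms"] = denied.group("perms").split()
        yield m.group("type"), m.group("event"), fields


def triage(text):
    """Return one dict per (event, tclass, target type) denial, with its path."""
    paths = {}
    denials = defaultdict(lambda: {"perms": set()})
    for rtype, event, f in parse_records(text):
        if rtype == "PATH":
            paths[event] = f.get("name")
        elif rtype == "AVC_PATH":
            paths[event] = f.get("path")
        elif rtype == "AVC" and "perms" in f:
            # A context is user:role:type[:range]; the type is the third field.
            stype = f["scontext"].split(":")[2]
            ttype = f["tcontext"].split(":")[2]
            d = denials[(event, f["tclass"], ttype)]
            d.update(event=event, source=stype, target=ttype,
                     tclass=f["tclass"], comm=f.get("comm"))
            d.setdefault("name", f.get("name"))  # keep the first object name seen
            d["perms"].update(f["perms"])
    result = []
    for (event, _, _), d in sorted(denials.items()):
        d["path"] = paths.get(event)
        result.append(d)
    return result


def recommend(denial):
    """Return the chcon command from the thread, or None if it does not apply."""
    if denial["source"] != "httpd_t" or not denial["perms"] & WRITE_PERMS:
        return None
    if denial["target"] == RW_TYPE:
        return None  # already writable by httpd_t; the problem is elsewhere
    path = denial["path"]
    if not path:
        return None  # no PATH/AVC_PATH record; nothing to relabel yet
    # Relabel the containing directory, as Dan did: a file denial names the
    # file, and a dir denial whose PATH record names a child is on its parent.
    if denial["tclass"] == "file" or os.path.basename(path) != denial["name"]:
        path = os.path.dirname(path)
    return f"chcon -R -t {RW_TYPE} {path}"


if __name__ == "__main__":
    for d in triage(SAMPLE_AUDIT):
        perms = ",".join(sorted(d["perms"]))
        print(f"{d['event']}: {d['source']} -> {d['target']} "
              f"({d['tclass']}:{perms}) {d['path']}")
        print("   fix:", recommend(d) or "n/a")
```

Run against the sample it prints the two commands from the thread: `/var/lib/dav` for event 56 and `/var/www/html/dav` for events 260 and 261. One practical point the thread does not cover: chcon changes the label on disk only, so a later relabel (restorecon or a full fixfiles run) puts the original type back; to make the change survive, record it with `semanage fcontext -a -t httpd_sys_script_rw_t '/var/www/html/dav(/.*)?'` and then apply it with `restorecon -R /var/www/html/dav`.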