[publican-list] [Bug 691301] New: No SELinux context for /var/www/html/docs/index.html file in publican generated web RPMs?
bugzilla at redhat.com
Mon Mar 28 06:20:31 UTC 2011
Summary: No SELinux context for /var/www/html/docs/index.html file in publican generated web RPMs?
https://bugzilla.redhat.com/show_bug.cgi?id=691301
Product: Publican
Version: 2.5
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: unspecified
Priority: unspecified
Component: publican
AssignedTo: jfearn at redhat.com
ReportedBy: sgordon at redhat.com
QAContact: rlandman at redhat.com
CC: mmcallis at redhat.com, publican-list at redhat.com
Classification: Other
Story Points: ---
Description of problem:
When installing publican generated web packages found that resultant
/var/www/html/docs/index.html file does not have a security context that allows
it to be served by a default httpd install.
When providing a deeper path (say to hostname/docs/en-US/index.html) no security
context violation is detected.
Version-Release number of selected component (if applicable):
Publican 2.5.0 to generate package.
Installing
Red_Hat_Enterprise_Virtualization_for_Servers-Administration_Guide-2.2-web-en-US-2-2.el5
package on RHEL 5 host.
How reproducible:
Steps to Reproduce:
1. Install
Red_Hat_Enterprise_Virtualization_for_Servers-Administration_Guide-2.2-web-en-US-2-2.el5
on clean RHEL5 host.
2. Install httpd
3. Allow port 80 past firewall.
4. service httpd start
5. Browse to http://hostname/docs/index.html from remote client.
Actual results:
Access denied. Apache error log contains:
[Mon Mar 28 15:54:10 2011] [error] [client 192.168.122.1] (13)Permission denied: access to /docs/index.html denied
selinux violation detected (see additional info).
Expected results:
Access to index.html.
Additional info:
Summary:
SELinux is preventing the httpd from using potentially mislabeled files
/var/www/html/docs/index.html (var_t).
Detailed Description:
SELinux has denied the httpd access to potentially mislabeled files
/var/www/html/docs/index.html. This means that SELinux will not allow httpd to
use these files. Many third party apps install html files in directories that
SELinux policy cannot predict. These directories have to be labeled with a file
context which httpd can access.
Allowing Access:
If you want to change the file context of /var/www/html/docs/index.html so that
the httpd daemon can access it, you need to execute it using chcon -t
httpd_sys_content_t '/var/www/html/docs/index.html'. You can look at the
httpd_selinux man page for additional information.
Additional Information:
Source Context                root:system_r:httpd_t
Target Context                root:object_r:var_t
Target Objects                /var/www/html/docs/index.html [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           httpd-2.2.3-45.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-300.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-238.5.1.el5 #1
                              SMP Mon Feb 21 05:52:39 EST 2011 x86_64 x86_64
Alert Count                   10
First Seen                    Mon 28 Mar 2011 03:54:10 PM EST
Last Seen                     Mon 28 Mar 2011 04:18:29 PM EST
Local ID                      6ee29ef5-2ed3-47d3-915b-34e5fff91b7f
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1301293109.781:50): avc: denied
{ getattr } for pid=15160 comm="httpd" path="/var/www/html/docs/index.html"
dev=dm-0 ino=590744 scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:var_t:s0 tclass=file
host=localhost.localdomain type=SYSCALL msg=audit(1301293109.781:50):
arch=c000003e syscall=6 success=no exit=-13 a0=2ac1cab678c0 a1=7fff042deb70
a2=7fff042deb70 a3=0 items=0 ppid=15144 pid=15160 auid=0 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd"
exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
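Added example (not part of the original report or of Publican): a Python check that parses AVC denial records like the one under "Raw Audit Messages" and reports files under the web root that httpd_t was denied because they carry a type other than httpd_sys_content_t. The names HTTPD_READABLE, WEB_ROOT and CTX, and the two records marked as constructed, are assumptions made for this example.

```python
import re

HTTPD_READABLE = {"httpd_sys_content_t"}  # assumed minimal set of types httpd may read
WEB_ROOT = "/var/www/"                     # assumed document tree
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
CTX = "scontext=root:system_r:%s:s0 tcontext=root:object_r:var_t:s0 tclass=file"
SAMPLE = [
    # Record from the report above, with its wrapped lines joined.
    'host=localhost.localdomain type=AVC msg=audit(1301293109.781:50): avc: denied '
    '{ getattr } for pid=15160 comm="httpd" path="/var/www/html/docs/index.html" '
    'dev=dm-0 ino=590744 ' + CTX % "httpd_t",
    # Constructed: a second permission denied on the same file.
    'type=AVC msg=audit(1301293110.102:51): avc: denied { read } for pid=15160 '
    'comm="httpd" path="/var/www/html/docs/index.html" ' + CTX % "httpd_t",
    # Constructed: a denial for another domain, which this check ignores.
    'type=AVC msg=audit(1301293111.000:52): avc: denied { getattr } for pid=200 '
    'comm="vsftpd" path="/var/www/html/docs/toc.html" ' + CTX % "ftpd_t",
]


def parse_avc(record):
    m = AVC_RE.search(record)
    if not m:
        return None  # not an AVC denial (for example a SYSCALL record)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def selinux_type(context):
    parts = context.split(":")  # user:role:type[:level]
    return parts[2] if len(parts) >= 3 else None


def mislabeled_web_files(records):
    """Map each web-root file httpd_t was denied to its label type and denied perms."""
    findings = {}
    for avc in filter(None, map(parse_avc, records)):
        path, ttype = avc.get("path", ""), selinux_type(avc.get("tcontext", ""))
        if (avc.get("tclass") == "file" and path.startswith(WEB_ROOT)
                and selinux_type(avc.get("scontext", "")) == "httpd_t"
                and ttype not in HTTPD_READABLE):
            entry = findings.setdefault(path, {"type": ttype, "perms": set()})
            entry["perms"].update(avc["perms"])
    return findings

if __name__ == "__main__":
    print(mislabeled_web_files(SAMPLE))
```

Each path it reports is a candidate for the relabel named in the alert text (chcon -t httpd_sys_content_t).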