[publican-list] [Bug 691301] New: No SELinux context for /var/www/html/docs/index.html file in publican generated web RPMs?

bugzilla at redhat.com bugzilla at redhat.com
Mon Mar 28 06:20:31 UTC 2011


https://bugzilla.redhat.com/show_bug.cgi?id=691301

           Summary: No SELinux context for /var/www/html/docs/index.html
                    file in publican generated web RPMs?
           Product: Publican
           Version: 2.5
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: unspecified
          Priority: unspecified
         Component: publican
        AssignedTo: jfearn at redhat.com
        ReportedBy: sgordon at redhat.com
         QAContact: rlandman at redhat.com
                CC: mmcallis at redhat.com, publican-list at redhat.com
    Classification: Other
      Story Points: ---


Description of problem:

When installing publican generated web packages, I found that the resultant
/var/www/html/docs/index.html file does not have a security context that allows
it to be served by a default httpd install.

When providing a deeper path (say to hostname/docs/en-US/index.html) no security
context violation is detected.

Version-Release number of selected component (if applicable):

Publican 2.5.0 to generate package.
Installing
Red_Hat_Enterprise_Virtualization_for_Servers-Administration_Guide-2.2-web-en-US-2-2.el5
package on RHEL 5 host.

How reproducible:


Steps to Reproduce:
1. Install
Red_Hat_Enterprise_Virtualization_for_Servers-Administration_Guide-2.2-web-en-US-2-2.el5
on clean RHEL5 host.
2. Install httpd
3. Allow port 80 past firewall.
4. service httpd start
5. Browse to http://hostname/docs/index.html from remote client.

Actual results:

Access denied. Apache error log contains:

[Mon Mar 28 15:54:10 2011] [error] [client 192.168.122.1] (13)Permission
denied: access to /docs/index.html denied

selinux violation detected (see additional info).

Expected results:

Access to index.html.

Additional info:

Summary:

SELinux is preventing the httpd from using potentially mislabeled files
/var/www/html/docs/index.html (var_t).

Detailed Description:

SELinux has denied the httpd access to potentially mislabeled files
/var/www/html/docs/index.html. This means that SELinux will not allow httpd to
use these files. Many third party apps install html files in directories that
SELinux policy cannot predict. These directories have to be labeled with a file
context which httpd can access.

Allowing Access:

If you want to change the file context of /var/www/html/docs/index.html so that
the httpd daemon can access it, you need to execute it using chcon -t
httpd_sys_content_t '/var/www/html/docs/index.html'. You can look at the
httpd_selinux man page for additional information.

Additional Information:

Source Context                root:system_r:httpd_t
Target Context                root:object_r:var_t
Target Objects                /var/www/html/docs/index.html [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           httpd-2.2.3-45.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-300.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-238.5.1.el5 #1
                              SMP Mon Feb 21 05:52:39 EST 2011 x86_64 x86_64
Alert Count                   10
First Seen                    Mon 28 Mar 2011 03:54:10 PM EST
Last Seen                     Mon 28 Mar 2011 04:18:29 PM EST
Local ID                      6ee29ef5-2ed3-47d3-915b-34e5fff91b7f
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1301293109.781:50): avc:  denied 
{ getattr } for  pid=15160 comm="httpd" path="/var/www/html/docs/index.html"
dev=dm-0 ino=590744 scontext=root:system_r:httpd_t:s0
tcontext=root:object_r:var_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1301293109.781:50):
arch=c000003e syscall=6 success=no exit=-13 a0=2ac1cab678c0 a1=7fff042deb70
a2=7fff042deb70 a3=0 items=0 ppid=15144 pid=15160 auid=0 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd"
exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
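
Added example, not part of the bug report or of Publican: a Python triage of AVC records like the one above that flags httpd_t denials on files under /var/www whose target type is not the content type the alert recommends, and emits the chcon command the alert gives. The function names, the docroot prefix and the two contrast records are assumptions constructed for the example.

```python
import re
import shlex

# Record copied from the bug report above (line wraps joined).
PAGE_AVC = ('host=localhost.localdomain type=AVC msg=audit(1301293109.781:50): '
            'avc:  denied  { getattr } for  pid=15160 comm="httpd" '
            'path="/var/www/html/docs/index.html" dev=dm-0 ino=590744 '
            'scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=file')
# Constructed contrast records (not from the report).
WRITE_AVC = ('type=AVC msg=audit(1301293200.000:61): avc:  denied  { write } for  '
             'pid=15161 comm="httpd" path="/var/www/html/docs/toc.html" dev=dm-0 '
             'ino=590750 scontext=root:system_r:httpd_t:s0 '
             'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file')
OTHER_AVC = ('type=AVC msg=audit(1301293300.000:62): avc:  denied  { read } for  '
             'pid=200 comm="sshd" path="/var/www/html/x" dev=dm-0 ino=1 '
             'scontext=system_u:system_r:sshd_t:s0 tcontext=root:object_r:var_t:s0 tclass=file')

# Assumption: only the type named in the alert counts as servable content here.
CONTENT_TYPES = {"httpd_sys_content_t"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)", re.S)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(record):
    """Return the key=value fields of one AVC denial, or None if it is not one."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    for side in ("scontext", "tcontext"):
        parts = fields.get(side, "").split(":")  # user:role:type[:level]
        fields[side + "_type"] = parts[2] if len(parts) >= 3 else None
    return fields

def triage(record, docroot="/var/www/"):
    """Classify an httpd_t denial: mislabeled content file, or something else."""
    avc = parse_avc(record)
    if avc is None or avc["scontext_type"] != "httpd_t":
        return None  # not an httpd denial; out of scope for this check
    path = avc.get("path", "")
    mislabeled = (avc.get("tclass") in ("file", "dir") and path.startswith(docroot)
                  and avc["tcontext_type"] not in CONTENT_TYPES)
    # The fix string is the command from the alert, with the path shell-quoted.
    fix = "chcon -t httpd_sys_content_t " + shlex.quote(path) if mislabeled else None
    return {"path": path, "perms": avc["perms"], "target_type": avc["tcontext_type"],
            "mislabeled": mislabeled, "fix": fix}

if __name__ == "__main__":
    for rec in (PAGE_AVC, WRITE_AVC, OTHER_AVC):
        print(triage(rec))
```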
