Bug 127900

Summary: selinux-policy-targeted breaks file access for httpd
Product: [Fedora] Fedora Reporter: Nathan G. Grennan <redhat-bugzilla>
Component: selinux-policy-targetedAssignee: Russell Coker <rcoker>
Status: CLOSED NOTABUG QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: dwalsh, pgraner
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-10-05 23:22:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 123268, 133652    

Description Nathan G. Grennan 2004-07-15 03:31:27 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7)
Gecko/20040617 Galeon/1.3.16

Description of problem:
SELinux policy breaks file access for httpd. I can't retrieve
/var/www/html/vm/vm.exe aka http://hostname/vm/vm.exe. I also can't
see the file in the index listing for http://hostname/vm/

/etc/sysconfig/selinux:
SELINUX=enforcing
SELINUXTYPE=targeted

dmesg output:
audit(1089861367.288:0): avc:  denied  { getattr } for  pid=1847
exe=/usr/sbin/httpd path=/var/www/html/vm/vm.exe dev=md1 ino=611056
scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t
tclass=file

Version-Release number of selected component (if applicable):
policy-1.11.3-3.1

How reproducible:
Always

Steps to Reproduce:
1. mv file /var/www/html
2. Start httpd
3. Open a browser on another computer and try to retrieve the file

    

Actual Results:  Forbidden

Expected Results:  Download dialog

Additional info:
Comment 1 Nathan G. Grennan 2004-07-15 03:37:59 UTC 
selinux-policy-targeted-1.15.3-1

The previous version had the same problem, and a tested workaround was
to disable selinux.
Comment 2 Daniel Walsh 2004-08-11 20:46:09 UTC 
In order to get homedirectory access working with Targeted policy you
need to mark the files with httpd_user_content_t

chcon -t httpd_user_content_t /home/user/XYZ
Comment 3 Ben Levenson 2004-10-05 23:22:44 UTC 
You need to change the context of the file after you relocate it
from your home directory to /var/www/html.
"restorecon /var/www/html/vm/vm.exe" should do the trick.

Closing as NOTABUG.