Bug 136167

Summary: selinux stops httpd from following symbolic links?
Product: [Fedora] Fedora Reporter: Thomas J. Baker <tjb>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-10-18 20:35:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Thomas J. Baker 2004-10-18 14:44:23 UTC 
Description of problem:
I'm having a problem getting selinux to allow httpd to follow a
symlink. The errors are like this:

audit(1098110552.900:0): avc:  denied  { getattr } for  pid=7102
exe=/usr/sbin/httpd path=/mirror/ftp/yum/fedora dev=hdb1 ino=25165826
scontext=root:system_r:httpd_t tcontext=root:object_r:default_t
tclass=lnk_file

The context of the file it's trying to access should be correct:
[root@wintermute web]# ls -lZ /mirror/ftp/yum/fedora
drwxr-xr-x  tjb      users    system_u:object_r:httpd_user_content_t 1
drwxr-xr-x  tjb      users    system_u:object_r:httpd_user_content_t 2
drwxr-xr-x  tjb      users    system_u:object_r:httpd_user_content_t
developmentdrwxr-xr-x  tjb      users   
system_u:object_r:httpd_user_content_t test
drwxr-xr-x  tjb      users    system_u:object_r:httpd_user_content_t
updates
[root@wintermute web]# ls -lZ /mirror/ftp/fedora
drwxr-xr-x  tjb      users    system_u:object_r:httpd_user_content_t 1
drwxr-xr-x  tjb      users    system_u:object_r:httpd_user_content_t 2
drwxr-xr-x  tjb      users    system_u:object_r:httpd_user_content_t
developmentdrwxr-xr-x  tjb      users   
system_u:object_r:httpd_user_content_t test
drwxr-xr-x  tjb      users    system_u:object_r:httpd_user_content_t
updates
[root@wintermute web]# ls -l /mirror/ftp/yum/fedora
lrwxrwxrwx  1 root root 9 Oct 15 09:58 /mirror/ftp/yum/fedora -> ../fedora
[root@wintermute web]#


Version-Release number of selected component (if applicable):

[root@wintermute web]# rpm -qa | grep  selinux
selinux-policy-targeted-sources-1.17.31-1
libselinux-devel-1.17.14-1
selinux-policy-targeted-1.17.31-1
libselinux-1.17.14-1
[root@wintermute web]#


How reproducible:
Happens with any link.

Steps to Reproduce:
1. have symbolic links in a directory structure served by httpd
2. enable selinux
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Daniel Walsh 2004-10-18 20:35:52 UTC 
The problem here is that the link is labeled default_t.
To see the context do 
ls -ldZ /mirror/ftp/yum/fedora


Fix this by doing the following:

 chcon -h -t httpd_sys_content_t /mirror/ftp/yum/fedora