Bug 141963

Summary: SSI includes not working with targeted policy enabled
Product: Fedora
Reporter: Mace Moneta <moneta.mace>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: 3
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-12-06 18:46:08 UTC

Description Mace Moneta 2004-12-06 14:32:57 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0

Description of problem:
With the selinux targeted policy enabled, SSI includes on the web
server of the following form are not working:

<!--#include virtual="/weblog/Header1.html" -->

(where weblog is a symlink to a directory in /home).

The error received by /var/log/httpd/error_log is:

[Mon Dec 06 09:20:53 2004] [error] [client 135.82.8.134] (13)Permission denied: access to /weblog/Header1.html denied

[Mon Dec 06 09:20:53 2004] [error] [client 135.82.8.134] unable to include "/weblog/Header1.html" in parsed file /var/www/html/index.html

Disabling the targeted policy permits the web server to operate normally.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.39

How reproducible:
Always

Steps to Reproduce:
1. Use SSI include as documented above
2. Enable targeted policy
3. Observe failure

Actual Results:
[Mon Dec 06 09:20:53 2004] [error] [client 135.82.8.134] (13)Permission denied: access to /weblog/Header1.html denied

[Mon Dec 06 09:20:53 2004] [error] [client 135.82.8.134] unable to include "/weblog/Header1.html" in parsed file /var/www/html/index.html


Expected Results:  SSI included files served.

Additional info: Policy enabled/disabled using system-config-securitylevel

Comment 1 Mace Moneta 2004-12-06 14:55:13 UTC
Clarification: While the system-config-securitylevel application
identifies the change as "Enable" for the policy, it is switching
between enforcing and permissive.

Also, in permissive mode, the following messages are shown in
/var/log/messages:

Dec  6 09:48:18 buggsb kernel: audit(1102344498.928:0): avc:  denied  { getattr } for  pid=14298 exe=/usr/sbin/httpd path=/home/weblog/Header1.html dev=dm-0 ino=6225995 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file

Dec  6 09:48:18 buggsb kernel: audit(1102344498.928:0): avc:  denied  { getattr } for  pid=14298 exe=/usr/sbin/httpd path=/home/weblog/Header1.html dev=dm-0 ino=6225995 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file


Comment 2 Colin Walters 2004-12-06 17:49:13 UTC
The problem you're running into is that you're trying to store web
content in a home directory.  Notice the type of the file is
user_home_t, which httpd_t is not allowed to read.  For more
information, see:

http://fedora.redhat.com/docs/selinux-apache-fc3/

Your options are:
1) Label the files as httpd_sys_content_t, which should work
2) Disable SELinux enforcement for Apache if you can't get it to work
(see the guide for how to do that)
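
The triage that Comment 1 and Comment 2 walk through by hand (read the AVC record, look at the target type, decide whether relabeling to httpd_sys_content_t is the fix) can be scripted. The Python below is an added example, not part of this bug report or of Fedora's tooling. It parses `avc: denied` records from a /var/log/messages excerpt, collapses repeats into (source type, target type, class, permissions) groups, and for httpd_t denials on a file that is not already labeled as web content it returns the `chcon` command that applies option 1 above. The first two log lines are the records from Comment 1 unwrapped onto one line each; the remaining lines are constructed (one non-AVC kernel line and one httpd_t write denial on httpd_sys_content_t) to exercise the filter and the "labeling is not the problem" branch. The list of content types is an assumption covering the type named in Comment 2.

```python
import re
from dataclasses import dataclass

# Sample input: two real AVC records from Comment 1 (unwrapped), followed by two
# constructed lines that are NOT from the bug report.
SAMPLE_LOG = """\
Dec  6 09:48:18 buggsb kernel: audit(1102344498.928:0): avc:  denied  { getattr } for  pid=14298 exe=/usr/sbin/httpd path=/home/weblog/Header1.html dev=dm-0 ino=6225995 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Dec  6 09:48:18 buggsb kernel: audit(1102344498.928:0): avc:  denied  { getattr } for  pid=14298 exe=/usr/sbin/httpd path=/home/weblog/Header1.html dev=dm-0 ino=6225995 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Dec  6 09:48:19 buggsb kernel: device-mapper: ioctl: 4.1.0-ioctl (constructed, not an AVC line)
Dec  6 09:48:20 buggsb kernel: audit(1102344500.100:0): avc:  denied  { write } for  pid=14298 exe=/usr/sbin/httpd path=/var/www/html/guestbook.txt dev=dm-0 ino=7000001 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file
"""

# "avc:  denied  { getattr } for  pid=... key=value ..." (spacing varies, hence \s+)
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; newer kernels quote some values (comm="httpd"), so accept both forms
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: target types that httpd_t is expected to read as web content.
# Comment 2 names httpd_sys_content_t; a denial on such a file is not a labeling problem.
HTTPD_CONTENT_TYPES = {"httpd_sys_content_t"}
WEB_CONTENT_TYPE = "httpd_sys_content_t"


@dataclass
class AvcRecord:
    result: str          # "denied" or "granted"
    perms: tuple         # permissions inside the braces, e.g. ("getattr",)
    fields: dict         # pid, exe, path, scontext, tcontext, tclass, ...


def parse_avc(line):
    """Return an AvcRecord for an AVC line, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return AvcRecord(m.group("result"), tuple(m.group("perms").split()), fields)


def parse_log(text):
    """Parse every line of a syslog excerpt, keeping only AVC records."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def type_of(context):
    """Extract the type field from a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize(records):
    """Count denials per (source type, target type, object class, permissions)."""
    counts = {}
    for r in records:
        if r.result != "denied":
            continue
        key = (type_of(r.fields["scontext"]), type_of(r.fields["tcontext"]),
               r.fields.get("tclass", "?"), r.perms)
        counts[key] = counts.get(key, 0) + 1
    return counts


def suggest(record):
    """Return a chcon command (option 1 from Comment 2) when the denial is a labeling
    problem: httpd_t denied on a file whose type is not web content. Return None when
    the target is already web content, because then the denial is policy working as
    intended (e.g. httpd_t is not meant to write to httpd_sys_content_t)."""
    if record.result != "denied" or type_of(record.fields.get("scontext", "")) != "httpd_t":
        return None
    if record.fields.get("tclass") not in ("file", "dir", "lnk_file"):
        return None
    if type_of(record.fields["tcontext"]) in HTTPD_CONTENT_TYPES:
        return None
    path = record.fields.get("path")
    if not path:
        return None
    return f"chcon -t {WEB_CONTENT_TYPE} {path}"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in summarize(recs).items():
        print(f"{n}x {key[0]} -> {key[1]} ({key[2]}) {' '.join(key[3])}")
    for r in recs:
        cmd = suggest(r)
        if cmd:
            print("fix:", cmd)
```

`chcon` changes only the inode's label, so a later `restorecon` or a full filesystem relabel puts the file back to its default context; on systems with `semanage`, persist the decision with `semanage fcontext -a -t httpd_sys_content_t "/home/weblog(/.*)?"` followed by `restorecon -R /home/weblog`. Note also that the AVC `path=` is the resolved target of the symlink (/home/weblog/...), not the /weblog path Apache logged, which is why the fix must be applied under /home.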

Comment 3 Mace Moneta 2004-12-06 18:46:08 UTC
Ah, that's what I was missing.  Setting "Allow HTTPD to read home
directories" in system-config-securitylevel didn't change the
file/directory contexts.  I had assumed it would.  Closing.