Bug 146471

Summary: httpd UserDir doesn't work
Product: [Fedora] Fedora Reporter: Chris Lee <clee>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 3   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHBA-2005-251 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-01-31 14:21:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Chris Lee 2005-01-28 17:21:06 UTC 
Description of problem: I enable UserDir in my httpd.conf. I make sure the file
permissions are properly set on my ~/public_html, which is on an NFS directory
automounted via autofs. httpd cannot serve files from this folder because
SELinux prevents it from seeing them. I get 403 Forbidden errors from Apache
when trying to visit any folder in /~clee/.

Version-Release number of selected component (if applicable): 
selinux-policy-targeted-1.17.30-2.52.1-noarch

How reproducible: Always

Steps to Reproduce:
1. setenforce Enforcing
2. Mount home directory from NFS with automount
3. Enable UserDir in /etc/httpd/conf/httpd.conf
  
Actual results: httpd fails to serve my ~/public_html folder

Expected results: httpd should serve my ~/public_html folder
Comment 1 Chris Lee 2005-01-28 17:23:19 UTC 
Using the audit2allow tool to scan /var/log/messages (got that tip from Jeff
Needle), this line was suggested:

allow httpd_t autofs_t:dir { getattr search };

Not sure where to put that, though.
Comment 2 Daniel Walsh 2005-01-28 19:24:19 UTC 
Fixed in selinux-policy-targeted-1.17.30-2.75
Comment 3 Jon Orris 2005-04-22 19:53:44 UTC 
I've verified this works for NFS dirs, which Chris was trying, but it still
fails for an ordinary user home directory.

Apr 22 15:58:31 localhost kernel: audit(1114199911.371:0): avc:  denied  {
getattr } for  pid=3766 exe=/usr/sbin/httpd path=/home/foo/public_html dev=dm-0
ino=1880509 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t
tclass=dir

[root@localhost ~]# ls -lRZ /home/foo
/home/foo:
drwxr-xr-x  foo      foo      user_u:object_r:user_home_t      public_html
/home/foo/public_html:
-rw-rw-r--  foo      foo      user_u:object_r:user_home_t      index.html
Comment 4 Daniel Walsh 2005-04-22 19:59:21 UTC 
try a restorecon on it
restorecon -R /home/foo/public_html

Or if that does not work.

chcon -R user_u:object_r:httpd_user_content_t /home/foo/public_html
Comment 5 Jon Orris 2005-04-22 20:02:18 UTC 
Ok, restorecon did the trick.
Comment 6 Tim Powers 2005-06-09 13:06:16 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-251.html