Bug 1470680
Summary: | "Missing type enforcement (TE) allow rule." related to httpd service | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Marek Grapiniak <marek.grapiniak> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED NOTABUG | QA Contact: | Milos Malik <mmalik> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 7.1 | CC: | lvrabec, marek.grapiniak, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
Target Milestone: | rc | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-07-31 14:19:37 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Marek Grapiniak
2017-07-13 12:54:41 UTC
Could you please answer following questions? * Where is the content symlink located? * Where does the content symlink point to? The default_t label is wrong. (In reply to Milos Malik from comment #2) > Could you please answer following questions? > * Where is the content symlink located? > * Where does the content symlink point to? > > The default_t label is wrong. Hi, Milos content symlink is located in a root directory lrwxrwxrwx. 1 root root 5 Sep 22 2015 content -> /apps -> drwxr-xr-x. 7 root root 4096 Aug 31 2016 apps Nothing has changed really and issue started to occur after installing OS updates around 12th of June 2017th. Regards, Marek (In reply to Milos Malik from comment #2) > Could you please answer following questions? > * Where is the content symlink located? > * Where does the content symlink point to? > > The default_t label is wrong. What should be the correct label ? BR, Marek Marek, Correct label is: httpd_sys_content_t you can setup right label using command semanage. THanks, Lukas. (In reply to Lukas Vrabec from comment #5) > Marek, > > Correct label is: httpd_sys_content_t > > you can setup right label using command semanage. > > THanks, > Lukas. Hi Lukas, Here is the output of semanage fcontext -l on my /apps directory [root@invgb3vldisptch01 ~]# semanage fcontext -l |grep "/apps/" /apps/cache(/.*)? all files system_u:object_r:httpd_sys_rw_content_t:s0 /apps/logs(/.*)? all files system_u:object_r:httpd_log_t:s0 Also I have a symlink /content created to /apps and within Apache config there are references to /content and thus the error message show up. I would say the same fcontext rules should be applied for /content/cache* and /content/logs* via semanage. Please advise if that is a valid approach. What is the output of following command? # matchpathcon /content /apps They do match: /content system_u:object_r:default_t:s0 /apps system_u:object_r:default_t:s0 "I would say the same fcontext rules should be applied for /content/cache* and /content/logs* via semanage." I have just checked and it looks like fcontext match for above locations but not sure if that was a result of the workaround I mentioned before or not. Se below: "Additional info: To mitigate the issue: - Ran: ausearch -c 'httpd' --raw | audit2allow -M my-httpd - followed by: semodule -i my-httpd.pp" We will need to setup also labeling for the top level /apps directory. Marek, could you please run # semanage fcontext -a -t "var_t" "/content(/.*)?" # semanage fcontext -a -t "var_t" "/apps(/.*)?" # restorecon -R -v /apps /content to see if it works. I will give it a go and report shortly. Thx. (In reply to Marek Grapiniak from comment #11) > I will give it a go and report shortly. > > Thx. Ok. Please reopen the bug if it does not work. Thank you Marek. |