Bug 1491994
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | httpd is prevented from reading user directories | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Pierre Ossman <ossman> |
| Component | selinux-policy | Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA | QA Contact | Milos Malik <mmalik> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 7.4 | CC | astrand, fabian.arrotin, lvrabec, mgrepl, mmalik, ossman, pasik, pasteur, plautrba, ssekidde |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-3.13.1-175.el7 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2018-04-10 12:43:43 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Pierre Ossman
2017-09-15 08:50:42 UTC
Could you run the following commands and attach their output?

```
# rpm -qa selinux-policy\*
# getsebool -a | grep http
```

---

```
# rpm -qa selinux-policy\*
selinux-policy-targeted-3.13.1-166.el7_4.4.noarch
selinux-policy-3.13.1-166.el7_4.4.noarch
# getsebool -a | grep http
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> on
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
named_tcp_bind_http_port --> off
prosody_bind_http_port --> off
```

---

If you enable the httpd_unified boolean, your scenario should work:

```
# sesearch -s httpd_t -t httpd_user_content_t -c dir -A -C -p read
Found 7 semantic av rules:
DT allow httpd_t httpdcontent : dir { ioctl read write getattr lock add_name remove_name search open } ; [ httpd_enable_cgi httpd_unified && httpd_builtin_scripting && ]
DT allow httpd_t httpdcontent : dir { ioctl read write getattr lock add_name remove_name search open } ; [ httpd_enable_cgi httpd_unified && httpd_builtin_scripting && ]
DT allow httpd_t httpdcontent : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ; [ httpd_enable_cgi httpd_unified && httpd_builtin_scripting && ]
DT allow httpd_t httpdcontent : dir { ioctl read write getattr lock add_name remove_name search open } ; [ httpd_enable_cgi httpd_unified && httpd_builtin_scripting && ]
DT allow httpd_t httpdcontent : dir { ioctl read write getattr lock add_name remove_name search open } ; [ httpd_enable_cgi httpd_unified && httpd_builtin_scripting && ]
DT allow httpd_t httpdcontent : dir { ioctl read write getattr lock add_name remove_name search open } ; [ httpd_enable_cgi httpd_unified && httpd_builtin_scripting && ]
DT allow httpd_t httpdcontent : dir { ioctl read write getattr lock add_name remove_name search open } ; [ httpd_enable_cgi httpd_unified && httpd_builtin_scripting && ]
#
```

I must admit that the description of the boolean is not as explanatory as it could be.

```
# semanage boolean -l | grep unified
httpd_unified                  (off  ,  off)  Unify HTTPD handling of all content files.
#
```

---

From what I read of that boolean it seems like way too big of a hammer for this. It seems to turn off a lot of protection for httpd?

Why isn't read of httpd_user_content_t dirs allowed when read of files with the same type is just fine?

---

Lukas, can you answer the question please?

---

Seeing this on CentOS 7.4 as well. Using the httpd_unified boolean works around this issue for me. In my case it was php-fpm not being able to read httpd_user_content_t directories.

---

Correction, httpd_unified does not fix php-fpm, it was a cache fluke.

---

Was the needinfo cleared by mistake there? :)

---

I have used this custom module to work around the issue in my environment which allows what Pierre described earlier. It does fix the issues I had with php-fpm.

```
-- snip --
module httpd_user_read_dir 1.0;

require {
        type httpd_user_content_t;
        type httpd_t;
        class dir read;
}

#============= httpd_t ==============
allow httpd_t httpd_user_content_t:dir read;
-- snap --
```

---

Hi,

Actually this is not a bug, it's a feature! :)

We have two similar booleans:

httpd_read_user_content
httpd_enable_homedirs

You're trying to use httpd_read_user_content; this boolean contains the following rules:

```
# sesearch -A -s httpd_t | grep httpd_read_user_content
allow httpd_t home_root_t:dir { getattr open search }; [ httpd_read_user_content ]:True
allow httpd_t home_root_t:lnk_file { getattr read }; [ httpd_read_user_content ]:True
allow httpd_t user_home_dir_t:dir { getattr ioctl lock open read search }; [ httpd_read_user_content ]:True
allow httpd_t user_home_dir_t:dir { getattr open search }; [ httpd_read_user_content ]:True
allow httpd_t user_home_dir_t:dir { getattr open search }; [ httpd_read_user_content ]:True
allow httpd_t user_home_dir_t:lnk_file { getattr read }; [ httpd_read_user_content ]:True
allow httpd_t user_home_type:dir { getattr ioctl lock open read search }; [ httpd_read_user_content ]:True
allow httpd_t user_home_type:dir { getattr open search }; [ httpd_read_user_content ]:True
allow httpd_t user_home_type:dir { getattr open search }; [ httpd_read_user_content ]:True
allow httpd_t user_home_type:file { getattr ioctl lock open read }; [ httpd_read_user_content ]:True
```

Attribute user_home_type contains the following types:

```
# seinfo -xauser_home_type
Type Attributes: 1
   attribute user_home_type;
      alsa_home_t antivirus_home_t audio_home_t auth_home_t cache_home_t
      chrome_sandbox_home_t config_home_t container_home_t cvs_home_t data_home_t
      dbus_home_t fetchmail_home_t gconf_home_t git_user_content_t
      gkeyringd_gnome_home_t gnome_home_t gpg_secret_t gstreamer_home_t home_bin_t
      home_cert_t icc_data_home_t iceauth_home_t irc_home_t irc_tmp_t irssi_home_t
      kismet_home_t krb5_home_t local_login_home_t mail_home_rw_t mail_home_t
      mandb_home_t mozilla_home_t mpd_home_t mpd_user_data_t mplayer_home_t
      mysqld_home_t openshift_var_lib_t polipo_cache_home_t polipo_config_home_t
      procmail_home_t pulseaudio_home_t rlogind_home_t rssh_ro_t rssh_rw_t
      sandbox_file_t screen_home_t spamc_home_t speech-dispatcher_home_t ssh_home_t
      svirt_home_t systemd_home_t telepathy_cache_home_t telepathy_data_home_t
      telepathy_gabble_cache_home_t telepathy_logger_cache_home_t
      telepathy_logger_data_home_t telepathy_mission_control_cache_home_t
      telepathy_mission_control_data_home_t telepathy_mission_control_home_t
      telepathy_sunshine_home_t texlive_home_t thumb_home_t tvtime_home_t uml_ro_t
      uml_rw_t user_fonts_cache_t user_fonts_config_t user_fonts_t user_home_t
      user_tmp_t virt_content_t virt_home_t vmware_conf_t vmware_file_t wine_home_t
      wireshark_home_t xauth_home_t xdm_home_t
```

As you can see, there is no httpd_user_content_t, which is good.

Boolean httpd_enable_homedirs is for your case, when you would like to have webpages in your home dir. With boolean httpd_read_user_content you can read (almost) all files in a user's homedir, which is something different.

The following command should fix your issue:

```
# semanage boolean -m httpd_enable_homedirs --on
```

Lukas.

---

Please let us know if comment#11 helps.

Thanks,
Lukas.

---

I'm afraid it does not. httpd_enable_homedirs is already "on", but that is insufficient (as mentioned in the original comment creating this bug).

The issue is not about httpd_user_content_t in general. This is about *directories* with that type. They are for some reason locked down now, but not files. And neither are httpd_user_rw_content_t directories. And it's a regression.

So all in all this reeks of a bug where someone accidentally removed a "allow httpd_t httpd_user_content_t:dir read" line somewhere. :)

---

You are right, sorry I see it now.

Fixed in Fedora Rawhide, F27, F26 and it will be part of next minor release of RHEL.

---

I don't mean to be rude but this is rather critical for anyone using SELinux with httpd and user directories and if it was an honest mistake and a regression, couldn't this be pushed before a minor release? As 7.4 was released just a few months ago it will take very long for this to land in production and I suspect this will encourage more people to disable SELinux as you can't work around it without a custom module for now.

Thanks.

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763
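As an added example, not code from this bug report or from the selinux-policy project: a POSIX shell script that picks the exact denial this regression produces (httpd_t denied `read` on a `dir` labelled httpd_user_content_t) out of an audit log, refuses to act on anything else, and emits the same one-rule module that was posted in the thread as a workaround. The two `SAMPLE_*` audit lines are constructed for this example (the field layout is auditd's standard AVC record format); the module name `httpd_user_read_dir` is taken from the thread; `avc_tuple`, `is_bug_1491994_denial`, `gen_te` and `build_and_install` are this example's own helper names; the install step assumes the `checkpolicy` and `policycoreutils` packages that provide `checkmodule`, `semodule_package` and `semodule`.

```shell
#!/bin/sh
# Added example for bug 1491994 (not code from the report or from selinux-policy):
# turn the one AVC denial this regression produces into the narrow workaround
# module posted in the thread, instead of reaching for httpd_unified.
# SAMPLE_HIT / SAMPLE_OTHER are constructed audit lines, not from the report.
set -eu

SAMPLE_HIT='type=AVC msg=audit(1505464242.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="public_html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0'
SAMPLE_OTHER='type=AVC msg=audit(1505464300.001:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# Print "source_type target_type class permission" for one AVC denial line.
# Returns 1 (prints nothing) for any other audit record.
avc_tuple() {
    printf '%s\n' "$1" | awk '
        /avc: *denied/ {
            perm = ""; s = ""; t = ""; c = ""
            # the permission set sits between "{ " and " }"
            if (match($0, /[{] [^}]* [}]/))
                perm = substr($0, RSTART + 2, RLENGTH - 4)
            for (i = 1; i <= NF; i++) {
                # contexts are user:role:type[:range]; the type is element 3
                if ($i ~ /^scontext=/)      { split($i, a, ":"); s = a[3] }
                else if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
                else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
            }
            if (s != "" && t != "" && c != "" && perm != "") {
                print s, t, c, perm
                found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# True only for the tuple this bug is about: httpd_t reading a directory
# labelled httpd_user_content_t. Anything else is left for a human to review
# rather than being turned into policy automatically (the audit2allow trap).
is_bug_1491994_denial() {
    [ "$1" = "httpd_t httpd_user_content_t dir read" ]
}

# Emit type-enforcement source for a single allow rule: the module from the
# thread, parameterised. $1 module name, $2 source type, $3 target type,
# $4 object class, $5 permission.
gen_te() {
    cat <<EOF
module $1 1.0;

require {
        type $3;
        type $2;
        class $4 $5;
}

#============= $2 ==============
allow $2 $3:$4 $5;
EOF
}

# Compile and load a .te file. Needs root, checkpolicy (checkmodule) and
# policycoreutils (semodule_package, semodule). Remove the module again with
# "semodule -r httpd_user_read_dir" once the fixed selinux-policy is installed,
# so the distribution policy is authoritative again.
build_and_install() {
    te=$1
    base=${te%.te}
    checkmodule -M -m -o "$base.mod" "$te"
    semodule_package -o "$base.pp" -m "$base.mod"
    semodule -i "$base.pp"
}

# Scan an audit log (or the constructed samples when no file is given) and
# print the .te for each matching denial; unrelated denials are only reported.
main() {
    if [ $# -gt 0 ]; then
        grep 'avc: *denied' "$1"
    else
        printf '%s\n%s\n' "$SAMPLE_HIT" "$SAMPLE_OTHER"
    fi | while IFS= read -r line; do
        tuple=$(avc_tuple "$line") || continue
        if is_bug_1491994_denial "$tuple"; then
            set -- $tuple
            gen_te httpd_user_read_dir "$1" "$2" "$3" "$4"
        else
            echo "# skipping unrelated denial: $tuple" >&2
        fi
    done
}

main "$@"
```

Run it as `sh avc_to_module.sh /var/log/audit/audit.log > httpd_user_read_dir.te`, check that the only rule in the output is `allow httpd_t httpd_user_content_t:dir read;`, then run the three commands in `build_and_install` as root. The point of the `is_bug_1491994_denial` gate is that an unrelated denial in the same log (the constructed `name_connect` line stands in for one) must not be converted into policy just because it mentions httpd_t.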