Bug 163493
| Summary: | SELinux prohibit HTTPD to list cifs mounts | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dimitar Pashev <mitko> |
| Component: | kernel | Assignee: | James Morris <jmorris> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4 | CC: | jmorris, sdsmall |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2006-05-05 14:56:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This looks like it might be a kernel/policy mismatch problem? Any update on this? Are you still seeing this problem? audit(1126342432.212:4533451): avc: denied { 0x100000 } for name=writer
dev=cifs ino=3714545 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=file
audit(1126342432.212:4533451): syscall=195 arch=40000003 success=no exit=-13
a0=8853130 a1=ae954e8c a2=4bbe6ff4 a3=ae954e8c items=1 pid=6892 loginuid=-1
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm=httpd
exe=/usr/sbin/httpd
audit(1126342432.212:4533451): item=0
name="/var/www/html/remote/docs/writer/index.htm" inode=3714545 dev=00:11
mode=040777 uid=0 gid=0 rdev=00:00
tclass=file is wrong here, as the object is a directory. That is why the permission value (0x100000 == DIR__SEARCH) is not being interpreted correctly. Since the tcontext is correct, selinux_d_instantiate->inode_doinit must have completed. It would have set the class from the inode mode information at the time of the d_instantiate/d_splice_alias (i.e. when it was first looked up or created). This suggests that cifs is calling d_instantiate without first setting the inode mode. Looking at the cifs code, it appears that cifs_filldir (called upon a readdir on a cifs directory) constructs a dentry for each entry in the directory (thereby calling d_instantiate) without first setting up the inode state. It then fills in the inode state prior to calling filldir. I'd classify this as a bug in cifs, not SELinux. It should set the inode mode prior to calling d_instantiate so that the inode is not accessible with uninitialized state. This is a mass-update to all currently open Fedora Core 3 kernel bugs. Fedora Core 3 support has transitioned to the Fedora Legacy project. Due to the limited resources of this project, typically only updates for new security issues are released. As this bug isn't security related, it has been migrated to a Fedora Core 4 bug. Please upgrade to this newer release, and test if this bug is still present there. This bug has been placed in NEEDINFO_REPORTER state. Due to the large volume of inactive bugs in bugzilla, if this bug is still in this state in two weeks time, it will be closed. Should this bug still be relevant after this period, the reporter can reopen the bug at any time. Any other users on the Cc: list of this bug can request that the bug be reopened by adding a comment to the bug. Thank you. This is a mass-update to all currently open kernel bugs. A new kernel update has been released (Version: 2.6.15-1.1830_FC4) based upon a new upstream kernel release. Please retest against this new kernel, as a large number of patches go into each upstream release, possibly including changes that may address this problem. This bug has been placed in NEEDINFO_REPORTER state. Due to the large volume of inactive bugs in bugzilla, if this bug is still in this state in two weeks time, it will be closed. Should this bug still be relevant after this period, the reporter can reopen the bug at any time. Any other users on the Cc: list of this bug can request that the bug be reopened by adding a comment to the bug. If this bug is a problem preventing you from installing the release this version is filed against, please see bug 169613. Thank you. Closing per previous comment. Patch available for mainline and tests out ok - sending off to Linus for 2.6.18 (in case it is not too late) |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8) Gecko/20050511 Description of problem: HTTPD daemon unable to list cifs mounted directories. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. mkdir -p /var/www/html/remote 2. mount /windows-server/share /var/www/html/remote -t cifs -o fscontext=system_u:object_r:httpd_sys_content_t 3. httpd.conf <Directory /var/www/html/remote> Options +Indexes Allow from all </Directory> Actual Results: audit(1121686107.475:0): avc: denied { 0x100000 } for name=docs dev=cifs ino=236013 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file Additional info: