Bug 2179628

Summary: httpd's mod_dav has no standard directory for storing files marked httpd_sys_rw_content_t
Product: Red Hat Enterprise Linux 9
Component: selinux-policy
Version: 9.2
Status: CLOSED WONTFIX
Severity: low
Priority: low
Reporter: Graham Leggett <minfrin>
Assignee: Nikola Knazekova <nknazeko>
QA Contact: Milos Malik <mmalik>
CC: lvrabec, mmalik, zpytela
Target Milestone: rc
Keywords: Triaged
Hardware: Unspecified
OS: Linux
Doc Type: No Doc Update
Type: Bug
Last Closed: 2023-08-04 14:35:00 UTC

Description Graham Leggett 2023-03-19 10:04:19 UTC
Description of problem:

When attempting to configure mod_dav under httpd, there is no default directory configured that allows write access (SELinux httpd_sys_rw_content_t context).

Version-Release number of selected component (if applicable):

selinux-policy-34.1.43-1.el9_1.2.noarch

How reproducible:

Always.

Steps to Reproduce:
1. semanage fcontext -l | grep httpd_sys_rw_content_t

Actual results:

Sensible default locations for svn:

/var/www/svn(/.*)?                                 all files          system_u:object_r:httpd_sys_rw_content_t:s0 

Nothing for dav.

Expected results:

Sensible default location for dav, for example:

/var/www/dav(/.*)?                                 all files          system_u:object_r:httpd_sys_rw_content_t:s0 

Additional info:

Comment 1 Milos Malik 2023-03-24 09:47:31 UTC
# rpm -qa mod\*
mod_dav_svn-1.14.1-5.el9_0.x86_64
# rpm -ql mod_dav_svn | grep example
/usr/share/doc/mod_dav_svn/example.conf
# grep /var/www /usr/share/doc/mod_dav_svn/example.conf
# containing Subversion repositories, "/var/www/svn".  Each repository
#   # cd /var/www/svn
#   SVNParentPath /var/www/svn

Here is a way to set up an SELinux equivalency between the /var/www/svn and /var/www/dav locations:

# matchpathcon /var/www/svn
/var/www/svn	system_u:object_r:httpd_sys_rw_content_t:s0
# matchpathcon /var/www/dav
/var/www/dav	system_u:object_r:httpd_sys_content_t:s0
# semanage fcontext -l | grep /var/www/dav
# semanage fcontext -l | grep /var/www/svn
/var/www/svn(/.*)?                                 all files          system_u:object_r:httpd_sys_rw_content_t:s0 
/var/www/svn/conf(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0 
/var/www/svn/hooks(/.*)?                           all files          system_u:object_r:httpd_sys_script_exec_t:s0 
# semanage fcontext -a -e /var/www/svn /var/www/dav
# semanage fcontext -l | grep /var/www/dav
/var/www/dav = /var/www/svn
# matchpathcon /var/www/svn
/var/www/svn	system_u:object_r:httpd_sys_rw_content_t:s0
# matchpathcon /var/www/dav
/var/www/dav	system_u:object_r:httpd_sys_rw_content_t:s0
#

Let us know if this approach helped to solve your issue.

Thank you.
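
Added example (not part of the comment above and not code from selinux-policy): a small resolver that shows which type each path under /var/www/dav receives once the equivalence is in place, including the svn-specific conf and hooks sub-rules that the equivalence carries along. The listing is a constructed sample built from the output quoted above; the /var/www rule and the "longest literal prefix wins" matching are assumptions of this sketch.

```shell
#!/bin/sh
# Constructed sample: the `semanage fcontext -l` lines quoted in comment 1 after
# `semanage fcontext -a -e /var/www/svn /var/www/dav`, plus the stock /var/www
# rule (assumed here; it explains the httpd_sys_content_t result shown earlier).
SAMPLE_LISTING='/var/www(/.*)?            all files  system_u:object_r:httpd_sys_content_t:s0
/var/www/svn(/.*)?        all files  system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/svn/conf(/.*)?   all files  system_u:object_r:httpd_sys_content_t:s0
/var/www/svn/hooks(/.*)?  all files  system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/dav = /var/www/svn'

# label_for PATH: read a listing on stdin, print the type PATH resolves to.
# Simplification (assumption): of all matching patterns, the one with the
# longest literal prefix wins, approximating "most specific rule wins".
label_for() {
    awk -v path="$1" '
        # Equivalence line: ALIAS = TARGET
        NF == 3 && $2 == "=" { alias[$1] = $3; next }
        # Rule line: PATTERN <file type> CONTEXT (type is the 3rd context field)
        NF >= 3 { pat[++n] = $1; split($NF, ctx, ":"); type[n] = ctx[3] }
        END {
            # Rewrite PATH through an equivalence whose alias is its prefix
            for (a in alias)
                if (path == a || index(path, a "/") == 1) {
                    path = alias[a] substr(path, length(a) + 1)
                    break
                }
            best = -1; result = "<<none>>"
            for (i = 1; i <= n; i++) {
                if (path !~ ("^" pat[i] "$")) continue
                lit = pat[i]
                sub("[^A-Za-z0-9_/-].*", "", lit)   # keep the literal prefix
                if (length(lit) > best) { best = length(lit); result = type[i] }
            }
            print result
        }'
}

# Show what the equivalence implies for the DAV tree and its subdirectories
for p in /var/www/dav /var/www/dav/docs/a.txt /var/www/dav/conf/a /var/www/dav/hooks/a; do
    printf '%-26s %s\n' "$p" "$(printf '%s\n' "$SAMPLE_LISTING" | label_for "$p")"
done
```

If only the writable type is wanted for the DAV tree, an explicit rule avoids inheriting the svn sub-rules: semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/dav(/.*)?' followed by restorecon -Rv /var/www/dav.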

Comment 2 Graham Leggett 2023-04-03 09:43:14 UTC
(In reply to Milos Malik from comment #1)
> Let us know if this approach helped to solve your issue.

The issue is that this should work out of the box, without me doing anything weird or non-standard.

Comment 4 Nikola Knazekova 2023-08-04 14:35:00 UTC
Hi,
this bug will be closed as wontfix, because the path /var/www/dav is not defined in the official Apache documentation.