Bug 238277
| Summary: | selinux prevents httpd to read user home directories | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Stefan Becker <chemobejk> |
| Component: | anaconda | Assignee: | Anaconda Maintenance Team <anaconda-maint-list> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | dwalsh |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-05-02 21:36:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
getattr rights are required too:
module local 1.0;
require {
type httpd_t;
type default_t;
class dir { search getattr };
}
#============= httpd_t ==============
allow httpd_t default_t:dir { search getattr };
Your home directories are mislabeled. They should be labeled something like user_home_dir_t and user_home_t. Try restorecon -R -v ~user Are these homedirectories in a different location? Home directory: drwx--x--x user_u:object_r:user_home_dir_t stefanb stefanb . drwxr-xr-x system_u:object_r:default_t root root .. /home/stefanb/public_html is a mounted LVM partition: drwxrwxrwx user_u:object_r:httpd_sys_content_t stefanb stefanb public_html top-level inside public_html: drwxrwxrwx user_u:object_r:httpd_sys_content_t stefanb stefanb . drwx--x--x user_u:object_r:user_home_dir_t stefanb stefanb .. -rw-rw-r-- user_u:object_r:httpd_sys_content_t stefanb stefanb index.html I reran restorecon: $ /sbin/restorecon -v $HOME $ /sbin/restorecon -v $HOME/public_html $ /sbin/restorecon -v $HOME/public_html/* $ As you can see there were no changes. The same setup worked OK in FC6. Maybe httpd is not allowed to access the mounted partition? How can I grant access? restorecon -v /home Yep, that seems to have corrected it: # restorecon -v /home restorecon reset /home context system_u:object_r:default_t:s0->system_u:object_r:home_root_t:s0 /home is also a mounted LVM partition which I of course did not format during F7test4 installation. Does this mean the security context of /home changed from FC6 to F7? Maybe the installer should always run restorecon on unchanged, but mounted partitions? No they are the same. Did you rm -rf /home after the install and then mkdir /home and mount on top of it? That is the only way I can think of /home getting the wrong context on it, unless there is a bug in the installer. Nope, just set the mount point for the partition in the installer to /home and disabled formating option. Well maybe it'll always be a mystery :-) Ok in that case this looks like a potential Anaconda problem. The problem is that genhomedircon grew a dep on libselinux-python and anaconda doesn't include that in its minimal image. Added in CVS. |
Description of problem: Just updated to F7test4 and httpd no longer can read user home directories. The boolean for that option is on by default in system-config-selinux. Version-Release number of selected component (if applicable): selinux-policy-2.6.1-1.fc7 selinux-policy-targeted-2.6.1-1.fc7 httpd-2.2.4-3 How reproducible: alwayws Additional info: /var/log/message when accessing /~user: Apr 28 20:48:54 baraddur kernel: audit(1177782534.506:69): avc: denied { search } for pid=5365 comm="httpd" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir Apr 28 20:48:54 baraddur kernel: audit(1177782534.506:70): avc: denied { search } for pid=5365 comm="httpd" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir Apr 28 20:49:29 baraddur kernel: audit(1177782569.005:71): avc: denied { search } for pid=5560 comm="httpd" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir Apr 28 20:49:29 baraddur kernel: audit(1177782569.005:72): avc: denied { search } for pid=5560 comm="httpd" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir local.te generated with audit2allow: module local 1.0; require { type httpd_t; type default_t; class dir search; } #============= httpd_t ============== allow httpd_t default_t:dir search; When I load local.pp everything works fine again...