Bug 353781

Summary: SELinux prevented httpd reading and writing access to http files when twiki pages are browsed.
Product: Red Hat Enterprise Linux 5 Reporter: manoj <manmah4u>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: low    
Version: 5.0CC: ebenes, gowrishankar.rajaiyan
Target Milestone: ---Keywords: OtherQA, Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHBA-2008-0465 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-21 16:05:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
attaching screenshot of twiki page. none

Description manoj 2007-10-26 09:10:21 UTC 
Description of problem:

I have configured twiki application(used on apache) on my RHEL5 box. I have
selinux policy enabled in enforcing mode(selinux-policy-2.4.6-30.el5).

when I click on Registration link of the twiki page I get below setroubleshoot
alert. I tried  "setsebool -P httpd_unified=1" as indicated in the alert to stop
this alert but I couldn't prevent this.However please note that I'm able to
browse the twiki pages though(there is no issue in the functionality).

Summary
    SELinux prevented httpd reading and writing access to http files.

Detailed Description
    SELinux prevented httpd reading and writing access to http files. Ordinarily
    httpd is allowed full access to all files labeled with http file context.
    This machine has a tightened security policy with the httpd_unified turned
    off,  This requires explicit labeling of all files.  If a file is a cgi
    script it needs to be labeled with httpd_TYPE_script_exec_t in order to be
    executed.  If it is read only content, it needs to be labeled
    httpd_TYPE_content_t, it is writable content. it needs to be labeled
    httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon
    command to change these context.  Please refer to the man page "man
    httpd_selinux" or http://fedora.redhat.com/docs/selinux-apache-fc3 "TYPE"
    refers toi one of "sys", "user" or "staff" or potentially other script
    types.

Allowing Access
    Changing the "httpd_unified" boolean to true will allow this access:
    "setsebool -P httpd_unified=1"

    The following command will allow this access:
    setsebool -P httpd_unified=1

Additional Information        

Source Context                root:system_r:httpd_sys_script_t
Target Context                root:object_r:httpd_tmp_t
Target Objects                /dev/null [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.httpd_unified
Host Name                     rhel5.shankar.com
Platform                      Linux rhel5.shankar.com 2.6.18-8.el5 #1 SMP Fri
                              Jan 26 14:15:21 EST 2007 i686 i686
Alert Count                   1
Line Numbers                  

Raw Audit Messages            

avc: denied { read, write } for comm="view" dev=hda1 egid=48 euid=48
exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0 name=".NSPR-
AFM-8391-8a9a9b8.0" path="/dev/null" pid=8503
scontext=root:system_r:httpd_sys_script_t:s0 sgid=48
subj=root:system_r:httpd_sys_script_t:s0 suid=48 tclass=file
tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48
Comment 1 manoj 2007-10-26 09:16:04 UTC 
Created attachment 238681 [details]
attaching screenshot of twiki page.

Note the Registration word on this screenshot. Once I Click on that I get the
alerts.
Comment 2 manoj 2007-10-31 03:13:32 UTC 
Any updates??
Comment 3 Daniel Walsh 2007-10-31 11:53:20 UTC 
You can add this rule for now executing

grep httpd_sys /var/log/audit/audit.log | audit2allow -M myapache
semodule -i myapache.pp

I will allow this priv in Update2.

selinux-policy-2.4.6-107.el5.src.rpm
Comment 4 manoj 2007-11-30 03:45:54 UTC 
I don't see this alert when I test it on RHEL5.1(selinux-policy-2.4.6-104)
Comment 5 Jay Turner 2007-11-30 07:34:56 UTC 
QE ack for RHEL5.2.  Reproducer in comment 0.
Comment 8 Eduard Benes 2008-04-02 08:19:53 UTC 
Manoj, could you please try the latest policy and reply whether it solves your 
problem? 
Thank you.

Latest packages are available here:
  http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Comment 9 manoj 2008-04-02 08:51:02 UTC 
AS I stated in comment5 earlier i couldn't reproduce this bug on RHEL5.1 with
default SELinux policy-2.4.6-104.This can be closed :)
Comment 12 errata-xmlrpc 2008-05-21 16:05:57 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html