Bug 613471

Summary: SELinux is preventing the http daemon from reading users' home directories.
Product: [Fedora] Fedora Reporter: Andrew <nuglobe>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 13CC: abhilash6399, dwalsh, jp.grossglauser, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:eb600e2f124979266d03181333e74355d24a10daa48c4e3a5edfc42493288989
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-07-12 07:53:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Andrew 2010-07-11 22:09:15 UTC
Summary:

SELinux is preventing the http daemon from reading users' home directories.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied the http daemon access to users' home directories. Someone is
attempting to access your home directories via your http daemon. If you have not
setup httpd to share home directories, this probably signals an intrusion
attempt.

Allowing Access:

If you want the http daemon to share home directories you need to turn on the
httpd_enable_homedirs boolean: "setsebool -P httpd_enable_homedirs=1" You may
need to also label the content that you wish to share. The man page
httpd_selinux will have further information. 'man httpd_selinux'.

Fix Command:

setsebool -P httpd_enable_homedirs=1

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                /home/andrew [ dir ]
Source                        sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.1.7-1.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-33.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   httpd_enable_homedirs
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.6-147.fc13.x86_64 #1 SMP
                              Tue Jul 6 22:32:17 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 11 Jul 2010 06:08:44 PM EDT
Last Seen                     Sun 11 Jul 2010 06:08:44 PM EDT
Local ID                      0a43bcf4-2041-443b-8d2f-62d0b1fe84b9
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1278886124.174:29621): avc:  denied  { getattr } for  pid=3582 comm="sh" path="/home/andrew" dev=dm-2 ino=2621441 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1278886124.174:29621): arch=c000003e syscall=4 success=yes exit=0 a0=1360af0 a1=7fffd4376fd0 a2=7fffd4376fd0 a3=3bb7928ad0 items=0 ppid=3132 pid=3582 auid=500 uid=48 gid=484 euid=48 suid=48 fsuid=48 egid=484 sgid=484 fsgid=484 tty=(none) ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:httpd_t:s0 key=(null)



Hash String generated from  httpd_enable_homedirs,sh,httpd_t,user_home_dir_t,dir,getattr
audit2allow suggests:

#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     httpd_read_user_content, httpd_enable_homedirs

allow httpd_t user_home_dir_t:dir getattr;

Comment 1 Miroslav Grepl 2010-07-12 07:53:13 UTC
sealert above tells you what to do

Fix Command:

setsebool -P httpd_enable_homedirs=1

Comment 2 Andrew 2010-07-13 00:00:14 UTC
Eh, sorry about that. I've had like 10 alarms go off every time I login related to the tmp folder leak issue. I didn't catch that this one was different.