Bug 691301

Summary: No SELinux context for /var/www/html/docs/index.html file in publican generated web RPMs?
Product: [Community] Publican
Reporter: Stephen Gordon <sgordon>
Component: publican
Assignee: Jeff Fearn <jfearn>
Status: CLOSED WORKSFORME
QA Contact: Ruediger Landmann <rlandman>
Severity: unspecified
Priority: unspecified
Version: 2.5
CC: mmcallis, publican-list
Doc Type: Bug Fix
Last Closed: 2011-11-22 12:10:40 EST

Description Stephen Gordon 2011-03-28 02:20:30 EDT
Description of problem:

When installing publican-generated web packages, I found that the resultant /var/www/html/docs/index.html file does not have a security context that allows it to be served by a default httpd install.

When providing a deeper path (say to hostname/docs/en-US/index.html), no security context violation is detected.

Version-Release number of selected component (if applicable):

Publican 2.5.0 to generate package.
Installing Red_Hat_Enterprise_Virtualization_for_Servers-Administration_Guide-2.2-web-en-US-2-2.el5 package on RHEL 5 host.

How reproducible:


Steps to Reproduce:
1. Install Red_Hat_Enterprise_Virtualization_for_Servers-Administration_Guide-2.2-web-en-US-2-2.el5 on clean RHEL5 host.
2. Install httpd
3. Allow port 80 past firewall.
4. service httpd start
5. Browse to http://hostname/docs/index.html from remote client.

Actual results:

Access denied. Apache error log contains:

[Mon Mar 28 15:54:10 2011] [error] [client 192.168.122.1] (13)Permission denied: access to /docs/index.html denied

SELinux violation detected (see additional info).

Expected results:

Access to index.html.

Additional info:

Summary:

SELinux is preventing the httpd from using potentially mislabeled files
/var/www/html/docs/index.html (var_t).

Detailed Description:

SELinux has denied the httpd access to potentially mislabeled files
/var/www/html/docs/index.html. This means that SELinux will not allow httpd to
use these files. Many third party apps install html files in directories that
SELinux policy cannot predict. These directories have to be labeled with a file
context which httpd can access.

Allowing Access:

If you want to change the file context of /var/www/html/docs/index.html so that
the httpd daemon can access it, you need to execute it using chcon -t
httpd_sys_content_t '/var/www/html/docs/index.html'. You can look at the
httpd_selinux man page for additional information.

Additional Information:

Source Context                root:system_r:httpd_t
Target Context                root:object_r:var_t
Target Objects                /var/www/html/docs/index.html [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           httpd-2.2.3-45.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-300.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   httpd_bad_labels
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-238.5.1.el5 #1
                              SMP Mon Feb 21 05:52:39 EST 2011 x86_64 x86_64
Alert Count                   10
First Seen                    Mon 28 Mar 2011 03:54:10 PM EST
Last Seen                     Mon 28 Mar 2011 04:18:29 PM EST
Local ID                      6ee29ef5-2ed3-47d3-915b-34e5fff91b7f
Line Numbers                  

Raw Audit Messages            

host=localhost.localdomain type=AVC msg=audit(1301293109.781:50): avc:  denied  { getattr } for  pid=15160 comm="httpd" path="/var/www/html/docs/index.html" dev=dm-0 ino=590744 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1301293109.781:50): arch=c000003e syscall=6 success=no exit=-13 a0=2ac1cab678c0 a1=7fff042deb70 a2=7fff042deb70 a3=0 items=0 ppid=15144 pid=15160 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
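An added example (not part of the bug report or of Publican) that parses the AVC record quoted above and separates a docroot labeling problem like this one from other httpd denials. The function names, the `/var/www/html` docroot default, the one-entry `SERVABLE_TYPES` set and the second audit record are assumptions made for the example; the suggested `chcon` command is the one the setroubleshoot text gives.

```python
import re
import shlex

# AVC record copied from the report's "Raw Audit Messages".
AVC_FROM_REPORT = (
    'host=localhost.localdomain type=AVC msg=audit(1301293109.781:50): '
    'avc:  denied  { getattr } for  pid=15160 comm="httpd" '
    'path="/var/www/html/docs/index.html" dev=dm-0 ino=590744 '
    'scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 '
    'tclass=file')
# Constructed record (not from the report): httpd denied outside the docroot.
AVC_CONSTRUCTED = (
    'type=AVC msg=audit(1301293200.000:51): avc:  denied  { read } for  '
    'pid=15161 comm="httpd" path="/home/user/notes.txt" dev=dm-0 ino=1234 '
    'scontext=root:system_r:httpd_t:s0 '
    'tcontext=root:object_r:user_home_t:s0 tclass=file')
# Assumption for this example: the only type treated as servable content.
SERVABLE_TYPES = {"httpd_sys_content_t"}

_AVC = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial; return None for any other audit record."""
    m = _AVC.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(m.group("rest"))}
    return {
        "perms": m.group("perms").split(),
        "path": fields.get("path"),
        "source_type": se_type(fields.get("scontext", "")),
        "target_type": se_type(fields.get("tcontext", "")),
    }

def triage(line, docroot="/var/www/html"):
    """Return ("mislabeled", fix) for a docroot label problem, else review/None."""
    rec = parse_avc(line)
    if rec is None or rec["source_type"] != "httpd_t" or not rec["path"]:
        return None  # not an httpd denial this check can reason about
    in_docroot = rec["path"].startswith(docroot.rstrip("/") + "/")
    if in_docroot and rec["target_type"] not in SERVABLE_TYPES:
        return ("mislabeled", "chcon -t httpd_sys_content_t " + shlex.quote(rec["path"]))
    return ("review", None)  # a relabel is not the obvious answer here
```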

Comment 1 Jeff Fearn 2011-10-11 18:35:19 EDT
This may have been fixed by the change in the way the sites are created. I don't get an unlabelled file when I install a site.

$ ls -Z /var/www/html/docs/index.html 
ls: cannot access /var/www/html/docs/index.html: No such file or directory

$ sudo publican update_site

$ ls -Z /var/www/html/docs/index.html 
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/docs/index.html

Rudi, can you confirm this?

Comment 2 Stephen Gordon 2011-10-11 18:52:00 EDT
Potentially, I haven't looked at it in a while as we did not end up deploying a 'full' publican site for our context sensitive help effort. I will have a go with a newer package and see if it wfm.