Bug 723258
| Field | Value |
|---|---|
| Summary | SELinux "targeted" policy blocks web access to files in directories named "logs" |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Robert Vogelgesang <vogel> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | medium |
| Priority | medium |
| Version | 6.1 |
| CC | dwalsh, mmalik |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.7.19-104.el6 |
| Doc Type | Bug Fix |
| Story Points | --- |
|  | 760537 |
| Last Closed | 2011-12-06 10:09:33 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
Robert Vogelgesang
2011-07-19 14:39:28 UTC
Sounds fine with me.

Sorry, what's fine? Do you mean that it is fine to block access to any directory in the standard web space named "logs", even if we ("we" as in "system developers") do not know what data our users put into these directories _they_ manage? Or is my workaround fine?

Your workaround is fine, I just added it to Fedora 16. I am indicating to Miroslav that I think he should add it to RHEL6.2 policy.

Ahh, OK, thanks. But please consider not only /var/www/html/, but /var/www/ as a whole. We frequently mount additional disk space on various directories below /var/www/, so I'd rather have the rule that causes this problem be removed from the policy. A different solution would be to add a SELinux boolean that would switch this rule on or off.

Well, this is actually not a boolean but a matter of labeling. If you label the logs directory as httpd_log_t then cgi scripts will not be allowed to read them; if they are labelled httpd_sys_content_t then they will be allowed.

```
sesearch -A -s httpd_t -t httpd_log_t -C
Found 5 semantic av rules:
allow httpd_t file_type : filesystem getattr ;
allow daemon logfile : file { ioctl getattr lock append } ;
allow httpd_t httpd_log_t : file { ioctl read create getattr lock append open } ;
allow httpd_t httpd_log_t : dir { ioctl write getattr setattr lock add_name search open } ;
allow httpd_t httpd_log_t : lnk_file { read getattr } ;

sesearch -A -s httpd_sys_script_t -t httpd_log_t -C
Found 3 semantic av rules:
allow httpd_sys_script_t logfile : file { ioctl getattr lock append } ;
allow httpd_sys_script_t httpd_log_t : file { ioctl getattr lock append open } ;
allow httpd_sys_script_t httpd_log_t : dir { getattr search open } ;
```

Whereas if the content is httpd_sys_content_t there is a lot of different access.

Fixed in selinux-policy-3.7.19-104.el6

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1511.html
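The comment above makes the point that access here is decided by the file label, not by a boolean: the two sesearch listings show that httpd_t may open and read files labelled httpd_log_t while httpd_sys_script_t may only append to them. The following Python script is an added example, not code from the bug thread or from the selinux-policy package: it parses `sesearch -A -C` output (the listings above, embedded as a constructed sample) into a permission table so an administrator can check what a domain may do with a type before and after relabelling a `logs` directory.

```python
import re
from collections import defaultdict

# Constructed sample: the two sesearch listings from the bug comment, joined
# into one capture so the parser has to skip the "Found N ..." header lines.
SESEARCH_OUTPUT = """\
Found 5 semantic av rules:
allow httpd_t file_type : filesystem getattr ;
allow daemon logfile : file { ioctl getattr lock append } ;
allow httpd_t httpd_log_t : file { ioctl read create getattr lock append open } ;
allow httpd_t httpd_log_t : dir { ioctl write getattr setattr lock add_name search open } ;
allow httpd_t httpd_log_t : lnk_file { read getattr } ;
Found 3 semantic av rules:
allow httpd_sys_script_t logfile : file { ioctl getattr lock append } ;
allow httpd_sys_script_t httpd_log_t : file { ioctl getattr lock append open } ;
allow httpd_sys_script_t httpd_log_t : dir { getattr search open } ;
"""

# One allow rule: source, target, object class, then either a single
# permission or a brace-delimited list; the trailing ';' is optional.
RULE_RE = re.compile(
    r"^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{\s*([^}]*)\}|(\S+))\s*;?\s*$"
)


def parse_allow_rules(text):
    """Return {(source, target, class): set(perms)} for every allow line.

    Rules whose source or target is an attribute (daemon, logfile, file_type)
    are kept under the attribute name; sesearch -C lists them because the
    queried type is a member, so fold them in with effective_permissions().
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # header lines such as "Found 5 semantic av rules:"
        src, tgt, cls, perm_list, single = m.groups()
        perms = perm_list.split() if perm_list is not None else [single]
        rules[(src, tgt, cls)].update(perms)
    return dict(rules)


def permissions(rules, source, target, cls):
    """Permissions granted by the direct rule source -> target:cls."""
    return set(rules.get((source, target, cls), set()))


def effective_permissions(rules, sources, targets, cls):
    """Union over every name a domain/type carries (type plus its attributes)."""
    return set().union(*(permissions(rules, s, t, cls) for s in sources for t in targets))


def can_read_files(rules, source, target):
    """True when 'source' may both open and read files labelled 'target'."""
    return {"open", "read"} <= permissions(rules, source, target, "file")
```

Run against a live capture with `sesearch -A -s httpd_sys_script_t -t httpd_log_t -C` piped into the script; a relabel to httpd_sys_content_t (for example via `semanage fcontext` plus `restorecon`, which this example does not perform) should then show `read` appearing for the CGI domain.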