Bug 858946
| Summary: | selinux blocks write access on /etc/owncloud | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Gregor Tätzner <gregor> | ||||||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||||||
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||
| Severity: | high | Docs Contact: | |||||||||
| Priority: | unspecified | ||||||||||
| Version: | 17 | CC: | dominick.grift, dwalsh, kevin, mgrepl, redhat-bugzilla | ||||||||
| Target Milestone: | --- | Keywords: | Reopened | ||||||||
| Target Release: | --- | ||||||||||
| Hardware: | Unspecified | ||||||||||
| OS: | Unspecified | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2013-08-01 20:07:50 UTC | Type: | Bug | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Bug Depends On: | |||||||||||
| Bug Blocks: | 858841 | ||||||||||
| Attachments: |
|
||||||||||
What does # rpm -qf /etc/owncloud for you? that would be: owncloud-4.0.7-1.fc17.noarch actually /etc/owncloud is target of a symlink in datadir: /usr/share/owncloud/config -> /etc/owncloud Or do you prefer if I handle the file relabelling in the owncloud package myself? I want to ship also for epel6 and unless you can update the policy there too, I will need to do this anyway. If you execute # chcon -Rt httpd_sys_rw_content_t /etc/owncloud does it work then? Also what does owncloud write to this directory? yep, httpd_sys_rw_content_t on that dir does the trick. For the moment that directory just contains config.php. This is the main configuration file of owncloud and of course it needs write access to set the password salt, config values, etc.... Can you move this directory to a more appropriate place like /var/lib/owncloud? no, that doesn't help at all. httpd can't write on /var/lib/owncloud/config/config.php until I relabel it from var_lib_t to httpd_sys_rw_content_t Created attachment 617754 [details]
conf in /var/lib
Yes I understand that you will have to label it differently. I just want variable data in /var/lib not in /etc. You could label it httpd_var_lib_t, also. Is this something that is being packaged in Fedora? sure, see https://bugzilla.redhat.com/show_bug.cgi?id=858841 So I'm supposed to put the conf into /var/lib and symlink it back to /etc/ and /usr/share? If you want the conf file updated by apache. I guess we should step back and ask what "owncloud" is? Why does apache need to write the config? (In reply to comment #11) > I guess we should step back > and ask what "owncloud" is? Why does apache need to write the config? I don't want to repeat myself, for a hint see comment 5. You can change those settings also from the web configuration interface. And since owncloud is a php webapp it needs a webserver for that, in this case httpd but could be also nginx. Either we will label /etc/owncloud/config/config.php as httpd_sys_rw_content_t or we will have /var/lib/owncloud/config/config.php as httpd_var_lib_t But I guess the httpd needs to write only config.php in the owncloud/config directory. (In reply to comment #13) > Either we will label > > /etc/owncloud/config/config.php as httpd_sys_rw_content_t I prefer this way. And actually the correct path is just /etc/owncloud :) > But I guess the httpd needs to write only config.php in the owncloud/config > directory. I think it does, though owncloud requires write access on the entire config dir. Probably I could disable that check with a patch but I'm sure this would cause troubles sooner or later. Ok, that is fine with me. It would have been better to have this run with a different CGI, but it is probably php. selinux-policy-3.10.0-153.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-153.fc17 Package selinux-policy-3.10.0-153.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-153.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-15652/selinux-policy-3.10.0-153.fc17 then log in and leave karma (feedback). fixed by selinux-policy-3.10.0-153.fc17 I'm reopening this bug due to another selinux avc on /etc/owncloud. This time the service tries to write/create the file '/etc/owncloud/mount.php'. It's an dynamic config file and created on demand, when the user/admin sets an external storage mountpoint in the web ui. Imho write access on the entire config directory '/etc/owncloud' should just be allowed. Created attachment 706420 [details]
2. avc /etc/owncloud/mount.php
commit 90ea03d44ec78f64e3cb2b33ed9f4f4d1fbb7aaf fixes this in Rawhide. Whole directory is writable by apache. This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior to Fedora 17's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. selinux-policy-3.10.0-171.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-171.fc17 Package selinux-policy-3.10.0-171.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-171.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-13082/selinux-policy-3.10.0-171.fc17 then log in and leave karma (feedback). Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed. |
Created attachment 614745 [details] selinux log Description of problem: httpd needs write access on /etc/owncloud when running owncloud server. This issue blocks the F18 owncloud feature How reproducible: install and run owncloud package Actual results: see log Expected results: no selinux avc