Bug 127900 - selinux-policy-targeted breaks file access for httpd
selinux-policy-targeted breaks file access for httpd
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Russell Coker
Ben Levenson
:
Depends On:
Blocks: FC3Target FC3BugWeekQA
  Show dependency treegraph
 
Reported: 2004-07-14 23:31 EDT by Nathan G. Grennan
Modified: 2007-11-30 17:10 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-10-05 19:22:44 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Nathan G. Grennan 2004-07-14 23:31:27 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7)
Gecko/20040617 Galeon/1.3.16

Description of problem:
SELinux policy breaks file access for httpd. I can't retrieve
/var/www/html/vm/vm.exe aka http://hostname/vm/vm.exe. I also can't
see the file in the index listing for http://hostname/vm/

/etc/sysconfig/selinux:
SELINUX=enforcing
SELINUXTYPE=targeted

dmesg output:
audit(1089861367.288:0): avc:  denied  { getattr } for  pid=1847
exe=/usr/sbin/httpd path=/var/www/html/vm/vm.exe dev=md1 ino=611056
scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t
tclass=file

Version-Release number of selected component (if applicable):
policy-1.11.3-3.1

How reproducible:
Always

Steps to Reproduce:
1. mv file /var/www/html
2. Start httpd
3. Open a browser on another computer and try to retrieve the file

    

Actual Results:  Forbidden

Expected Results:  Download dialog

Additional info:
Comment 1 Nathan G. Grennan 2004-07-14 23:37:59 EDT
selinux-policy-targeted-1.15.3-1

The previous version had the same problem, and a tested workaround was
to disable selinux.
Comment 2 Daniel Walsh 2004-08-11 16:46:09 EDT
In order to get homedirectory access working with Targeted policy you
need to mark the files with httpd_user_content_t

chcon -t httpd_user_content_t /home/user/XYZ
Comment 3 Ben Levenson 2004-10-05 19:22:44 EDT
You need to change the context of the file after you relocate it
from your home directory to /var/www/html.
"restorecon /var/www/html/vm/vm.exe" should do the trick.

Closing as NOTABUG.

Note You need to log in before you can comment on or make changes to this bug.