Bug 141963 - SSI includes not working with targeted policy enabled

Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 3
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2004-12-06 09:32 EST by Mace Moneta
Modified: 2007-11-30 17:10 EST
Last Closed: 2004-12-06 13:46:08 EST
Doc Type: Bug Fix
Attachments: None
Description Mace Moneta 2004-12-06 09:32:57 EST

Description of problem:
With the selinux targeted policy enabled, SSI includes on the web
server of the following form are not working:

<!--#include virtual="/weblog/Header1.html" -->

(where weblog is a symlink to a directory in /home).

The error recorded in /var/log/httpd/error_log is:

[Mon Dec 06 09:20:53 2004] [error] [client 135.82.8.134] (13)Permission denied: access to /weblog/Header1.html denied

[Mon Dec 06 09:20:53 2004] [error] [client 135.82.8.134] unable to include "/weblog/Header1.html" in parsed file /var/www/html/index.html

Disabling the targeted policy permits the web server to operate normally.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.39

How reproducible:
Always

Steps to Reproduce:
1.Use SSI include as documented above
2.Enable targeted policy
3.Observe failure

Actual Results:
[Mon Dec 06 09:20:53 2004] [error] [client 135.82.8.134] (13)Permission denied: access to /weblog/Header1.html denied

[Mon Dec 06 09:20:53 2004] [error] [client 135.82.8.134] unable to include "/weblog/Header1.html" in parsed file /var/www/html/index.html


Expected Results:  SSI included files served.

Additional info: Policy enabled/disabled using system-config-securitylevel
Comment 1 Mace Moneta 2004-12-06 09:55:13 EST
Clarification: While the system-config-securitylevel application
identifies the change as "Enable" for the policy, it is switching
between enforcing and permissive.  

Also, in permissive mode, the following messages are shown in
/var/log/messages:

Dec  6 09:48:18 buggsb kernel: audit(1102344498.928:0): avc:  denied  { getattr } for  pid=14298 exe=/usr/sbin/httpd path=/home/weblog/Header1.html dev=dm-0 ino=6225995 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file

Dec  6 09:48:18 buggsb kernel: audit(1102344498.928:0): avc:  denied  { getattr } for  pid=14298 exe=/usr/sbin/httpd path=/home/weblog/Header1.html dev=dm-0 ino=6225995 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Comment 2 Colin Walters 2004-12-06 12:49:13 EST
The problem you're running into is that you're trying to store web
content in a home directory.  Notice the type of the file is
user_home_t, which httpd_t is not allowed to read.  For more
information, see:

http://fedora.redhat.com/docs/selinux-apache-fc3/

Your options are:
1) Label the files as httpd_sys_content_t, which should work
2) Disable SELinux enforcement for Apache if you can't get it to work
(see the guide for how to do that)
Comment 3 Mace Moneta 2004-12-06 13:46:08 EST
Ah, that's what I was missing.  Setting "Allow HTTPD to read home
directories" in system-config-securitylevel didn't change the
file/directory contexts.  I had assumed it would.  Closing.
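The relabel that comment 2 recommends, together with the caveat comment 3 ran into, as an added example that is not part of this bug report or of Fedora's tooling: a small POSIX shell helper that parses an AVC denial line of the shape posted in comment 1, confirms the source domain is httpd_t and the target type is a home-directory type, and prints the commands that would move the files to httpd_sys_content_t. It assumes the type names seen in this report (httpd_t, user_home_t, httpd_sys_content_t; user_home_dir_t is added as a sibling home-directory type), it only prints chcon/semanage/restorecon rather than running them, and its sample input is the first denial from comment 1 joined onto one line.

```shell
#!/bin/sh
# Added example for this bug, not code from the report or from Fedora.
# Parses an SELinux AVC denial (format as posted in comment 1), checks that it
# is httpd_t being refused a home-directory type, and prints the relabel
# commands comment 2 recommends. Commands are printed, never executed.
# Assumed type names: httpd_t, user_home_t/user_home_dir_t, httpd_sys_content_t.

# Constructed sample: the first denial from comment 1, joined onto one line.
AVC_SAMPLE='Dec  6 09:48:18 buggsb kernel: audit(1102344498.928:0): avc:  denied  { getattr } for  pid=14298 exe=/usr/sbin/httpd path=/home/weblog/Header1.html dev=dm-0 ino=6225995 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file'

# avc_field LINE KEY: print the value of the first KEY=value token, or nothing.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# avc_type CONTEXT: the type field of a user:role:type[:level] context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# httpd_homedir_denial LINE: return 0 and print the fix when LINE is an httpd_t
# denial on a file carrying a home-directory type; return 1 otherwise.
httpd_homedir_denial() {
    hd_line=$1
    hd_src=$(avc_type "$(avc_field "$hd_line" scontext)")
    hd_tgt=$(avc_type "$(avc_field "$hd_line" tcontext)")
    hd_path=$(avc_field "$hd_line" path)
    [ "$hd_src" = httpd_t ] || return 1
    case "$hd_tgt" in
        user_home_t|user_home_dir_t) ;;
        *) return 1 ;;
    esac
    [ -n "$hd_path" ] || return 1
    # The path in the denial is the resolved target (/home/weblog/...), not the
    # /weblog symlink under the document root, so that is what gets relabelled.
    hd_dir=$(dirname "$hd_path")
    echo "# $hd_src denied $(avc_field "$hd_line" tclass) $hd_path (type $hd_tgt)"
    echo "# one-off relabel (what the FC3-era guide used; lost on a full relabel):"
    echo "chcon -R -t httpd_sys_content_t $hd_dir"
    echo "# persistent rule on releases that ship semanage, then apply it:"
    echo "semanage fcontext -a -t httpd_sys_content_t \"$hd_dir(/.*)?\""
    echo "restorecon -Rv $hd_dir"
    return 0
}

# Stand-alone run: show the fix for the sample denial.
httpd_homedir_denial "$AVC_SAMPLE"
```

Two points the thread leaves implicit. First, the denial names the resolved path /home/weblog/Header1.html, not the /weblog symlink under the document root, because SELinux labels the target file; relabelling the link alone changes nothing. Second, the "Allow HTTPD to read home directories" checkbox toggles a policy boolean (httpd_enable_homedirs in the targeted policy) that permits httpd_t to serve home-directory content already carrying an httpd-readable type; it never rewrites a file's context, which is why comment 3 saw no effect until the files themselves were relabelled. chcon is what the FC3-era guide used and is undone by a full filesystem relabel; on releases that ship semanage, the printed fcontext rule plus restorecon makes the label survive one.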
