Bug 146471 - httpd UserDir doesn't work
httpd UserDir doesn't work
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
3
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-01-28 12:21 EST by Chris Lee
Modified: 2007-11-30 17:10 EST (History)
0 users

See Also:
Fixed In Version: RHBA-2005-251
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-01-31 09:21:42 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Chris Lee 2005-01-28 12:21:06 EST
Description of problem: I enable UserDir in my httpd.conf. I make sure the file
permissions are properly set on my ~/public_html, which is on an NFS directory
automounted via autofs. httpd cannot serve files from this folder because
SELinux prevents it from seeing them. I get 403 Forbidden errors from Apache
when trying to visit any folder in /~clee/.

Version-Release number of selected component (if applicable): 
selinux-policy-targeted-1.17.30-2.52.1-noarch

How reproducible: Always

Steps to Reproduce:
1. setenforce Enforcing
2. Mount home directory from NFS with automount
3. Enable UserDir in /etc/httpd/conf/httpd.conf
  
Actual results: httpd fails to serve my ~/public_html folder

Expected results: httpd should serve my ~/public_html folder
Comment 1 Chris Lee 2005-01-28 12:23:19 EST
Using the audit2allow tool to scan /var/log/messages (got that tip from Jeff
Needle), this line was suggested:

allow httpd_t autofs_t:dir { getattr search };

Not sure where to put that, though.
Comment 2 Daniel Walsh 2005-01-28 14:24:19 EST
Fixed in selinux-policy-targeted-1.17.30-2.75
Comment 3 Jon Orris 2005-04-22 15:53:44 EDT
I've verified this works for NFS dirs, which Chris was trying, but it still
fails for an ordinary user home directory.

Apr 22 15:58:31 localhost kernel: audit(1114199911.371:0): avc:  denied  {
getattr } for  pid=3766 exe=/usr/sbin/httpd path=/home/foo/public_html dev=dm-0
ino=1880509 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t
tclass=dir

[root@localhost ~]# ls -lRZ /home/foo
/home/foo:
drwxr-xr-x  foo      foo      user_u:object_r:user_home_t      public_html
/home/foo/public_html:
-rw-rw-r--  foo      foo      user_u:object_r:user_home_t      index.html
Comment 4 Daniel Walsh 2005-04-22 15:59:21 EDT
try a restorecon on it
restorecon -R /home/foo/public_html

Or if that does not work.

chcon -R user_u:object_r:httpd_user_content_t /home/foo/public_html
Comment 5 Jon Orris 2005-04-22 16:02:18 EDT
Ok, restorecon did the trick.
Comment 6 Tim Powers 2005-06-09 09:06:16 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-251.html

Note You need to log in before you can comment on or make changes to this bug.