Bug 1491513 - SELinux denies Apache access to directory labelled httpd_user_content_t with httpd_read_user_content boolean set to 1
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 26
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-09-14 04:08 UTC by Adam Williamson
Modified: 2017-11-15 20:12 UTC (History)

Fixed In Version: selinux-policy-3.13.1-260.14.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-15 20:12:48 UTC
Type: Bug
Embargoed:



Description Adam Williamson 2017-09-14 04:08:13 UTC
My web server is configured to serve a directory out of a user's public_html directory. The directories are all correctly labelled:

[root@www adamw]# ls -dlZ public_html/
drwxr-xr-x. 15 adamw adamw unconfined_u:object_r:httpd_user_content_t:s0 4096 Apr  6 11:53 public_html/
[root@www adamw]# ls -dlZ public_html
drwxr-xr-x. 15 adamw adamw unconfined_u:object_r:httpd_user_content_t:s0 4096 Apr  6 11:53 public_html
[root@www adamw]# ls -dlZ public_html/fedfind
drwxrwxr-x. 3 adamw adamw unconfined_u:object_r:httpd_user_content_t:s0 4096 Oct 14  2016 public_html/fedfind
[root@www adamw]# ls -dlZ public_html/fedfind/releases
drwxrwxr-x. 2 adamw adamw unconfined_u:object_r:httpd_user_content_t:s0 4096 Feb 10  2017 public_html/fedfind/releases

and the httpd_read_user_content boolean is on:

[root@www adamw]# getsebool httpd_read_user_content
httpd_read_user_content --> on

but SELinux denies Apache access to the directory when I try to browse to it:

Sep 13 21:06:08 www.happyassassin.net setroubleshoot[4841]: SELinux is preventing httpd from read access on the directory releases. For complete SELinux messages run: sealert -l e1abd9de-0186-49ba-98fa-a1f36fac4af5
Sep 13 21:06:08 www.happyassassin.net python3[4841]: SELinux is preventing httpd from read access on the directory releases.
                                                     
                                                     *****  Plugin catchall_boolean (47.5 confidence) suggests   ******************
                                                     
                                                     If you want to unify HTTPD handling of all content files.
                                                     Then you must tell SELinux about this by enabling the 'httpd_unified' boolean.
                                                     
                                                     Do
                                                     setsebool -P httpd_unified 1
                                                     
                                                     *****  Plugin public_content (47.5 confidence) suggests   ********************
                                                     
                                                     If you want to treat releases as public content
                                                     Then you need to change the label on releases to public_content_t or public_content_rw_t.
                                                     Do
                                                     # semanage fcontext -a -t public_content_t 'releases'
                                                     # restorecon -v 'releases'
                                                     
                                                     *****  Plugin catchall (6.38 confidence) suggests   **************************
                                                     
                                                     If you believe that httpd should be allowed read access on the releases directory by default.
                                                     Then you should report this as a bug.
                                                     You can generate a local policy module to allow this access.
                                                     Do
                                                     allow this access for now by executing:
                                                     # ausearch -c 'httpd' --raw | audit2allow -M my-httpd
                                                     # semodule -X 300 -i my-httpd.pp

So I'm stuck with SELinux in permissive mode or else my web server won't serve these files.
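
The report checks the label on three directories by hand. A denial of this kind can also be caused by an ancestor directory that httpd_t cannot search, so a useful triage step is to walk every component of the served path and compare each SELinux type against what you expect; only when every label is right and the boolean is on does the policy itself become the suspect, which is what the selinux-policy fix in this bug confirms. The helper below is an added example, not code from the bug report or from the selinux-policy package. It parses `ls -dlZ`-style lines (the third colon-separated field of the label is the type), reports any path whose type is outside an expected list, and includes a `walk_path` wrapper for use on a live SELinux host. The sample lines are constructed to mirror the report's output; the `user_home_t` entry is invented to show a mismatch and is not the cause of this bug.

```shell
#!/bin/sh
# Added triage helper (assumption: paths contain no whitespace, as in the report).

# SELinux type is the third colon-separated field of a label such as
# unconfined_u:object_r:httpd_user_content_t:s0
label_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# From one `ls -dlZ` line print "<type> <path>". Field 5 is the label; the
# path is the final field, so the variable-width size/date fields are skipped.
ls_z_line() {
    set -- $1
    _label=$5
    while [ $# -gt 1 ]; do shift; done
    printf '%s %s\n' "$(label_type "$_label")" "$1"
}

# Read `ls -dlZ` lines on stdin. $1 is a space-separated list of acceptable
# types. Prints each mismatch; returns 0 only if every path carries an
# acceptable type.
check_types() {
    _expected=" $1 "
    _bad=0
    while read -r _line; do
        if [ -z "$_line" ]; then continue; fi
        set -- $(ls_z_line "$_line")
        case "$_expected" in
            *" $1 "*) ;;
            *) printf 'unexpected type %s on %s\n' "$1" "$2"; _bad=1 ;;
        esac
    done
    return $_bad
}

# Live use on an SELinux host (not exercised offline): emit `ls -dlZ` for the
# path and every ancestor up to /, so a mislabelled parent shows up too, e.g.
#   walk_path /home/adamw/public_html/fedfind/releases \
#     | check_types 'httpd_user_content_t user_home_dir_t home_root_t root_t'
walk_path() {
    _p=$1
    while [ -n "$_p" ] && [ "$_p" != / ]; do
        ls -dlZ "$_p"
        _p=$(dirname "$_p")
    done
}

# Constructed sample: two directories labelled as in the report, plus one
# deliberately mislabelled user_home_t entry so check_types has something to flag.
SAMPLE='drwxr-xr-x. 15 adamw adamw unconfined_u:object_r:httpd_user_content_t:s0 4096 Apr  6 11:53 /home/adamw/public_html
drwxrwxr-x. 3 adamw adamw unconfined_u:object_r:httpd_user_content_t:s0 4096 Oct 14  2016 /home/adamw/public_html/fedfind
drwxrwxr-x. 2 adamw adamw unconfined_u:object_r:user_home_t:s0 4096 Feb 10  2017 /home/adamw/public_html/fedfind/releases'

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | check_types httpd_user_content_t || echo 'label mismatch found'
```

If `check_types` reports nothing for the whole ancestor chain and `getsebool httpd_read_user_content` is on, the labels are not the problem, and the next step is the one the reporter took: file it against selinux-policy rather than relabel or switch on `httpd_unified`.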

Comment 1 Fedora Update System 2017-11-02 15:28:26 UTC
selinux-policy-3.13.1-260.14.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d312739a4e

Comment 2 Adam Williamson 2017-11-02 15:32:22 UTC
260.14.fc26 actually fixes this - it's listed in the package changelog - but without referencing this bug. I edited the update.

Comment 3 Fedora Update System 2017-11-15 20:12:48 UTC
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

