Bug 163493 - SELinux prohibit HTTPD to list cifs mounts
SELinux prohibit HTTPD to list cifs mounts
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: kernel (Show other bugs)
4
i386 Linux
medium Severity low
: ---
: ---
Assigned To: James Morris
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-07-18 07:57 EDT by Dimitar Pashev
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-05-05 10:56:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dimitar Pashev 2005-07-18 07:57:41 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8) Gecko/20050511

Description of problem:
HTTPD daemon unable to list cifs mounted directories.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. mkdir -p /var/www/html/remote
2. mount /windows-server/share /var/www/html/remote -t cifs -o fscontext=system_u:object_r:httpd_sys_content_t
3. httpd.conf
 <Directory /var/www/html/remote>
   Options +Indexes
   Allow from all
 </Directory>


Actual Results:  audit(1121686107.475:0): avc:  denied  { 0x100000 } for  name=docs dev=cifs ino=236013 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file


Additional info:
Comment 1 Daniel Walsh 2005-07-20 10:14:35 EDT
This looks like it might be a kernel/policy mismatch problem?
Comment 2 Daniel Walsh 2005-08-25 12:37:46 EDT
Any update on this?  Are you still seeing this problem?
Comment 3 Dimitar Pashev 2005-09-10 05:05:01 EDT
audit(1126342432.212:4533451): avc:  denied  { 0x100000 } for  name=writer
dev=cifs ino=3714545 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=file
audit(1126342432.212:4533451): syscall=195 arch=40000003 success=no exit=-13
a0=8853130 a1=ae954e8c a2=4bbe6ff4 a3=ae954e8c items=1 pid=6892 loginuid=-1
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm=httpd
exe=/usr/sbin/httpd
audit(1126342432.212:4533451): item=0
name="/var/www/html/remote/docs/writer/index.htm" inode=3714545 dev=00:11
mode=040777 uid=0 gid=0 rdev=00:00
Comment 4 Stephen Smalley 2005-09-12 08:16:50 EDT
tclass=file is wrong here, as the object is a directory.  That is why the
permission value (0x100000 == DIR__SEARCH) is not being interpreted correctly.

Since the tcontext is correct, selinux_d_instantiate->inode_doinit must have
completed.   It would have set the class from the inode mode information at the
time of the d_instantiate/d_splice_alias (i.e. when it was first looked up or
created).  This suggests that cifs is calling d_instantiate without first
setting the inode mode.

Looking at the cifs code, it appears that cifs_filldir (called upon a readdir on
a cifs directory) constructs a dentry for each entry in the directory (thereby
calling d_instantiate) without first setting up the inode state.  It then fills
in the inode state prior to calling filldir.

I'd classify this as a bug in cifs, not SELinux.  It should set the inode mode
prior to calling d_instantiate so that the inode is not accessible with
uninitialized state.
Comment 5 Dave Jones 2006-01-16 17:05:53 EST
This is a mass-update to all currently open Fedora Core 3 kernel bugs.

Fedora Core 3 support has transitioned to the Fedora Legacy project.
Due to the limited resources of this project, typically only
updates for new security issues are released.

As this bug isn't security related, it has been migrated to a
Fedora Core 4 bug.  Please upgrade to this newer release, and
test if this bug is still present there.

This bug has been placed in NEEDINFO_REPORTER state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.

Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.

Thank you.
Comment 6 Dave Jones 2006-02-03 02:00:44 EST
This is a mass-update to all currently open kernel bugs.

A new kernel update has been released (Version: 2.6.15-1.1830_FC4)
based upon a new upstream kernel release.

Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.

This bug has been placed in NEEDINFO_REPORTER state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.

Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.

If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.

Thank you.
Comment 7 John Thacker 2006-05-05 10:56:50 EDT
Closing per previous comment.
Comment 8 Steve French 2006-09-06 17:59:57 EDT
Patch available for mainline and tests out ok - sending off to Linus for 2.6.18
(in case it is not too late)

Note You need to log in before you can comment on or make changes to this bug.