Bug 172087 - (selinux) Webdav problems in enforcing mode in Raw Hide
Summary: (selinux) Webdav problems in enforcing mode in Raw Hide
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
(Show other bugs)
Version: rawhide
Hardware: All Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
Blocks: FC5Target
TreeView+ depends on / blocked
Reported: 2005-10-31 09:22 UTC by Nicolas Mailhot
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-11-05 09:25:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Nicolas Mailhot 2005-10-31 09:22:13 UTC
Description of problem:

I've just test tested webdav in enforcing mode on Fedora Devel and it
doesn't work :

- apache needs rw access on /srv (don't know where the default dav root
should be, I put it in srv since its seems the FHS wants this kind of
stuff there)

type=AVC msg=audit(1130749513.951:3772): avc:  denied  { read } for
pid=11759 comm="httpd" name="nim" dev=dm-0 ino=1048598
scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0
type=SYSCALL msg=audit(1130749513.951:3772): arch=c000003e syscall=2
success=no exit=-13 a0=5555558ca410 a1=10800 a2=5555558c7ff8
a3=5555558c58a7 items=1 pid=11759 auid=4294967295 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd"

- it also needs rw acces to its default /var/lib/dav/lockdb.dir

type=AVC msg=audit(1130749738.930:3777): avc:  denied  { write } for
pid=11766 comm="httpd" name="lockdb.dir" dev=dm-0 ino=2392524
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1130749738.930:3777): arch=c000003e syscall=2
success=no exit=-13 a0=5555558c7580 a1=42 a2=1b6 a3=3 items=1 pid=11766
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=CWD msg=audit(1130749738.930:3777):  cwd="/"
type=PATH msg=audit(1130749738.930:3777): item=0
name="/var/lib/dav/lockdb.dir" flags=310  inode=2392223 dev=fd:00
mode=040700 ouid=48 ogid=48 rdev=00:00

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.Create a webdav root in /srv
2.Try to use it in enforcing mode server-side
Actual results:

1. Webdav clients fail when trying to manipulate the share 
2. Various errors in apache logs :

[Mon Oct 31 10:05:13 2005] [error] [client x.x.x.x] Provider encountered an
error while streaming a multistatus PROPFIND response.  [404, #0]
[Mon Oct 31 10:08:58 2005] [error] [client x.x.x.x] File does not exist:
[Mon Oct 31 10:08:58 2005] [error] [client x.x.x.x] File does not exist:
[Mon Oct 31 10:08:58 2005] [error] [client x.x.x.x] The locks could not be
queried for verification against a possible "If:" header.  [500, #0]
[Mon Oct 31 10:08:58 2005] [error] [client x.x.x.x] Could not open the lock
database.  [500, #400]
[Mon Oct 31 10:08:58 2005] [error] [client x.x.x.x] (13)Permission denied: Could
not open property database.  [500, #1]

Expected results:

A working dav share
No errors in httpd logs

Additional info:

I've reported this on the selinux list, I just want to trace it there so it's
fixed before FC5

Comment 1 Nicolas Mailhot 2005-10-31 09:26:23 UTC
Dav/Apache problem -> CCing Joe Orton

Comment 2 Joe Orton 2005-10-31 10:30:25 UTC
Looks like a policy issue, httpd_t should have read/write/file-creation access to

Comment 3 Nicolas Mailhot 2005-10-31 10:37:52 UTC
Yes, that's why I opened an selinux bug, but I thought it would be nice to have
you there to confirm apache needs read/write/file-creation access to
/var/lib/dav/* AND /srv (and if srv is a no-go where people are supposed to put
their dav roots)

Comment 4 Nicolas Mailhot 2005-11-01 15:32:26 UTC
Joe, Daniel would like to know if Red Hat got a specific policy regarding DAV
files in /srv (ie should the default policy allow read/write/file-creation for
all /srv, just a subdir in /srv, or none at all).

My reading of :

is that if you use DAV as a way to share data (not a way to update web sites,
but a CIFS/FTP replacement) this data belongs in /srv.

If Red Hat does not define a specific part of /srv devoted to DAV use I'd say
make all srv accessible to apache in the default policy. OTOH it's certainly
cleaner to compartimentize /srv (on my box dav is in /srv/dav). What are your
thoughts on the question ?

Comment 5 Joe Orton 2005-11-01 15:44:53 UTC
I'd say it would be best to leave /srv labelling entirely to user policy.

Comment 6 Nicolas Mailhot 2005-11-01 16:05:35 UTC
:( This will force a lot of people to learn selinux instead of being mostly
transparent. Are you sure ?

Comment 7 Joe Orton 2005-11-01 16:14:08 UTC
To create a DAV repos you already have to create a directory and set up the
permissions correctly, it's never been an "it just works" thing.  The fact that
you have to label it too is just an extra step.

Comment 8 Nicolas Mailhot 2005-11-01 16:41:43 UTC
It just got a little less "just works" 

I'll just ask for the lock dir then

Comment 9 Daniel Walsh 2005-11-03 18:56:38 UTC
Fixed in policy version 1.27.2-12

Comment 10 Nicolas Mailhot 2005-11-05 09:25:44 UTC
I can confirm -> closing

Note You need to log in before you can comment on or make changes to this bug.