Bug 172087 - (selinux) Webdav problems in enforcing mode in Raw Hide
Summary: (selinux) Webdav problems in enforcing mode in Raw Hide
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: FC5Target
 
Reported: 2005-10-31 09:22 UTC by Nicolas Mailhot
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2005-11-05 09:25:44 UTC
Type: ---
Embargoed:



Description Nicolas Mailhot 2005-10-31 09:22:13 UTC
Description of problem:

I've just tested webdav in enforcing mode on Fedora Devel and it
doesn't work:


- apache needs rw access on /srv (don't know where the default dav root
should be, I put it in srv since it seems the FHS wants this kind of
stuff there)

type=AVC msg=audit(1130749513.951:3772): avc:  denied  { read } for
pid=11759 comm="httpd" name="nim" dev=dm-0 ino=1048598
scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0
tclass=dir
type=SYSCALL msg=audit(1130749513.951:3772): arch=c000003e syscall=2
success=no exit=-13 a0=5555558ca410 a1=10800 a2=5555558c7ff8
a3=5555558c58a7 items=1 pid=11759 auid=4294967295 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd"
exe="/usr/sbin/httpd"


- it also needs rw access to its default /var/lib/dav/lockdb.dir

type=AVC msg=audit(1130749738.930:3777): avc:  denied  { write } for
pid=11766 comm="httpd" name="lockdb.dir" dev=dm-0 ino=2392524
scontext=root:system_r:httpd_t:s0
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1130749738.930:3777): arch=c000003e syscall=2
success=no exit=-13 a0=5555558c7580 a1=42 a2=1b6 a3=3 items=1 pid=11766
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=CWD msg=audit(1130749738.930:3777):  cwd="/"
type=PATH msg=audit(1130749738.930:3777): item=0
name="/var/lib/dav/lockdb.dir" flags=310  inode=2392223 dev=fd:00
mode=040700 ouid=48 ogid=48 rdev=00:00


Version-Release number of selected component (if applicable):

selinux-policy-targeted-1.27.2-10
libselinux-1.27.17-1
httpd-2.0.54-14

How reproducible:

Always

Steps to Reproduce:
1. Create a webdav root in /srv
2. Try to use it in enforcing mode server-side
  
Actual results:

1. Webdav clients fail when trying to manipulate the share 
2. Various errors in apache logs:

[Mon Oct 31 10:05:13 2005] [error] [client x.x.x.x] Provider encountered an
error while streaming a multistatus PROPFIND response.  [404, #0]
[Mon Oct 31 10:08:58 2005] [error] [client x.x.x.x] File does not exist:
/srv/dav/nim/t752.sxw
[Mon Oct 31 10:08:58 2005] [error] [client x.x.x.x] File does not exist:
/srv/dav/nim/t752.sxw
[Mon Oct 31 10:08:58 2005] [error] [client x.x.x.x] The locks could not be
queried for verification against a possible "If:" header.  [500, #0]
[Mon Oct 31 10:08:58 2005] [error] [client x.x.x.x] Could not open the lock
database.  [500, #400]
[Mon Oct 31 10:08:58 2005] [error] [client x.x.x.x] (13)Permission denied: Could
not open property database.  [500, #1]


Expected results:

A working dav share
No errors in httpd logs


Additional info:

I've reported this on the selinux list, I just want to trace it there so it's
fixed before FC5
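The two AVC records above are the whole diagnosis: the denied permission, the source domain (httpd_t) and the target type (var_t, var_lib_t) tell you whether you are looking at a labelling gap or a genuine policy gap. The following triage helper is an added example and is not part of this bug report or of the selinux-policy package; it re-joins the wrapped audit lines from the report into single-line records (labelled as sample input below), parses the AVC and PATH records, correlates them by event serial, and aggregates the denials per (source type, target type, class). The `Denial` dataclass and function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input, constructed from the audit records quoted in this report,
# with each record re-joined onto a single line as auditd writes it.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1130749513.951:3772): avc:  denied  { read } for pid=11759 comm="httpd" name="nim" dev=dm-0 ino=1048598 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1130749513.951:3772): arch=c000003e syscall=2 success=no exit=-13 a0=5555558ca410 a1=10800 a2=5555558c7ff8 a3=5555558c58a7 items=1 pid=11759 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1130749738.930:3777): avc:  denied  { write } for pid=11766 comm="httpd" name="lockdb.dir" dev=dm-0 ino=2392524 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=CWD msg=audit(1130749738.930:3777):  cwd="/"
type=PATH msg=audit(1130749738.930:3777): item=0 name="/var/lib/dav/lockdb.dir" flags=310  inode=2392223 dev=fd:00 mode=040700 ouid=48 ogid=48 rdev=00:00
"""

# "avc:  denied  { read write }" -> verdict and the brace-enclosed permission list
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}")
# key=value tokens; values are either double-quoted or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# msg=audit(<timestamp>:<serial>) identifies one kernel event shared by its records
EVENT_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")


@dataclass(frozen=True)
class Denial:
    serial: str
    perms: Tuple[str, ...]
    comm: str
    source_type: str      # type field of scontext, e.g. httpd_t
    target_type: str      # type field of tcontext, e.g. var_lib_t
    tclass: str           # object class, e.g. dir / file
    name: str             # last path component reported by the AVC record
    path: Optional[str]   # full path from the PATH record of the same event, if present


def _type_of(context: str) -> str:
    """Return the type component of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_audit(text: str) -> List[Denial]:
    """Parse auditd text and return one Denial per AVC 'denied' record,
    filling in the full path from a PATH record with the same event serial."""
    paths: Dict[str, str] = {}
    pending = []
    for line in text.splitlines():
        ev = EVENT_RE.search(line)
        if not ev:
            continue
        serial = ev.group("serial")
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        rtype = fields.get("type")
        if rtype == "PATH" and "name" in fields:
            paths[serial] = fields["name"]
        elif rtype == "AVC":
            m = AVC_RE.search(line)
            if m and m.group("verdict") == "denied":
                pending.append((serial, tuple(m.group("perms").split()), fields))
    return [
        Denial(
            serial=serial,
            perms=perms,
            comm=f.get("comm", "?"),
            source_type=_type_of(f["scontext"]),
            target_type=_type_of(f["tcontext"]),
            tclass=f["tclass"],
            name=f.get("name", ""),
            path=paths.get(serial),
        )
        for serial, perms, f in pending
    ]


def summarize(denials: List[Denial]) -> Dict[Tuple[str, str, str], Tuple[str, ...]]:
    """Aggregate denials into (source_type, target_type, tclass) -> sorted permissions.
    Each key is one missing allow rule or one mislabelled object type."""
    agg: Dict[Tuple[str, str, str], set] = {}
    for d in denials:
        agg.setdefault((d.source_type, d.target_type, d.tclass), set()).update(d.perms)
    return {k: tuple(sorted(v)) for k, v in agg.items()}


def report(denials: List[Denial]) -> List[str]:
    """Human-readable triage lines. Generic target types such as var_t or var_lib_t
    mean the object carries the parent directory's default label rather than a type
    the confined domain is allowed to use, so the fix is labelling or a policy update."""
    lines = []
    for (src, tgt, cls), perms in summarize(denials).items():
        objects = sorted({d.path or d.name for d in denials
                          if (d.source_type, d.target_type, d.tclass) == (src, tgt, cls)})
        lines.append(f"{src} denied {{ {' '.join(perms)} }} on {cls} of type {tgt}: "
                     + ", ".join(objects))
    return lines


if __name__ == "__main__":
    for line in report(parse_audit(SAMPLE_AUDIT_LOG)):
        print(line)
```

Run against the records from this report, the summary collapses to two entries: httpd_t lacking read on a var_t directory (the /srv dav root, which carries the generic label) and httpd_t lacking write on a var_lib_t file (/var/lib/dav/lockdb.dir). That is exactly the split the comments below arrive at: the first is a site labelling decision, the second a policy gap for the lock database.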

Comment 1 Nicolas Mailhot 2005-10-31 09:26:23 UTC
Dav/Apache problem -> CCing Joe Orton

Comment 2 Joe Orton 2005-10-31 10:30:25 UTC
Looks like a policy issue, httpd_t should have read/write/file-creation access to
/var/lib/dav/*

Comment 3 Nicolas Mailhot 2005-10-31 10:37:52 UTC
Yes, that's why I opened a selinux bug, but I thought it would be nice to have
you there to confirm apache needs read/write/file-creation access to
/var/lib/dav/* AND /srv (and if srv is a no-go where people are supposed to put
their dav roots)

Comment 4 Nicolas Mailhot 2005-11-01 15:32:26 UTC
Joe, Daniel would like to know if Red Hat got a specific policy regarding DAV
files in /srv (ie should the default policy allow read/write/file-creation for
all /srv, just a subdir in /srv, or none at all).

My reading of :
http://www.pathname.com/fhs/pub/fhs-2.3.html#SRVDATAFORSERVICESPROVIDEDBYSYSTEM

is that if you use DAV as a way to share data (not a way to update web sites,
but a CIFS/FTP replacement) this data belongs in /srv.

If Red Hat does not define a specific part of /srv devoted to DAV use I'd say
make all srv accessible to apache in the default policy. OTOH it's certainly
cleaner to compartmentalize /srv (on my box dav is in /srv/dav). What are your
thoughts on the question?

Comment 5 Joe Orton 2005-11-01 15:44:53 UTC
I'd say it would be best to leave /srv labelling entirely to user policy.

Comment 6 Nicolas Mailhot 2005-11-01 16:05:35 UTC
:( This will force a lot of people to learn selinux instead of being mostly
transparent. Are you sure ?

Comment 7 Joe Orton 2005-11-01 16:14:08 UTC
To create a DAV repos you already have to create a directory and set up the
permissions correctly, it's never been an "it just works" thing.  The fact that
you have to label it too is just an extra step.

Comment 8 Nicolas Mailhot 2005-11-01 16:41:43 UTC
It just got a little less "just works" 

I'll just ask for the lock dir then

Comment 9 Daniel Walsh 2005-11-03 18:56:38 UTC
Fixed in policy version 1.27.2-12

Comment 10 Nicolas Mailhot 2005-11-05 09:25:44 UTC
I can confirm -> closing

