Bug 2179628 - httpd's mod_dav has no standard directory for storing files marked httpd_sys_rw_content_t
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.2
Hardware: Unspecified
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: Nikola Knazekova
QA Contact: Milos Malik
Reported: 2023-03-19 10:04 UTC by Graham Leggett
Modified: 2023-08-04 14:35 UTC

Doc Type: No Doc Update
Last Closed: 2023-08-04 14:35:00 UTC
Type: Bug

Links
Red Hat Issue Tracker RHELPLAN-152261 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2023-03-19 10:05:54 UTC)

Description Graham Leggett 2023-03-19 10:04:19 UTC
Description of problem:

When attempting to configure mod_dav under httpd, there is no default directory configured that allows write access (selinux httpd_sys_rw_content_t context).

Version-Release number of selected component (if applicable):

selinux-policy-34.1.43-1.el9_1.2.noarch

How reproducible:

Always.

Steps to Reproduce:
1. semanage fcontext -l | grep httpd_sys_rw_content_t
2.
3.

Actual results:

Sensible default locations for svn:

/var/www/svn(/.*)?                                 all files          system_u:object_r:httpd_sys_rw_content_t:s0 

Nothing for dav.

Expected results:

Sensible default location for dav, for example:

/var/www/dav(/.*)?                                 all files          system_u:object_r:httpd_sys_rw_content_t:s0 

Additional info:

Comment 1 Milos Malik 2023-03-24 09:47:31 UTC
# rpm -qa mod\*
mod_dav_svn-1.14.1-5.el9_0.x86_64
# rpm -ql mod_dav_svn | grep example
/usr/share/doc/mod_dav_svn/example.conf
# grep /var/www /usr/share/doc/mod_dav_svn/example.conf
# containing Subversion repositories, "/var/www/svn".  Each repository
#   # cd /var/www/svn
#   SVNParentPath /var/www/svn

Here is how to set up an SELinux equivalency between the /var/www/svn and /var/www/dav locations:

# matchpathcon /var/www/svn
/var/www/svn	system_u:object_r:httpd_sys_rw_content_t:s0
# matchpathcon /var/www/dav
/var/www/dav	system_u:object_r:httpd_sys_content_t:s0
# semanage fcontext -l | grep /var/www/dav
# semanage fcontext -l | grep /var/www/svn
/var/www/svn(/.*)?                                 all files          system_u:object_r:httpd_sys_rw_content_t:s0 
/var/www/svn/conf(/.*)?                            all files          system_u:object_r:httpd_sys_content_t:s0 
/var/www/svn/hooks(/.*)?                           all files          system_u:object_r:httpd_sys_script_exec_t:s0 
# semanage fcontext -a -e /var/www/svn /var/www/dav
# semanage fcontext -l | grep /var/www/dav
/var/www/dav = /var/www/svn
# matchpathcon /var/www/svn
/var/www/svn	system_u:object_r:httpd_sys_rw_content_t:s0
# matchpathcon /var/www/dav
/var/www/dav	system_u:object_r:httpd_sys_rw_content_t:s0
#

Let us know if this approach helped to solve your issue.

Thank you.
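
Added example, not part of the bug thread or of selinux-policy: a simplified Python model of file-context lookup that shows what the `-e` equivalence from comment 1 implies for subdirectories, next to the single `/var/www/dav(/.*)?` rule from the report's expected results. The `/var/www(/.*)?` rule and the longest-literal-prefix selection are assumptions that approximate libselinux; the svn rules are copied from the output above.

```python
import re

# Constructed rule set. The three /var/www/svn rules are copied from the
# `semanage fcontext -l` output in comment 1; the /var/www(/.*)? rule is an
# assumption that accounts for /var/www/dav resolving to httpd_sys_content_t.
RULES = [
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/var/www/svn(/.*)?", "httpd_sys_rw_content_t"),
    (r"/var/www/svn/conf(/.*)?", "httpd_sys_content_t"),
    (r"/var/www/svn/hooks(/.*)?", "httpd_sys_script_exec_t"),
]
# Equivalence created by `semanage fcontext -a -e /var/www/svn /var/www/dav`.
EQUIV = [("/var/www/dav", "/var/www/svn")]
# Alternative: the single rule from the report's "Expected results".
DEDICATED = RULES + [(r"/var/www/dav(/.*)?", "httpd_sys_rw_content_t")]

def literal_prefix(regex):
    """Part of the regex before its first metacharacter."""
    return re.split(r"[.^$?*+|\[({\\]", regex, maxsplit=1)[0]

def substitute(path, equivalences):
    """Rewrite a path that equals, or lies below, an equivalence source."""
    for src, dst in equivalences:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path

def expected_type(path, rules=RULES, equivalences=()):
    """Type of the matching rule with the longest literal prefix (simplified)."""
    path = substitute(path, equivalences)
    hits = [(len(literal_prefix(rx)), t) for rx, t in rules if re.fullmatch(rx, path)]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def compare(paths):
    """Map path -> (no change, with equivalence, with dedicated rule)."""
    return {p: (expected_type(p),
                expected_type(p, equivalences=EQUIV),
                expected_type(p, rules=DEDICATED)) for p in paths}

if __name__ == "__main__":
    sample = ["/var/www/dav", "/var/www/dav/file.txt",
              "/var/www/dav/conf/site.ini", "/var/www/dav/hooks/post.sh"]
    for path, types in compare(sample).items():
        print(f"{path:30} {types}")
```

Under the equivalence, a `conf` or `hooks` directory created below /var/www/dav inherits the svn subtree's read-only and script-exec types, whereas the dedicated rule labels everything httpd_sys_rw_content_t.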

Comment 2 Graham Leggett 2023-04-03 09:43:14 UTC
(In reply to Milos Malik from comment #1)
> Let us know if this approach helped to solve your issue.

The issue is that this should work out of the box, without me doing anything weird or non-standard.

Comment 4 Nikola Knazekova 2023-08-04 14:35:00 UTC
Hi, 
this bug will be closed as wontfix, because the path /var/www/dav is not defined in the official apache documentation.

