Bug 238277 - selinux prevents httpd to read user home directories
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: anaconda
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Anaconda Maintenance Team
Reported: 2007-04-28 13:59 EDT by Stefan Becker
Modified: 2007-11-30 17:12 EST

Doc Type: Bug Fix
Last Closed: 2007-05-02 17:36:57 EDT
Description Stefan Becker 2007-04-28 13:59:23 EDT
Description of problem:

Just updated to F7test4 and httpd can no longer read user home directories. The
boolean for that option is on by default in system-config-selinux.

Version-Release number of selected component (if applicable):

selinux-policy-2.6.1-1.fc7
selinux-policy-targeted-2.6.1-1.fc7
httpd-2.2.4-3

How reproducible:
always

Additional info:

/var/log/messages when accessing /~user:

Apr 28 20:48:54 baraddur kernel: audit(1177782534.506:69): avc:  denied  { search } for  pid=5365 comm="httpd" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
Apr 28 20:48:54 baraddur kernel: audit(1177782534.506:70): avc:  denied  { search } for  pid=5365 comm="httpd" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
Apr 28 20:49:29 baraddur kernel: audit(1177782569.005:71): avc:  denied  { search } for  pid=5560 comm="httpd" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
Apr 28 20:49:29 baraddur kernel: audit(1177782569.005:72): avc:  denied  { search } for  pid=5560 comm="httpd" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir


local.te generated with audit2allow:

module local 1.0;

require {
        type httpd_t;
        type default_t;
        class dir search;
}

#============= httpd_t ==============
allow httpd_t default_t:dir search;

When I load local.pp everything works fine again...
Comment 1 Stefan Becker 2007-04-29 05:54:54 EDT
getattr rights are required too:

module local 1.0;

require {
        type httpd_t;
        type default_t;
        class dir { search getattr };
}

#============= httpd_t ==============
allow httpd_t default_t:dir { search getattr };
Comment 2 Daniel Walsh 2007-04-30 08:17:25 EDT
Your home directories are mislabeled.  They should be labeled something like
user_home_dir_t and user_home_t.  Try restorecon -R -v ~user

Are these home directories in a different location?
Comment 3 Stefan Becker 2007-04-30 12:12:55 EDT
Home directory:

drwx--x--x user_u:object_r:user_home_dir_t     stefanb stefanb .
drwxr-xr-x system_u:object_r:default_t         root    root    ..

/home/stefanb/public_html is a mounted LVM partition:

drwxrwxrwx user_u:object_r:httpd_sys_content_t stefanb stefanb public_html

top-level inside public_html:

drwxrwxrwx user_u:object_r:httpd_sys_content_t stefanb stefanb .
drwx--x--x user_u:object_r:user_home_dir_t     stefanb stefanb ..
-rw-rw-r-- user_u:object_r:httpd_sys_content_t stefanb stefanb index.html

I reran restorecon:

$ /sbin/restorecon -v $HOME
$ /sbin/restorecon -v $HOME/public_html
$ /sbin/restorecon -v $HOME/public_html/*
$

As you can see there were no changes. The same setup worked OK in FC6.

Maybe httpd is not allowed to access the mounted partition? How can I grant access?
Comment 4 Daniel Walsh 2007-04-30 12:18:06 EDT
restorecon -v /home
Comment 5 Stefan Becker 2007-04-30 12:58:16 EDT
Yep, that seems to have corrected it:

# restorecon -v /home
restorecon reset /home context
system_u:object_r:default_t:s0->system_u:object_r:home_root_t:s0

/home is also a mounted LVM partition which I of course did not format during
F7test4 installation. Does this mean the security context of /home changed from
FC6 to F7? Maybe the installer should always run restorecon on unchanged, but
mounted partitions?
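The denials in this report have a telltale shape: the target type is default_t and the object is name="/" ino=2, i.e. the root directory of the mounted filesystem itself, so the right fix is restorecon on the mount point rather than the allow rule audit2allow would generate. The following Python is an added example (not part of the bug report) that parses AVC lines of that format and separates a labelling problem from a genuine policy gap; the sample lines are constructed from the ones above, and the third line (a denial on a correctly labelled user_home_t file) is a hypothetical contrast case.

```python
import re

# Constructed sample lines modelled on the AVC denials in this bug report,
# one record per line. The third line is hypothetical: a denial whose target
# is properly labelled, where relabelling would not help.
SAMPLE_AVC = """\
Apr 28 20:48:54 baraddur kernel: audit(1177782534.506:69): avc:  denied  { search } for  pid=5365 comm="httpd" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
Apr 28 20:49:29 baraddur kernel: audit(1177782569.005:72): avc:  denied  { getattr } for  pid=5560 comm="httpd" name="/" dev=dm-1 ino=2 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
Apr 28 20:50:01 baraddur kernel: audit(1177782601.100:73): avc:  denied  { read } for  pid=5560 comm="httpd" name="notes.txt" dev=dm-1 ino=4711 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Target types that mean "this object never received a proper label": the fix
# is restorecon, not an allow rule (audit2allow would happily emit one).
MISLABEL_TYPES = {"default_t", "unlabeled_t", "file_t"}

def parse_avc(line):
    """Return a dict of the AVC fields plus the source/target SELinux types, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    rec["stype"] = rec["scontext"].split(":")[2]   # contexts are user:role:type:level
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(rec):
    """Decide whether a denial is a labelling problem or a genuine policy gap."""
    if rec["ttype"] in MISLABEL_TYPES:
        # ino=2 is the root directory of an ext filesystem, so the denied object
        # is the mount point itself (here /home on dm-1), not a file inside it.
        if rec.get("ino") == "2":
            target = "mount point of %s" % rec.get("dev", "?")
        else:
            target = rec.get("name", "?")
        return {"verdict": "relabel", "ttype": rec["ttype"],
                "action": "restorecon -v <%s>" % target}
    # httpd_enable_homedirs is the real boolean behind "read user home directories".
    return {"verdict": "policy", "ttype": rec["ttype"],
            "action": "check booleans (e.g. httpd_enable_homedirs) before adding an allow rule"}

def triage_log(text):
    """Parse every AVC line in text and return one triage result per denial."""
    return [triage(rec) for rec in map(parse_avc, text.splitlines()) if rec]

if __name__ == "__main__":
    for result in triage_log(SAMPLE_AVC):
        print(result)
```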
Comment 6 Daniel Walsh 2007-04-30 13:27:53 EDT
No they are the same.  
Did you rm -rf /home after the install and then mkdir /home and mount on top of it?

That is the only way I can think of /home getting the wrong context on it,
unless there is a bug in the installer.
Comment 7 Stefan Becker 2007-04-30 17:32:05 EDT
Nope, just set the mount point for the partition in the installer to /home and
disabled the formatting option.

Well maybe it'll always be a mystery :-)
Comment 8 Daniel Walsh 2007-05-01 08:20:57 EDT
Ok, in that case this looks like a potential Anaconda problem.
Comment 9 Jeremy Katz 2007-05-02 17:36:57 EDT
The problem is that genhomedircon grew a dep on libselinux-python and anaconda
doesn't include that in its minimal image.

Added in CVS.
