Bug 353781 - SELinux prevented httpd reading and writing access to http files when twiki pages are browsed.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.0
Hardware: All
OS: Linux
Priority: low
Severity: high
Assigned To: Daniel Walsh
Keywords: OtherQA, Reopened
Reported: 2007-10-26 05:10 EDT by manoj
Modified: 2009-07-20 05:59 EDT
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 12:05:57 EDT

Attachments
attaching screenshot of twiki page. (135.64 KB, image/jpeg)
2007-10-26 05:16 EDT, manoj
Description manoj 2007-10-26 05:10:21 EDT
Description of problem:

I have configured the twiki application (used on apache) on my RHEL5 box. I have
the selinux policy enabled in enforcing mode (selinux-policy-2.4.6-30.el5).

When I click on the Registration link of the twiki page I get the below setroubleshoot
alert. I tried "setsebool -P httpd_unified=1" as indicated in the alert to stop
this alert but I couldn't prevent this. However, please note that I'm able to
browse the twiki pages (there is no issue in the functionality).

Summary
    SELinux prevented httpd reading and writing access to http files.

Detailed Description
    SELinux prevented httpd reading and writing access to http files. Ordinarily
    httpd is allowed full access to all files labeled with http file context.
    This machine has a tightened security policy with the httpd_unified turned
    off,  This requires explicit labeling of all files.  If a file is a cgi
    script it needs to be labeled with httpd_TYPE_script_exec_t in order to be
    executed.  If it is read only content, it needs to be labeled
    httpd_TYPE_content_t, it is writable content. it needs to be labeled
    httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon
    command to change these context.  Please refer to the man page "man
    httpd_selinux" or http://fedora.redhat.com/docs/selinux-apache-fc3 "TYPE"
    refers toi one of "sys", "user" or "staff" or potentially other script
    types.

Allowing Access
    Changing the "httpd_unified" boolean to true will allow this access:
    "setsebool -P httpd_unified=1"

    The following command will allow this access:
    setsebool -P httpd_unified=1

Additional Information

Source Context                root:system_r:httpd_sys_script_t
Target Context                root:object_r:httpd_tmp_t
Target Objects                /dev/null [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.httpd_unified
Host Name                     rhel5.shankar.com
Platform                      Linux rhel5.shankar.com 2.6.18-8.el5 #1 SMP Fri
                              Jan 26 14:15:21 EST 2007 i686 i686
Alert Count                   1
Line Numbers                  

Raw Audit Messages

avc: denied { read, write } for comm="view" dev=hda1 egid=48 euid=48
exe="/usr/bin/perl" exit=0 fsgid=48 fsuid=48 gid=48 items=0
name=".NSPR-AFM-8391-8a9a9b8.0" path="/dev/null" pid=8503
scontext=root:system_r:httpd_sys_script_t:s0 sgid=48
subj=root:system_r:httpd_sys_script_t:s0 suid=48 tclass=file
tcontext=root:object_r:httpd_tmp_t:s0 tty=(none) uid=48
Comment 1 manoj 2007-10-26 05:16:04 EDT
Created attachment 238681 [details]
attaching screenshot of twiki page.

Note the Registration word on this screenshot. Once I click on that I get the
alerts.
Comment 2 manoj 2007-10-30 23:13:32 EDT
Any updates??
Comment 3 Daniel Walsh 2007-10-31 07:53:20 EDT
You can add this rule for now by executing

grep httpd_sys /var/log/audit/audit.log | audit2allow -M myapache
semodule -i myapache.pp

I will allow this priv in Update2.

selinux-policy-2.4.6-107.el5.src.rpm
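Added example (not from the bug report or the selinux-policy project): a small Python script that parses AVC denial records like the one in the description, merges them per source type, target type and object class, and prints allow rules in the form the `grep ... | audit2allow -M` step above generates. The sample audit.log lines are constructed from the report's raw audit message; this is a simplified stand-in for audit2allow's core step, not the real tool.

```python
"""Derive SELinux allow rules from AVC denial records.
Added example, not part of the bug report; a simplified
re-implementation of what audit2allow does, not the real tool."""
import re
from collections import defaultdict

# Constructed sample audit.log content, modelled on the denial in the report
# (one record per line; non-AVC records such as SYSCALL are ignored).
SAMPLE_LOG = """\
type=AVC msg=audit(1193389821.123:101): avc:  denied  { read write } for  pid=8503 comm="view" name=".NSPR-AFM-8391-8a9a9b8.0" dev=hda1 ino=1234 scontext=root:system_r:httpd_sys_script_t:s0 tcontext=root:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1193389822.456:102): avc:  denied  { getattr } for  pid=8503 comm="view" path="/dev/null" dev=hda1 ino=1234 scontext=root:system_r:httpd_sys_script_t:s0 tcontext=root:object_r:httpd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1193389821.123:101): arch=40000003 syscall=5 success=yes exit=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, set(perms)), or None for non-AVC lines.
    Accepts both audit.log style '{ read write }' and setroubleshoot style '{ read, write }'."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:mls]; the type is always the third field.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    perms = set(m.group('perms').replace(',', ' ').split())
    return stype, ttype, m.group('tclass'), perms

def allow_rules(log_text, source_filter=None):
    """Merge denials sharing (source type, target type, class) into one allow rule each.
    source_filter mimics the 'grep httpd_sys' pre-selection from the comment above."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        if source_filter and source_filter not in line:
            continue
        rec = parse_avc(line)
        if rec:
            stype, ttype, tclass, perms = rec
            merged[(stype, ttype, tclass)] |= perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG, source_filter="httpd_sys"):
        print(rule)
```

Review the generated rules before loading a module built from them: a rule scoped to one source type, target type and class is narrower than flipping httpd_unified, which is what makes the audit2allow route preferable on a tightened policy.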
Comment 4 manoj 2007-11-29 22:45:54 EST
I don't see this alert when I test it on RHEL5.1 (selinux-policy-2.4.6-104).
Comment 5 Jay Turner 2007-11-30 02:34:56 EST
QE ack for RHEL5.2.  Reproducer in comment 0.
Comment 8 Eduard Benes 2008-04-02 04:19:53 EDT
Manoj, could you please try the latest policy and reply whether it solves your
problem?
Thank you.

Latest packages are available here:
  http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Comment 9 manoj 2008-04-02 04:51:02 EDT
As I stated in comment5 earlier I couldn't reproduce this bug on RHEL5.1 with
the default SELinux policy-2.4.6-104. This can be closed :)
Comment 12 errata-xmlrpc 2008-05-21 12:05:57 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html