Bug 469447 - Unable to expose ISO through httpd due to SELinux
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 9
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2008-10-31 17:49 EDT by Christopher Beland
Modified: 2008-12-21 03:34 EST (History)
Doc Type: Bug Fix
Last Closed: 2008-12-15 12:17:15 EST

Attachments
Contents of the SELinux alert (2.56 KB, text/plain)
2008-10-31 17:49 EDT, Christopher Beland

Description Christopher Beland 2008-10-31 17:49:07 EDT
Created attachment 322139
Contents of the SELinux alert

I ran the following commands as root, intending to use my local web server as a source for a network install on a nearby machine:

mkdir /var/www/html/fedora/
mount -o loop -t iso9660 /backup/f10-snap3/Fedora-10-Snap3-x86_64-DVD/Fedora-10-Snap3-x86_64-DVD.iso /var/www/html/fedora/

When I tried to access the file via HTTP, I got an SELinux denial alert, which said:

"If you want to change the file context of /var/www/html/fedora so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t '/var/www/html/fedora'."

However, when I do this, I get an error:

 chcon: failed to change context of `/var/www/html/fedora' to `system_u:object_r:httpd_sys_content_t:s0': Read-only file system

I'm not sure there's a good security reason for denying Apache access to subdirectories of /var/www/html/, but in any case it would be nice if whatever solution is suggested by the system actually works.  For now, I'm disabling SELinux so I can proceed with my installation.

This is with selinux-policy-targeted-3.3.1-103.fc9.noarch and httpd-2.2.9-1.fc9.i386.
Comment 1 Daniel Walsh 2008-11-03 14:25:26 EST
Does

mount -o loop,context="system_u:object_r:httpd_sys_content_t:s0" -t iso9660 /backup/f10-snap3/Fedora-10-Snap3-x86_64-DVD/Fedora-10-Snap3-x86_64-DVD.iso /var/www/html/fedora/

fix the problem?
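
A check for the situation in this report, as an added example that is not part of the original comments: it reads a mount table in /proc/mounts format and lists read-only mounts below a web root that lack the context= option proposed in Comment 1. The function names, the sample table and its device names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): list read-only mounts below a web
# root that were mounted without an SELinux context= option.

# Label taken from the mount command in Comment 1.
WEB_CONTEXT='system_u:object_r:httpd_sys_content_t:s0'

# find_ro_unlabeled_mounts DOCROOT [MOUNTS_FILE]
# MOUNTS_FILE uses the /proc/mounts layout (device mountpoint fstype options
# dump pass); "-" reads stdin. Prints "mountpoint fstype" for every read-only
# filesystem at or below DOCROOT whose options carry no context=.
find_ro_unlabeled_mounts() {
    awk -v root="${1%/}" '
        $2 == root || index($2, root "/") == 1 {
            n = split($4, opt, ",")
            ro = 0; labeled = 0
            for (i = 1; i <= n; i++) {
                if (opt[i] == "ro") ro = 1
                if (opt[i] ~ /^context=/) labeled = 1
            }
            if (ro && !labeled) print $2, $3
        }' "${2:-/proc/mounts}"
}

# Constructed sample table; device names and mount points are made up.
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext4 rw,seclabel,relatime 0 0
/dev/sdb1 /var/www/html/uploads ext4 rw,seclabel,relatime 0 0
/dev/loop0 /var/www/html/fedora iso9660 ro,relatime 0 0
/dev/loop1 /var/www/html/f10 iso9660 ro,relatime,context=system_u:object_r:httpd_sys_content_t:s0 0 0
/dev/loop2 /mnt/scratch iso9660 ro,relatime 0 0
/dev/loop3 /var/www/htmlx iso9660 ro,relatime 0 0
EOF
}

# Report each finding with the mount option that would have labeled it.
sample_mounts | find_ro_unlabeled_mounts /var/www/html - |
while read -r mp fstype; do
    echo "$mp ($fstype): chcon cannot relabel; mount with -o context=\"$WEB_CONTEXT\""
done
```

On a live system, call find_ro_unlabeled_mounts with only the web root to read /proc/mounts directly.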
Comment 2 Daniel Walsh 2008-12-08 16:49:12 EST
This should just be allowed. Added policy for RHEL5, F10 and Rawhide.


fs_read_iso9660_files(httpd_t)
fs_read_iso9660_files(httpd_suexec_t)
fs_read_iso9660_files(httpd_sys_script_t)

Should be added to F9 policy.
Comment 3 Miroslav Grepl 2008-12-09 06:28:09 EST
Fixed in selinux-policy-3.3.1-115.fc9.noarch
Comment 4 Fedora Update System 2008-12-09 06:32:56 EST
selinux-policy-3.3.1-115.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/selinux-policy-3.3.1-115.fc9
Comment 5 Fedora Update System 2008-12-09 23:39:17 EST
selinux-policy-3.3.1-115.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing-newkey update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-11122
Comment 6 Fedora Update System 2008-12-15 11:34:27 EST
selinux-policy-3.3.1-116.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/selinux-policy-3.3.1-116.fc9
Comment 7 Christopher Beland 2008-12-15 11:47:23 EST
Sorry for the slow response; selinux-policy-3.3.1-115.fc9.noarch fixes the problem.  Thanks!
Comment 8 Fedora Update System 2008-12-21 03:34:42 EST
selinux-policy-3.3.1-115.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
