Bug 469447 - Unable to expose ISO through httpd due to SELinux
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 9
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-10-31 21:49 UTC by Christopher Beland
Modified: 2008-12-21 08:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-12-15 17:17:15 UTC
Type: ---
Embargoed:


Attachments
Contents of the SELinux alert (2.56 KB, text/plain)
2008-10-31 21:49 UTC, Christopher Beland

Description Christopher Beland 2008-10-31 21:49:07 UTC
Created attachment 322139
Contents of the SELinux alert

I ran the following commands as root, intending to use my local web server as a source for a network install on a nearby machine:

mkdir /var/www/html/fedora/
mount -o loop -t iso9660 /backup/f10-snap3/Fedora-10-Snap3-x86_64-DVD/Fedora-10-Snap3-x86_64-DVD.iso /var/www/html/fedora/

When I tried to access the file via HTTP, I got an SELinux denial alert, which said:

"If you want to change the file context of /var/www/html/fedora so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t '/var/www/html/fedora'."

However, when I do this, I get an error:

 chcon: failed to change context of `/var/www/html/fedora' to `system_u:object_r:httpd_sys_content_t:s0': Read-only file system

I'm not sure there's a good security reason for denying Apache access to subdirectories of /var/www/html/, but in any case it would be nice if whatever solution is suggested by the system actually works.  For now, I'm disabling SELinux so I can proceed with my installation.

This is with selinux-policy-targeted-3.3.1-103.fc9.noarch and httpd-2.2.9-1.fc9.i386.

Comment 1 Daniel Walsh 2008-11-03 19:25:26 UTC
Does

mount -o loop,context="system_u:object_r:httpd_sys_content_t:s0" -t iso9660 /backup/f10-snap3/Fedora-10-Snap3-x86_64-DVD/Fedora-10-Snap3-x86_64-DVD.iso /var/www/html/fedora/

Fix the problem?
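
Added example, not part of the bug report or of Fedora's tooling: a shell check that reads a mount table and reports whether a path can be relabeled with chcon or sits on a read-only filesystem (the chcon failure in the description) and needs the context= mount option from comment 1. The function names, the sample mount table and the /var/www/html/f10 mount point are constructed for illustration; it covers only the read-only case from this report.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Reads a mount table in
# /proc/mounts format (escaped spaces such as \040 are not handled).

# Print "fstype options" for the filesystem PATH lives on: the longest mount
# point that equals PATH or is a directory prefix of it (later entries win).
mount_entry_for() {
    awk -v p="$2" '
        BEGIN { best = 0 }
        { mp = $2
          if (mp == p || mp == "/" || index(p, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); out = $3 " " $4 } }
        END { if (out != "") print out }' "$1"
}

# label_advice MOUNTS PATH [TYPE] prints:
#   ok       filesystem already mounted with context= carrying TYPE
#   context  read-only filesystem, chcon cannot write labels: use -o context=
#   chcon    writable filesystem, chcon -t TYPE can relabel PATH
label_advice() {
    want=${3:-httpd_sys_content_t}
    entry=$(mount_entry_for "$1" "$2")
    [ -n "$entry" ] || { echo unknown; return 1; }
    fstype=${entry%% *}
    opts=,${entry#* },
    case $opts in
        *,context=*:"$want":*|*,context=*:"$want",*) echo ok; return 0 ;;
    esac
    case $opts in
        *,ro,*) echo context; return 0 ;;
    esac
    if [ "$fstype" = iso9660 ]; then echo context; return 0; fi
    echo chcon
}

# Constructed sample mount table (not taken from the reporter's machine).
sample_mounts() {
    cat <<'EOF'
/dev/sda2 / ext3 rw,relatime 0 0
/dev/loop0 /var/www/html/fedora iso9660 ro 0 0
/dev/loop1 /var/www/html/f10 iso9660 ro,context=system_u:object_r:httpd_sys_content_t:s0 0 0
EOF
}

demo=$(mktemp); sample_mounts > "$demo"
for p in /var/www/html/fedora /var/www/html/f10 /var/www/html/index.html; do
    printf '%s -> %s\n' "$p" "$(label_advice "$demo" "$p")"
done
rm -f "$demo"
```

On a live system, pass /proc/mounts as the first argument instead of the sample table.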

Comment 2 Daniel Walsh 2008-12-08 21:49:12 UTC
This should be just allowed, added policy for RHEL5, F10 and Rawhide.


fs_read_iso9660_files(httpd_t)
fs_read_iso9660_files(httpd_suexec_t)
fs_read_iso9660_files(httpd_sys_script_t)

Should be added to F9 policy.

Comment 3 Miroslav Grepl 2008-12-09 11:28:09 UTC
Fixed in selinux-policy-3.3.1-115.fc9.noarch

Comment 4 Fedora Update System 2008-12-09 11:32:56 UTC
selinux-policy-3.3.1-115.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/selinux-policy-3.3.1-115.fc9

Comment 5 Fedora Update System 2008-12-10 04:39:17 UTC
selinux-policy-3.3.1-115.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing-newkey update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-11122

Comment 6 Fedora Update System 2008-12-15 16:34:27 UTC
selinux-policy-3.3.1-116.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/selinux-policy-3.3.1-116.fc9

Comment 7 Christopher Beland 2008-12-15 16:47:23 UTC
Sorry for the slow response; selinux-policy-3.3.1-115.fc9.noarch fixes the problem.  Thanks!

Comment 8 Fedora Update System 2008-12-21 08:34:42 UTC
selinux-policy-3.3.1-115.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
