Bug 489774
| Field | Value |
|---|---|
| Summary | AVC denied 0x100000 for a directory with eCryptFS and Apache |
| Product | Red Hat Enterprise Linux 5 |
| Reporter | Bob Chojnacki <bob> |
| Component | kernel |
| Assignee | Eric Sandeen <esandeen> |
| Status | CLOSED ERRATA |
| QA Contact | Red Hat Kernel QE team <kernel-qe> |
| Severity | medium |
| Priority | low |
| Version | 5.2 |
| CC | bob, emcnabb, esandeen, tyhicks |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2010-03-30 07:41:52 UTC |
| Bug Blocks | 533192 |
I have a tested patch attached to https://bugs.launchpad.net/ecryptfs/+bug/341355 that fixes this problem. I will send the patch upstream soon.

Created attachment 335388 [details]
Fix

Attached Tyler Hicks' patch to have local copy inside RedHat bugzilla

Thanks; moving this to the kernel component and myself ....

I wanted to mention that it was a little late in the cycle for me to want to push this into 2.6.29. It is in my queue for 2.6.30.

------- Comment From tyhicks.ibm.com 2009-03-18 19:00 EDT-------

---Problem Description---
I am getting 0x100000 permission denials for a directory. Apache is trying to read a directory that is on an eCryptfs mount.

---Steps to Reproduce---
I want to serve web pages from the clear-text directory of an eCryptfs mount. I am running under SELinux. I am getting AVC denials. This is what I am doing:

```
mount -t ecryptfs -o key=passphrase:passphrase_passwd_file=/var/backup/.ecryptfs/.www,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,no_sig_cache,ecryptfs_passthrough /var/www/crypt_sites /var/www/clear_sites
```

4. Make sure /var/www/clear_sites (and /var/www/crypt_sites, and all their respective subdirectories) are set via:
```
type=AVC msg=audit(1236795231.038:49752): avc: denied { 0x100000 } for
pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196
scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.038:49752): arch=c000003e syscall=4
success=no exit=-13 a0=2ac5b2ab0630 a1=7fff0a015600 a2=7fff0a015600
a3=2ac5b2aab0d8 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd"
exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.038:49753): avc: denied { 0x100000 } for
pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196
scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.038:49753): arch=c000003e syscall=6
success=no exit=-13 a0=2ac5b2ab0710 a1=7fff0a015600 a2=7fff0a015600 a3=0
items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.042:49754): avc: denied { 0x100000 } for
pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196
scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.042:49754): arch=c000003e syscall=4
success=no exit=-13 a0=2ac5b2ab0638 a1=7fff0a015600 a2=7fff0a015600
a3=2ac5b2aab0d8 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd"
exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.042:49755): avc: denied { 0x100000 } for
pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196
scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.042:49755): arch=c000003e syscall=6
success=no exit=-13 a0=2ac5b2ab0718 a1=7fff0a015600 a2=7fff0a015600 a3=0
items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.042:49756): avc: denied { 0x100000 } for
pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196
scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.042:49756): arch=c000003e syscall=4
success=no exit=-13 a0=2ac5b2ab0658 a1=7fff0a015600 a2=7fff0a015600
a3=2ac5b2aab0d8 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd"
exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.042:49757): avc: denied { 0x100000 } for
pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196
scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.042:49757): arch=c000003e syscall=6
success=no exit=-13 a0=2ac5b2ab0740 a1=7fff0a015600 a2=7fff0a015600 a3=0
items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd"
subj=user_u:system_r:httpd_t:s0 key=(null)
```
------- Comment From sharyath.com 2009-06-18 06:35 EDT-------
Red Hat, when can we expect the patch to be included? I don't see this patch even in RHEL 5.4 Alpha. Please let us know how best we can take this issue further. Thanks, Sharyathi N

------- Comment From sharyath.com 2009-07-07 05:15 EDT-------
Red Hat, any update? Thanks

Sincere apologies for being late on this one, it slipped through the cracks. I see that it's now upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=ae6e84596e7b321d9a08e81679c6a3f799634636

I'm going to need to propose this for 5.5, I think, unless this is causing very big problems and we need to really push for it in 5.4....

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.

in kernel-2.6.18-175.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Please do NOT transition this bugzilla state to VERIFIED until our QE team has sent specific instructions indicating when to do so. However feel free to provide a comment indicating that this fix has been verified.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2010-0178.html
Description of problem:
I am getting 0x100000 permission denials for a directory. Apache is trying to read a directory that is on an eCryptfs mount.

Version-Release number of selected component (if applicable):
Patched and up to date.

How reproducible:
Always

Steps to Reproduce:
I want to serve web pages from the clear-text directory of an eCryptfs mount. I am running under SELinux. I am getting AVC denials. This is what I am doing:

1. Create two directories:
   mkdir /var/www/clear_sites /var/www/crypt_sites
2. Mount it via:
   mount -t ecryptfs -o key=passphrase:passphrase_passwd_file=/var/backup/.ecryptfs/.www,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,no_sig_cache,ecryptfs_passthrough /var/www/crypt_sites /var/www/clear_sites
3. Transfer a working web directory to /var/www/clear_sites
4. Make sure /var/www/clear_sites (and /var/www/crypt_sites, and all their respective subdirectories) are set via:
   chown root:apache
   chmod 750 or 640 or what is needed
   context is user_u:object_r:httpd_sys_content_t
5. Verify that stuff written to clear_sites is showing up in crypt_sites
6. Configure Apache:
   ```
   Alias /jv "/var/www/clear_sites/jv/"
   <Directory "/var/www/clear_sites/jv">
       Options -Indexes
       Order Allow,Deny
       Allow from 192.168.0.0/24
       Allow from localhost
       Allow from 127.0.0.1
   </Directory>
   ```
7. Restart apache: /sbin/service httpd restart
8. Point browser to http://something.somewhere.com/jv

I get a Forbidden: You don't have permission to access /jv/ on this server.
Actual results:
audit.log says:

```
type=AVC msg=audit(1236795231.038:49752): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.038:49752): arch=c000003e syscall=4 success=no exit=-13 a0=2ac5b2ab0630 a1=7fff0a015600 a2=7fff0a015600 a3=2ac5b2aab0d8 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.038:49753): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.038:49753): arch=c000003e syscall=6 success=no exit=-13 a0=2ac5b2ab0710 a1=7fff0a015600 a2=7fff0a015600 a3=0 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.042:49754): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.042:49754): arch=c000003e syscall=4 success=no exit=-13 a0=2ac5b2ab0638 a1=7fff0a015600 a2=7fff0a015600 a3=2ac5b2aab0d8 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.042:49755): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.042:49755): arch=c000003e syscall=6 success=no exit=-13 a0=2ac5b2ab0718 a1=7fff0a015600 a2=7fff0a015600 a3=0 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.042:49756): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.042:49756): arch=c000003e syscall=4 success=no exit=-13 a0=2ac5b2ab0658 a1=7fff0a015600 a2=7fff0a015600 a3=2ac5b2aab0d8 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.042:49757): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.042:49757): arch=c000003e syscall=6 success=no exit=-13 a0=2ac5b2ab0740 a1=7fff0a015600 a2=7fff0a015600 a3=0 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
```

Expected results:
I expect to see web page.

Additional info:
1. /var/www/clear_sites/jv is a directory
2. audit2why < /var/log/audit/audit | audit2allow is telling me to:
   #============= httpd_t ==============
   allow httpd_t httpd_sys_content_t:file 0x100000;
3. May be related to https://bugzilla.redhat.com/show_bug.cgi?id=163493#c4
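The raw `0x100000` in the AVC records and in the audit2allow rule above is a permission bit the running kernel had no name for, so it was printed in hex. As an added example (not code from this bug, its patch or audit2allow), the parser below decodes such bits against the reference policy's bit order for the `file` class, in which 0x100000 is `open`, and collapses repeated denials into one rule per source type, target type and class, the way audit2allow does; SAMPLE is the first AVC record of this report rejoined onto one line, and the bit table covers only the `file` class.

```python
import re
from collections import Counter

# Reference-policy bit order for the "file" class: 17 "common file"
# permissions, then the class's own. Bit 20 (0x100000) is "open".
FILE_PERMS = [
    "ioctl", "read", "write", "create", "getattr", "setattr", "lock",
    "relabelfrom", "relabelto", "append", "unlink", "link", "rename",
    "execute", "swapon", "quotaon", "mounton",
    "execute_no_trans", "entrypoint", "execmod", "open", "audit_access",
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)"
    r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# First AVC record of this bug's audit.log, on one line as auditd writes it.
SAMPLE = [
    'type=AVC msg=audit(1236795231.038:49752): avc: denied { 0x100000 } for '
    'pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 '
    'scontext=user_u:system_r:httpd_t:s0 '
    'tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file',
]

def decode_perm(token, tclass):
    """Resolve a hex token (a bit the kernel could not name) for the file class;
    bits beyond the table stay hex, and other classes pass through unchanged."""
    if not token.startswith("0x") or tclass != "file":
        return [token]
    mask = int(token, 16)
    names = [n for b, n in enumerate(FILE_PERMS) if mask & (1 << b)]
    leftover = mask >> len(FILE_PERMS) << len(FILE_PERMS)
    return names + ([hex(leftover)] if leftover else [])

def parse_avc(line):
    """Return (source type, target type, class, perms) for an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = [p for tok in m.group("perms").split()
             for p in decode_perm(tok, m.group("tclass"))]
    stype = m.group("scon").split(":")[2]  # user:role:type:level -> type
    ttype = m.group("tcon").split(":")[2]
    return stype, ttype, m.group("tclass"), tuple(perms)

def summarize(lines):
    """One rule per (source, target, class) with a denial count, in the
    shape audit2allow prints but with the permission bits decoded."""
    counts = Counter(r for r in map(parse_avc, lines) if r)
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};  # seen {n}x"
            for (s, t, c, p), n in sorted(counts.items())]
```

Run it over the whole audit.log excerpt and the six `0x100000` denials fold into a single `allow httpd_t httpd_sys_content_t:file { open };` line, which is the rule the reporter's audit2allow printed with the bit left undecoded.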