Description of problem:
I am getting 0x100000 permission denials for a directory. Apache is trying to read a directory that is on an eCryptfs mount.

Version-Release number of selected component (if applicable):
Patched and up to date.

How reproducible:
Always

Steps to Reproduce:
I want to serve web pages from the clear-text directory of an eCryptfs mount. I am running under SELinux. I am getting AVC denials. This is what I am doing:

1. Create two directories:
   mkdir /var/www/clear_sites /var/www/crypt_sites
2. Mount it via:
   mount -t ecryptfs -o key=passphrase:passphrase_passwd_file=/var/backup/.ecryptfs/.www,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,no_sig_cache,ecryptfs_passthrough /var/www/crypt_sites /var/www/clear_sites
3. Transfer a working web directory to /var/www/clear_sites
4. Make sure /var/www/clear_sites (and /var/www/crypt_sites, and all their respective subdirectories) are set via:
   chown root:apache
   chmod 750 or 640 or what is needed
   context is user_u:object_r:httpd_sys_content_t
5. Verify that stuff written to clear_sites is showing up in crypt_sites
6. Configure Apache:
   Alias /jv "/var/www/clear_sites/jv/"
   <Directory "/var/www/clear_sites/jv">
       Options -Indexes
       Order Allow,Deny
       Allow from 192.168.0.0/24
       Allow from localhost
       Allow from 127.0.0.1
   </Directory>
7. Restart apache:
   /sbin/service httpd restart
8. Point browser to http://something.somewhere.com/jv
   I get a Forbidden: You don't have permission to access /jv/ on this server.
Actual results:
audit.log says:

type=AVC msg=audit(1236795231.038:49752): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.038:49752): arch=c000003e syscall=4 success=no exit=-13 a0=2ac5b2ab0630 a1=7fff0a015600 a2=7fff0a015600 a3=2ac5b2aab0d8 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.038:49753): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.038:49753): arch=c000003e syscall=6 success=no exit=-13 a0=2ac5b2ab0710 a1=7fff0a015600 a2=7fff0a015600 a3=0 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.042:49754): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.042:49754): arch=c000003e syscall=4 success=no exit=-13 a0=2ac5b2ab0638 a1=7fff0a015600 a2=7fff0a015600 a3=2ac5b2aab0d8 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.042:49755): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.042:49755): arch=c000003e syscall=6 success=no exit=-13 a0=2ac5b2ab0718 a1=7fff0a015600 a2=7fff0a015600 a3=0 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.042:49756): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.042:49756): arch=c000003e syscall=4 success=no exit=-13 a0=2ac5b2ab0658 a1=7fff0a015600 a2=7fff0a015600 a3=2ac5b2aab0d8 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.042:49757): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.042:49757): arch=c000003e syscall=6 success=no exit=-13 a0=2ac5b2ab0740 a1=7fff0a015600 a2=7fff0a015600 a3=0 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)

Expected results:
I expect to see web page.

Additional info:
1. /var/www/clear_sites/jv is a directory
2. audit2why < /var/log/audit/audit | audit2allow is telling me to:
   #============= httpd_t ==============
   allow httpd_t httpd_sys_content_t:file 0x100000;
3. May be related to https://bugzilla.redhat.com/show_bug.cgi?id=163493#c4
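An added triage helper for audit output like the above (not part of this report or of eCryptfs): it joins each AVC record with its SYSCALL record by serial and separates denials the policy can express from ones printed as a raw bit. In the kernel's file class, 0x100000 is the bit assigned to the open permission, shown numerically when the running kernel or loaded policy has no name for it, and stat/lstat (syscalls 4 and 6 on x86_64) do not open anything themselves, so such a denial is a filesystem or version problem that the audit2allow rule above cannot fix. The sample records are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample shaped like the records in this report: two eCryptfs denials, one ordinary one.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1236795231.038:49752): avc:  denied  { 0x100000 } for  pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.038:49752): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1236795231.038:49753): avc:  denied  { 0x100000 } for  pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.038:49753): arch=c000003e syscall=6 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1236795300.000:49800): avc:  denied  { read } for  pid=31658 comm="httpd" name="index.html" dev=sda1 ino=12 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

REC_RE = re.compile(r'type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STAT_CALLS = {4: 'stat', 5: 'fstat', 6: 'lstat'}  # x86_64 (arch=c000003e) syscall numbers

def parse_records(text):
    events = defaultdict(lambda: {'AVC': [], 'SYSCALL': None})  # keyed by audit serial
    for m in filter(None, map(REC_RE.match, text.splitlines())):
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if rtype == 'AVC':
            pm = re.search(r'denied\s+\{([^}]*)\}', body)
            fields['perms'] = pm.group(1).split() if pm else []
            events[int(serial)]['AVC'].append(fields)
        elif rtype == 'SYSCALL':
            events[int(serial)]['SYSCALL'] = fields
    return events

def triage(text):
    groups, calls = Counter(), defaultdict(set)  # denial key -> count, denial key -> syscall numbers
    for ev in parse_records(text).values():
        for avc in ev['AVC']:
            key = (avc['scontext'], avc['tcontext'], avc['tclass'], tuple(avc['perms']))
            groups[key] += 1
            if ev['SYSCALL'] and ev['SYSCALL'].get('arch') == 'c000003e':
                calls[key].add(int(ev['SYSCALL']['syscall']))
    findings = []
    for key, n in sorted(groups.items()):
        raw = [p for p in key[3] if p.startswith('0x')]  # bits the kernel printed without a name
        if not raw:
            verdict = 'ordinary denial: verify the file label before changing policy'
        elif key[2] == 'file' and '0x100000' in raw and calls[key] and calls[key] <= set(STAT_CALLS):
            names = '/'.join(STAT_CALLS[c] for c in sorted(calls[key]))
            verdict = 'open bit 0x100000 checked during %s, which opens nothing itself: suspect the filesystem (eCryptfs here), not httpd; allowing 0x100000 fixes nothing' % names
        else:
            verdict = 'unnamed permission bit %s: compare kernel and policy versions instead of pasting the audit2allow rule' % ' '.join(raw)
        findings.append({'count': n, 'scontext': key[0], 'tcontext': key[1], 'tclass': key[2],
                         'perms': key[3], 'syscalls': sorted(calls[key]), 'verdict': verdict})
    return findings
```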
I have a tested patch attached to https://bugs.launchpad.net/ecryptfs/+bug/341355 that fixes this problem. I will send the patch upstream soon.
Created attachment 335388 [details] Fix
Attached Tyler Hicks' patch to have local copy inside RedHat bugzilla
Thanks; moving this to the kernel component and myself ....
I wanted to mention that it was a little late in the cycle for me to want to push this into 2.6.29. It is in my queue for 2.6.30.
------- Comment From tyhicks.ibm.com 2009-03-18 19:00 EDT-------
---Problem Description---
I am getting 0x100000 permission denials for a directory. Apache is trying to read a directory that is on an eCryptfs mount.
------- Comment From sharyath.com 2009-06-18 06:35 EDT-------
Red Hat,
When can we expect the patch to be included? I don't see this patch even in RHEL 5.4 Alpha. Please let us know how best we can take this issue further.
Thanks,
Sharyathi N
------- Comment From sharyath.com 2009-07-07 05:15 EDT-------
Red Hat,
Any update?
Thanks
Sincere apologies for being late on this one, it slipped through the cracks. I see that it's now upstream: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=ae6e84596e7b321d9a08e81679c6a3f799634636 I'm going to need to propose this for 5.5, I think, unless this is causing very big problems and we need to really push for it in 5.4....
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
in kernel-2.6.18-175.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Please do NOT transition this bugzilla state to VERIFIED until our QE team has sent specific instructions indicating when to do so. However feel free to provide a comment indicating that this fix has been verified.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0178.html