Summary: SELinux is preventing /usr/sbin/lighttpd from using potentially mislabeled files /media/User/www/localhost/docroot/dokuwiki. Detailed Description: SELinux has denied the lighttpd access to potentially mislabeled files /media/User/www/localhost/docroot/dokuwiki. This means that SELinux will not allow httpd to use these files. If httpd should be allowed this access to these files you should change the file context to one of the following types, dbusd_etc_t, httpd_squirrelmail_t, httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, rpm_log_t, var_log_t, samba_var_t, avahi_var_run_t, net_conf_t, httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_rw_content_t, httpd_w3c_validator_content_t, httpd_nagios_rw_content_t, public_content_t, httpd_nutups_cgi_rw_content_t, httpd_cobbler_script_exec_t, anon_inodefs_t, sysctl_kernel_t, home_root_t, httpd_modules_t, httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t, cert_type, mysqld_var_run_t, httpd_sys_content_t, abrt_var_run_t, httpd_var_lib_t, httpd_var_run_t, httpd_squid_rw_content_t, nscd_var_run_t, nslcd_var_run_t, sssd_var_lib_t, mysqld_db_t, httpd_apcupsd_cgi_content_t, httpd_prewikka_content_t, gitosis_var_lib_t, httpd_smokeping_cgi_rw_content_t, var_t, httpd_apcupsd_cgi_rw_content_t, httpd_munin_content_t, httpd_squid_content_t, setrans_var_run_t, httpd_awstats_script_exec_t, mailman_archive_t, sysctl_crypto_t, httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t, public_content_rw_t, var_lock_t, sysctl_t, sysctl_t, abrt_t, bin_t, bin_t, mailman_data_t, httpd_cobbler_content_t, httpd_t, httpd_munin_script_exec_t, logfile, lib_t, lib_t, mnt_t, mnt_t, httpd_w3c_validator_script_exec_t, system_dbusd_var_lib_t, system_dbusd_var_run_t, httpd_prewikka_rw_content_t, root_t, httpd_user_script_exec_t, squirrelmail_spool_t, httpd_bugzilla_content_t, tmp_t, tmp_t, usr_t, usr_t, var_t, var_t, httpd_nagios_script_exec_t, httpd_apcupsd_cgi_script_exec_t, cobbler_var_lib_t, nagios_etc_t, nagios_log_t, sssd_public_t, httpd_awstats_rw_content_t, httpd_squid_script_exec_t, httpd_w3c_validator_rw_content_t, cluster_conf_t, winbind_var_run_t, likewise_var_lib_t, httpd_bugzilla_script_exec_t, autofs_t, device_t, device_t, devpts_t, fonts_cache_t, locale_t, httpd_log_t, etc_t, etc_t, fonts_t, proc_t, proc_t, sysfs_t, tmpfs_t, httpd_awstats_content_t, krb5_conf_t, rpm_script_tmp_t, httpd_user_rw_content_t, httpd_nutups_cgi_content_t, sysctl_net_t, var_lib_t, httpd_config_t, security_t, httpd_cobbler_rw_content_t, calamaris_www_t, httpd_prewikka_script_exec_t, var_spool_t, httpd_cache_t, httpd_tmpfs_t, httpd_sys_script_exec_t, iso9660_t, httpd_munin_rw_content_t, udev_tbl_t, httpd_tmp_t, rpm_tmp_t, httpd_git_script_exec_t, smokeping_var_lib_t, var_lib_t, var_run_t, var_run_t, httpd_cvs_script_exec_t, mysqld_etc_t, configfile, cvs_data_t, user_home_t, httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_w3c_validator_content_t, httpd_nagios_ra_content_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t, httpd_cobbler_script_exec_t, home_root_t, httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t, nscd_var_run_t, pcscd_var_run_t, httpd_apcupsd_cgi_content_t, httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, root_t, httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t, httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t, httpd_cobbler_content_t, httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t, httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t, httpd_user_script_exec_t, httpd_bugzilla_content_t, var_t, var_t, httpd_nagios_script_exec_t, httpd_apcupsd_cgi_script_exec_t, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, user_home_dir_t, httpd_squid_script_exec_t, httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, httpd_bugzilla_script_exec_t, httpd_awstats_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_nutups_cgi_content_t, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t, httpd_sys_script_exec_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t, httpd_git_script_exec_t, var_run_t, var_run_t, httpd_cvs_script_exec_t, user_home_type. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access. Allowing Access: If you want to change the file context of /media/User/www/localhost/docroot/dokuwiki so that the httpd daemon can access it, you need to execute it using semanage fcontext -a -t FILE_TYPE '/media/User/www/localhost/docroot/dokuwiki'. where FILE_TYPE is one of the following: dbusd_etc_t, httpd_squirrelmail_t, httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, rpm_log_t, var_log_t, samba_var_t, avahi_var_run_t, net_conf_t, httpd_cvs_rw_content_t, httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_rw_content_t, httpd_w3c_validator_content_t, httpd_nagios_rw_content_t, public_content_t, httpd_nutups_cgi_rw_content_t, httpd_cobbler_script_exec_t, anon_inodefs_t, sysctl_kernel_t, home_root_t, httpd_modules_t, httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t, cert_type, mysqld_var_run_t, httpd_sys_content_t, abrt_var_run_t, httpd_var_lib_t, httpd_var_run_t, httpd_squid_rw_content_t, nscd_var_run_t, nslcd_var_run_t, sssd_var_lib_t, mysqld_db_t, httpd_apcupsd_cgi_content_t, httpd_prewikka_content_t, gitosis_var_lib_t, httpd_smokeping_cgi_rw_content_t, var_t, httpd_apcupsd_cgi_rw_content_t, httpd_munin_content_t, httpd_squid_content_t, setrans_var_run_t, httpd_awstats_script_exec_t, mailman_archive_t, sysctl_crypto_t, httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t, public_content_rw_t, var_lock_t, sysctl_t, sysctl_t, abrt_t, bin_t, bin_t, mailman_data_t, httpd_cobbler_content_t, httpd_t, httpd_munin_script_exec_t, logfile, lib_t, lib_t, mnt_t, mnt_t, httpd_w3c_validator_script_exec_t, system_dbusd_var_lib_t, system_dbusd_var_run_t, httpd_prewikka_rw_content_t, root_t, httpd_user_script_exec_t, squirrelmail_spool_t, httpd_bugzilla_content_t, tmp_t, tmp_t, usr_t, usr_t, var_t, var_t, httpd_nagios_script_exec_t, httpd_apcupsd_cgi_script_exec_t, cobbler_var_lib_t, nagios_etc_t, nagios_log_t, sssd_public_t, httpd_awstats_rw_content_t, httpd_squid_script_exec_t, httpd_w3c_validator_rw_content_t, cluster_conf_t, winbind_var_run_t, likewise_var_lib_t, httpd_bugzilla_script_exec_t, autofs_t, device_t, device_t, devpts_t, fonts_cache_t, locale_t, httpd_log_t, etc_t, etc_t, fonts_t, proc_t, proc_t, sysfs_t, tmpfs_t, httpd_awstats_content_t, krb5_conf_t, rpm_script_tmp_t, httpd_user_rw_content_t, httpd_nutups_cgi_content_t, sysctl_net_t, var_lib_t, httpd_config_t, security_t, httpd_cobbler_rw_content_t, calamaris_www_t, httpd_prewikka_script_exec_t, var_spool_t, httpd_cache_t, httpd_tmpfs_t, httpd_sys_script_exec_t, iso9660_t, httpd_munin_rw_content_t, udev_tbl_t, httpd_tmp_t, rpm_tmp_t, httpd_git_script_exec_t, smokeping_var_lib_t, var_lib_t, var_run_t, var_run_t, httpd_cvs_script_exec_t, mysqld_etc_t, configfile, cvs_data_t, user_home_t, httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_nutups_cgi_script_exec_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_w3c_validator_content_t, httpd_nagios_ra_content_t, httpd_nagios_rw_content_t, httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t, httpd_cobbler_script_exec_t, home_root_t, httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t, nscd_var_run_t, pcscd_var_run_t, httpd_apcupsd_cgi_content_t, httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, root_t, httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t, httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t, httpd_cobbler_content_t, httpd_munin_script_exec_t, httpd_w3c_validator_script_exec_t, httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t, httpd_user_script_exec_t, httpd_bugzilla_content_t, var_t, var_t, httpd_nagios_script_exec_t, httpd_apcupsd_cgi_script_exec_t, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, user_home_dir_t, httpd_squid_script_exec_t, httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, httpd_bugzilla_script_exec_t, httpd_awstats_content_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_nutups_cgi_content_t, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t, httpd_prewikka_script_exec_t, httpd_sys_script_exec_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t, httpd_git_script_exec_t, var_run_t, var_run_t, httpd_cvs_script_exec_t, user_home_type. You can look at the httpd_selinux man page for additional information. Additional Information: Source Context unconfined_u:system_r:httpd_t:s0 Target Context system_u:object_r:fusefs_t:s0 Target Objects /media/User/www/localhost/docroot/dokuwiki [ dir ] Source lighttpd Source Path /usr/sbin/lighttpd Port <Unknown> Host (removed) Source RPM Packages lighttpd-1.4.26-2.fc13 Target RPM Packages Policy RPM selinux-policy-3.7.19-51.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name httpd_bad_labels Host Name (removed) Platform Linux (removed) 2.6.34.6-47.fc13.x86_64 #1 SMP Fri Aug 27 08:56:01 UTC 2010 x86_64 x86_64 Alert Count 1 First Seen Tue 07 Sep 2010 09:44:08 PM EDT Last Seen Tue 07 Sep 2010 09:44:08 PM EDT Local ID 258ff9a4-a382-451a-8012-3f09a12e8233 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1283910248.103:24303): avc: denied { getattr } for pid=2237 comm="lighttpd" path="/media/User/www/localhost/docroot/dokuwiki" dev=sda3 ino=39088 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir node=(removed) type=SYSCALL msg=audit(1283910248.103:24303): arch=c000003e syscall=4 success=no exit=-13 a0=277b5b0 a1=7fff253939e0 a2=7fff253939e0 a3=3d0132a020 items=0 ppid=1 pid=2237 auid=500 uid=487 gid=480 euid=487 suid=487 fsuid=487 egid=480 sgid=480 fsgid=480 tty=(none) ses=1 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) Hash String generated from httpd_bad_labels,lighttpd,httpd_t,fusefs_t,dir,getattr audit2allow suggests: #============= httpd_t ============== allow httpd_t fusefs_t:dir getattr;
More background information: I am trying to serve to myself (for development purposes) some php content that is stored on an ntfs-3g (based on FUSE) mount via lighttpd. I set up a symlink from the standard docroot to the ntfs-3g mount. Lighttpd happily follows the symlink, but selinux intervenes. First, SeLinux gives this error: ====================================== ============FIRST ERROR=============== ====================================== Summary: SELinux is preventing /usr/sbin/lighttpd "search" access to /media/User. Detailed Description: SELinux denied access requested by lighttpd. /media/User may be a mislabeled. /media/User default SELinux type is mnt_t, but its current type is fusefs_t. Changing this file back to the default type, may fix your problem. File contexts can be assigned to a file in the following ways. * Files created in a directory receive the file context of the parent directory by default. * The SELinux policy might override the default label inherited from the parent directory by specifying a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhclient_t type and creating a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this. * Users can change the file context on a file using tools such as chcon, or restorecon. This file could have been mislabeled either by user error, or if an normally confined application was run under the wrong domain. However, this might also indicate a bug in SELinux because the file should not have been labeled with this type. If you believe this is a bug, please file a bug report against this package. Allowing Access: You can restore the default system context to this file by executing the restorecon command. restorecon '/media/User', if this file is a directory, you can recursively restore using restorecon -R '/media/User'. Fix Command: /sbin/restorecon '/media/User' Additional Information: Source Context unconfined_u:system_r:httpd_t:s0 Target Context system_u:object_r:fusefs_t:s0 Target Objects /media/User [ dir ] Source lighttpd Source Path /usr/sbin/lighttpd Port <Unknown> Host slackhappy Source RPM Packages lighttpd-1.4.26-2.fc13 Target RPM Packages Policy RPM selinux-policy-3.7.19-51.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name restorecon Host Name slackhappy Platform Linux slackhappy 2.6.34.6-47.fc13.x86_64 #1 SMP Fri Aug 27 08:56:01 UTC 2010 x86_64 x86_64 Alert Count 2 First Seen Tue 07 Sep 2010 07:58:09 PM EDT Last Seen Tue 07 Sep 2010 09:20:30 PM EDT Local ID b17e2cca-2acb-4961-b063-985782856d91 Line Numbers Raw Audit Messages node=slackhappy type=AVC msg=audit(1283908830.534:24296): avc: denied { search } for pid=2237 comm="lighttpd" name="/" dev=sda3 ino=5 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir node=slackhappy type=SYSCALL msg=audit(1283908830.534:24296): arch=c000003e syscall=4 success=no exit=-13 a0=277b5b0 a1=7fff253939e0 a2=7fff253939e0 a3=40 items=0 ppid=1 pid=2237 auid=500 uid=487 gid=480 euid=487 suid=487 fsuid=487 egid=480 sgid=480 fsgid=480 tty=(none) ses=1 comm="lighttpd" exe="/usr/sbin/lighttpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null) ====================================== =============== END FIRST ERROR ====== ====================================== The exact audit log message is this: type=AVC msg=audit(1283903889.178:27): avc: denied { search } for pid=2635 comm="lighttpd" name="/" dev=sda3 ino=5 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir I worked around this using # grep fusefs_t /var/log/audit/audit.log | audit2allow -M allowwebfuse # semodule -i allowwebfuse.pp I believe that my scenario is actually a valid one, especially for a developer that must switch between Windows and Linux.
This works, though it is an approximation of the needed permissions ======FILE allowhttpdfuse.te =============== module allowhttpdfuse 1.0; require { type httpd_t; type fusefs_t; class dir { relabelto relabelfrom getattr open search write read remove_name add_name create setattr rmdir }; class file { relabelto relabelfrom getattr open execute execute_no_trans read write ioctl append unlink create rename lock setattr link }; } allow httpd_t fusefs_t:dir { getattr search read write add_name remove_name create setattr rmdir open }; allow httpd_t fusefs_t:file { getattr execute execute_no_trans read ioctl append write setattr rename create unlink open }; =============END FILE ======================= $ checkmodule -M -m -o allowhttpdfuse.mod allowhttpdfuse.te $ semodule_package -o allowhttpdfuse.pp -m allowhttpdfuse.mod # semodule -i allowhttpdfuse.pp
You might be able to setup this mounted file system using the context option context="system_u:object_r:httpd_sys_content_rw_t:s0" Which would allow httpd to read/write this disk. But your solution works also. I will not add this to policy.