Description of problem:
When installing Publican generated web packages, found that the resultant /var/www/html/docs/index.html file does not have a security context that allows it to be served by a default httpd install. When providing a deeper path (say to hostname/docs/en-US/index.html) no security context violation is detected.

Version-Release number of selected component (if applicable):
Publican 2.5.0 to generate package. Installing Red_Hat_Enterprise_Virtualization_for_Servers-Administration_Guide-2.2-web-en-US-2-2.el5 package on RHEL 5 host.

How reproducible:

Steps to Reproduce:
1. Install Red_Hat_Enterprise_Virtualization_for_Servers-Administration_Guide-2.2-web-en-US-2-2.el5 on clean RHEL5 host.
2. Install httpd
3. Allow port 80 past firewall.
4. service httpd start
5. Browse to http://hostname/docs/index.html from remote client.

Actual results:
Access denied. Apache error log contains:
[Mon Mar 28 15:54:10 2011] [error] [client 192.168.122.1] (13)Permission denied: access to /docs/index.html denied
SELinux violation detected (see additional info).

Expected results:
Access to index.html.

Additional info:

Summary:
SELinux is preventing the httpd from using potentially mislabeled files /var/www/html/docs/index.html (var_t).

Detailed Description:
SELinux has denied the httpd access to potentially mislabeled files /var/www/html/docs/index.html. This means that SELinux will not allow httpd to use these files. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access.

Allowing Access:
If you want to change the file context of /var/www/html/docs/index.html so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t '/var/www/html/docs/index.html'. You can look at the httpd_selinux man page for additional information.

Additional Information:
Source Context        root:system_r:httpd_t
Target Context        root:object_r:var_t
Target Objects        /var/www/html/docs/index.html [ file ]
Source                httpd
Source Path           /usr/sbin/httpd
Port                  <Unknown>
Host                  localhost.localdomain
Source RPM Packages   httpd-2.2.3-45.el5
Target RPM Packages
Policy RPM            selinux-policy-2.4.6-300.el5
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           httpd_bad_labels
Host Name             localhost.localdomain
Platform              Linux localhost.localdomain 2.6.18-238.5.1.el5 #1 SMP Mon Feb 21 05:52:39 EST 2011 x86_64 x86_64
Alert Count           10
First Seen            Mon 28 Mar 2011 03:54:10 PM EST
Last Seen             Mon 28 Mar 2011 04:18:29 PM EST
Local ID              6ee29ef5-2ed3-47d3-915b-34e5fff91b7f
Line Numbers

Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1301293109.781:50): avc: denied { getattr } for pid=15160 comm="httpd" path="/var/www/html/docs/index.html" dev=dm-0 ino=590744 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=file
host=localhost.localdomain type=SYSCALL msg=audit(1301293109.781:50): arch=c000003e syscall=6 success=no exit=-13 a0=2ac1cab678c0 a1=7fff042deb70 a2=7fff042deb70 a3=0 items=0 ppid=15144 pid=15160 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
This may have been fixed by the change in the way the sites are created. I don't get an unlabelled file when I install a site.

$ ls -Z /var/www/html/docs/index.html
ls: cannot access /var/www/html/docs/index.html: No such file or directory
$ sudo publican update_site
$ ls -Z /var/www/html/docs/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/docs/index.html

Rudi, can you confirm this?
Potentially, I haven't looked at it in a while as we did not end up deploying a 'full' publican site for our context sensitive help effort. I will have a go with a newer package and see if it wfm.
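As an added example that is not part of this bug report or of Publican, the label check done above with ls -Z, scripted over a constructed listing built from the contexts in the report, together with a reduction of the raw AVC record to the facts that matter. The list of httpd-readable types is an assumption, and the suggested fix is restorecon (the policy's default mapping for /var/www) rather than the one-off chcon that setroubleshoot proposes.

```shell
#!/bin/sh
# Added example, not from the bug report or Publican: audit "ls -Z" output for
# files httpd cannot read and summarise a raw AVC record. The SELinux type names
# are real; the sample listing and AVC line are constructed from this report.

# Types the targeted policy lets httpd_t read for static content (assumed
# sufficient for a docs site; the real policy allows a few more).
HTTPD_READABLE="httpd_sys_content_t httpd_sys_rw_content_t"

# Constructed sample: the mislabeled file from the report plus a correct one.
SAMPLE_LISTING='-rw-r--r--  root root root:object_r:var_t:s0 /var/www/html/docs/index.html
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/docs/en-US/index.html'

# Constructed from the raw audit message in the report.
SAMPLE_AVC='type=AVC msg=audit(1301293109.781:50): avc: denied { getattr } for pid=15160 comm="httpd" path="/var/www/html/docs/index.html" dev=dm-0 ino=590744 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=file'

# Third colon-separated field of a context: root:object_r:var_t:s0 -> var_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "ls -Z" lines (mode owner group context path) on stdin; print
# "<path> <type>" for every file whose type is not in HTTPD_READABLE.
find_mislabeled() {
    while read -r _mode _owner _group ctx path; do
        [ -n "$path" ] || continue
        t=$(selinux_type "$ctx")
        ok=0
        for allowed in $HTTPD_READABLE; do
            [ "$t" = "$allowed" ] && ok=1
        done
        [ "$ok" -eq 1 ] || printf '%s %s\n' "$path" "$t"
    done
}

# Reduce one raw AVC record to "<source type> denied { perms } on <target type> <class>".
avc_summary() {
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//')
    src=$(printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tgt=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    cls=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    printf '%s denied { %s } on %s %s\n' "$(selinux_type "$src")" "$perms" "$(selinux_type "$tgt")" "$cls"
}

# Report: restorecon reapplies the policy's default mapping for /var/www
# (httpd_sys_content_t) and survives a relabel, unlike a one-off chcon.
printf '%s\n' "$SAMPLE_LISTING" | find_mislabeled | while read -r p t; do
    echo "mislabeled $p ($t); fix: restorecon -v $p"
done
avc_summary "$SAMPLE_AVC"
```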