Bug 783836 - SELinux boolean httpd_enable_homedirs (and httpd_read_user_content) doesn't allow access to Music (audio_home_t)
Summary: SELinux boolean httpd_enable_homedirs (and httpd_read_user_content) doesn't a...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2012-01-22 17:42 UTC by John Thacker
Modified: 2012-01-31 22:03 UTC (History)

Fixed In Version: selinux-policy-3.10.0-74.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-01-31 22:03:10 UTC


Description John Thacker 2012-01-22 17:42:35 UTC
Description of problem:
The SELinux boolean httpd_enable_homedirs (and combined with httpd_read_user_content) is supposed to allow access to user home directories.  It allows access to context user_home_t, but it doesn't allow access to context audio_home_t, which is the context of ~/Music.  There are plenty of reasons why users may want to make their Music directories (or a symbolic link to them) visible under Apache, but it is impossible.  httpd_enable_homedirs should also allow access to audio_home_t labeled files and dirs.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure Apache httpd.conf to allow UserDir access and follow Symlinks.
2. ln -s ~/Music ~/public_html/Music
3. setsebool -P httpd_enable_homedirs 1 httpd_read_user_content 1
4. chcon -R -t httpd_sys_content_t ~/public_html
5. Browse to "~/"

Actual results:
Directory listing of all files in public_html, including symlinks to locations in home directory, *except* for Music.  The following entry in /var/log/audit/audit.log:

type=AVC msg=audit(1327252544.527:1518): avc:  denied  { read } for  pid=903 comm="httpd" name="Music" dev=dm-2 ino=16613395 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:audio_home_t:s0 tclass=dir

Expected results:
Music home directory should also be listed.

Additional info:
Yes, I suppose I can put my music somewhere else other than Music/, but it seems like a waste to have a special SELinux context that doesn't do what I want for music.  If I want httpd to have access to user home directories, then surely I want it to be able to access audio_home_t as well as user_home_t labeled files.
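
An added example, not part of this bug report: a small Python triage script that parses AVC records of the form quoted above and picks out denials where httpd_t was refused access to a home-directory type, so an administrator can see at a glance whether a denial is one the httpd_enable_homedirs / httpd_read_user_content booleans should have covered (as with audio_home_t here) rather than an unrelated policy issue. The quoted record is the one from this report; the other log lines are constructed.

```python
import re
from dataclasses import dataclass

# The AVC record quoted in the report above (split across lines for readability).
SAMPLE_AVC = (
    'type=AVC msg=audit(1327252544.527:1518): avc:  denied  { read } for  pid=903 '
    'comm="httpd" name="Music" dev=dm-2 ino=16613395 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:audio_home_t:s0 tclass=dir'
)
# Constructed companions: a non-AVC record, and an httpd_t denial on
# httpd_sys_content_t, which is not a home-directory type and must be filtered out.
SAMPLE_LOG = "\n".join([
    'type=SYSCALL msg=audit(1327252544.527:1518): arch=c000003e syscall=257 success=no',
    SAMPLE_AVC,
    'type=AVC msg=audit(1327252600.100:1519): avc:  denied  { write } for  pid=903 '
    'comm="httpd" name="index.html" dev=dm-2 ino=1 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file',
])

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

@dataclass
class AvcRecord:
    serial: int
    result: str       # "denied" or "granted"
    perms: list       # permissions inside { ... }, e.g. ["read"]
    fields: dict      # pid, comm, name, scontext, tcontext, tclass, ...
    source_type: str  # type component of scontext, e.g. httpd_t
    target_type: str  # type component of tcontext, e.g. audio_home_t

def parse_avc(line):
    """Parse one audit line into an AvcRecord; return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcRecord(int(m.group("serial")), m.group("result"),
                     m.group("perms").split(), fields,
                     fields["scontext"].split(":")[2], fields["tcontext"].split(":")[2])

def httpd_homedir_denials(log_text):
    """Denials of httpd_t on any *_home_t type: the accesses that the
    httpd_enable_homedirs / httpd_read_user_content booleans are meant to cover."""
    recs = (parse_avc(ln) for ln in log_text.splitlines())
    return [r for r in recs if r and r.result == "denied"
            and r.source_type == "httpd_t" and r.target_type.endswith("_home_t")]
```

Run it over /var/log/audit/audit.log after setting the booleans: any record still returned by httpd_homedir_denials points at a type the policy does not yet permit, which on Fedora 16 meant audio_home_t until selinux-policy-3.10.0-74.fc16.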

Comment 1 Miroslav Grepl 2012-01-23 12:24:16 UTC
I added a fix to Rawhide. Will backport.

Comment 2 Fedora Update System 2012-01-26 18:16:39 UTC
selinux-policy-3.10.0-74.fc16 has been submitted as an update for Fedora 16.

Comment 3 John Thacker 2012-01-27 03:53:37 UTC
Thanks, I tried the submitted package and it fixed the problem.

Comment 4 Miroslav Grepl 2012-01-27 06:23:53 UTC
Could you update karma, please?

Comment 5 John Thacker 2012-01-27 12:46:25 UTC
I'd love to, only I can't remember my Fedora account username (though I know the associated email address).  The "forgot password" link requires that you know both your email address *and* username in order to reset the password.  Unlike other websites, there's no option for retrieving username based on email address.  It won't let me create another account for my email address because that email address is already in use.

I know my bugzilla account, obviously, since I've used that more.

If I comment on the update without logging in, it won't get real karma.

My apologies.

Comment 6 Fedora Update System 2012-01-28 03:29:41 UTC
Package selinux-policy-3.10.0-74.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-74.fc16'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2012-01-31 22:03:10 UTC
selinux-policy-3.10.0-74.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
