Description of problem:
I am testing Fedora 18 beta. I have successfully configured a server and a client with FreeIPA 3.0. I can add an Apache virtual host for WebDAV and retrieve documents with Kerberos authentication. But I cannot save documents unless I disable SELinux enforcement.

Version-Release number of selected component (if applicable):
Fedora 18 beta with all updates as of Dec 3 @ 8:00 CDT

How reproducible:
consistent

Steps to Reproduce:
1. Configure a directory on the server for the document root

    mkdir /home/apache
    mkdir /home/apache/test
    chmod -R 770 /home/apache
    chown -R apache:apache /home/apache
    semanage fcontext \
        --add \
        --type httpd_sys_content_t \
        '/home/apache(/.*)?'
    restorecon -r /home/apache

2. Configure the virtual host on the server

    <VirtualHost *:80>
        ServerName dav.hunter.org
        DocumentRoot /home/apache/test
        DavLockDB /var/lib/dav/DavLock
        <Directory "/home/apache/test">
            Dav On
            ForceType text/plain
            AuthType Kerberos
            AuthName "Kerberos Login"
            KrbServiceName HTTP
            KrbAuthRealms HUNTER.ORG
            Krb5KeyTab /etc/httpd/conf/ipa.keytab
            KrbSaveCredentials on
            KrbConstrainedDelegation on
            Require valid-user
        </Directory>
    </VirtualHost>

3. Try to save a document from the client

    [dean@client18 ~]$ cadaver http://dav.hunter.org
    Authentication required for Kerberos Login on server `dav.hunter.org':
    Username: dean
    Password:
    dav:/> put Recipe.html

Actual results:
1. cadaver reports:

    dav:/> put Recipe.html
    Uploading Recipe.html to `/Recipe.html':
    Progress: [=============================>] 100.0% of 1768 bytes failed:
    403 Forbidden
    dav:/>

2. /etc/httpd/logs/error_log reports:

    [Mon Dec 03 14:01:28.307140 2012] [dav:error] [pid 15709] [client 192.168.1.105:46969] Unable to PUT new contents for /Recipe.html. [403, #0]
    [Mon Dec 03 14:01:28.307179 2012] [dav:error] [pid 15709] (13)Permission denied: [client 192.168.1.105:46969] An error occurred while opening a resource. [500, #0]

Expected results:
1. cadaver reports:

    dav:/> put Recipe.html
    Uploading Recipe.html to `/Recipe.html':
    Progress: [=============================>] 100.0% of 1768 bytes succeeded.
    dav:/>

2. /etc/httpd/logs/error_log: no errors

Additional info:

    [root@server ~]# ls -dlZ /home/apache
    drwxrwx---. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 /home/apache
    [root@server ~]# ls -dlZ /home/apache/test
    drwxrwx---. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 /home/apache/test
    [root@server ~]# ls -dlZ /home/apache/test/Recipe.html
    -rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 /home/apache/test/Recipe.html
    [root@server ~]#
What does # ausearch -m avc
I am concerned that the time stamps do not match the Apache error log, but the content of the messages seems to match:

----
time->Mon Dec 3 14:07:33 2012
type=SYSCALL msg=audit(1354565253.949:725): arch=c000003e syscall=2 success=yes exit=21 a0=7f0f7494bd50 a1=800c1 a2=1b6 a3=6 items=0 ppid=15851 pid=15857 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354565253.949:725): avc: denied { write } for pid=15857 comm="httpd" path="/home/apache/test/.davfs.tmp1fb5d1" dev="dm-2" ino=131075 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1354565253.949:725): avc: denied { create } for pid=15857 comm="httpd" name=".davfs.tmp1fb5d1" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1354565253.949:725): avc: denied { add_name } for pid=15857 comm="httpd" name=".davfs.tmp1fb5d1" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1354565253.949:725): avc: denied { write } for pid=15857 comm="httpd" name="test" dev="dm-2" ino=131074 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
----
time->Mon Dec 3 14:07:33 2012
type=SYSCALL msg=audit(1354565253.949:726): arch=c000003e syscall=82 success=yes exit=0 a0=7f0f7494bd50 a1=7f0f7494b9c0 a2=7f0f74a0ce78 a3=7ffff6edd080 items=0 ppid=15851 pid=15857 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354565253.949:726): avc: denied { unlink } for pid=15857 comm="httpd" name="Recipe.html" dev="dm-2" ino=131076 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1354565253.949:726): avc: denied { rename } for pid=15857 comm="httpd" name=".davfs.tmp1fb5d1" dev="dm-2" ino=131075 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1354565253.949:726): avc: denied { remove_name } for pid=15857 comm="httpd" name=".davfs.tmp1fb5d1" dev="dm-2" ino=131075 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
----
I just reproduced the error and now I find the time stamps match:

[dean@client18 ~]$ cadaver http://dav.hunter.org
Authentication required for Kerberos Login on server `dav.hunter.org':
Username: dean
Password:
dav:/> get Recipe.html
Downloading `/Recipe.html' to Recipe.html:
Progress: [=============================>] 100.0% of 1768 bytes succeeded.
dav:/> put Recipe.html
Uploading Recipe.html to `/Recipe.html':
Progress: [=============================>] 100.0% of 1768 bytes failed:
403 Forbidden
dav:/> exit
Connection to `dav.hunter.org' closed.
[dean@client18 ~]$

[root@server ~]# tail /etc/httpd/logs/error_log
...
[Tue Dec 04 09:37:22.281506 2012] [dav:error] [pid 16462] [client 192.168.1.105:51400] Unable to PUT new contents for /Recipe.html. [403, #0]
[Tue Dec 04 09:37:22.281548 2012] [dav:error] [pid 16462] (13)Permission denied: [client 192.168.1.105:51400] An error occurred while opening a resource. [500, #0]
[root@server ~]# ausearch -m avc -ts recent
----
time->Tue Dec 4 09:37:22 2012
type=SYSCALL msg=audit(1354635442.279:958): arch=c000003e syscall=2 success=no exit=-13 a0=7f0f7494bd50 a1=800c1 a2=1b6 a3=6 items=0 ppid=15851 pid=16462 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354635442.279:958): avc: denied { write } for pid=16462 comm="httpd" name="test" dev="dm-2" ino=131074 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
[root@server ~]#
Today I am working my way through the Red Hat Enterprise Linux 6 Security-Enhanced Linux User Guide Edition 3, Chapter 8 Troubleshooting.

[root@server ~]# grep "SELinux is preventing" /var/log/messages | grep 09:37
Dec 4 09:37:22 server setroubleshoot: SELinux is preventing /usr/sbin/httpd from write access on the directory /home/apache/test. For complete SELinux messages. run sealert -l 691ec96c-4903-45f3-b99b-effb986d157f
[root@server ~]# sealert -l 691ec96c-4903-45f3-b99b-effb986d157f
SELinux is preventing /usr/sbin/httpd from write access on the directory /home/apache/test.

***** Plugin httpd_write_content (92.2 confidence) suggests ****************

If you want to allow httpd to have write access on the test directory
Then you need to change the label on '/home/apache/test'
Do
# semanage fcontext -a -t httpd_sys_rw_content_t '/home/apache/test'
# restorecon -v '/home/apache/test'

***** Plugin catchall_boolean (7.83 confidence) suggests *******************

If you want to unify HTTPD handling of all content files.
Then you must tell SELinux about this by enabling the 'httpd_unified' boolean.
You can read 'httpd_selinux' man page for more details.
Do
setsebool -P httpd_unified 1

***** Plugin catchall (1.41 confidence) suggests ***************************

If you believe that httpd should be allowed write access on the test directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_sys_content_t:s0
Target Objects                /home/apache/test [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          server
Source RPM Packages           httpd-2.4.3-12.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-59.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server.hunter.org
Platform                      Linux server.hunter.org 3.6.7-5.fc18.x86_64 #1 SMP Tue Nov 20 19:40:08 UTC 2012 x86_64 x86_64
Alert Count                   19
First Seen                    2012-12-03 12:34:37 CST
Last Seen                     2012-12-04 09:37:22 CST
Local ID                      691ec96c-4903-45f3-b99b-effb986d157f

Raw Audit Messages
type=AVC msg=audit(1354635442.279:958): avc: denied { write } for pid=16462 comm="httpd" name="test" dev="dm-2" ino=131074 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

type=SYSCALL msg=audit(1354635442.279:958): arch=x86_64 syscall=open success=no exit=EACCES a0=7f0f7494bd50 a1=800c1 a2=1b6 a3=6 items=0 ppid=15851 pid=16462 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,httpd_sys_content_t,dir,write

audit2allow

#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:dir write;

audit2allow -R

#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:dir write;

[root@server ~]#
SELinux is preventing /usr/sbin/httpd from write access on the directory /home/apache/test.

***** Plugin httpd_write_content (92.2 confidence) suggests ****************

If you want to allow httpd to have write access on the test directory
Then you need to change the label on '/home/apache/test'
Do
# semanage fcontext -a -t httpd_sys_rw_content_t '/home/apache/test'
# restorecon -v '/home/apache/test'

Changing the file context as advised by sealert (8.1 What Happens when Access is Denied) and confirmed by httpd_selinux(8) (8.3.3 Manual Pages for Services) has resolved the problem. Either httpd_sys_rw_content_t or httpd_user_rw_content_t will resolve the problem. How do I decide between the two file contexts?
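A small triage helper, added here as an example and not part of the bug report or of any Fedora tool: it condenses AVC records like the ones quoted above into the comm,source type,target type,class,permission tuple that setroubleshoot prints on its Hash: line, and flags the modifying denials on httpd_sys_content_t that the httpd_write_content plugin answered with an httpd_sys_rw_content_t relabel. The sample records are constructed from the denials in this report, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report): reduce raw AVC records to the
# "comm,source type,target type,class,permission" tuples that setroubleshoot
# prints as its "Hash:" line, then flag the ones sealert's httpd_write_content
# plugin would answer with an httpd_sys_rw_content_t relabel.

# Constructed sample, modelled on the denials quoted in the report.
SAMPLE_AVC='type=AVC msg=audit(1354635442.279:958): avc:  denied  { write } for  pid=16462 comm="httpd" name="test" dev="dm-2" ino=131074 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1354635442.279:958): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354565253.949:725): avc:  denied  { create } for  pid=15857 comm="httpd" name=".davfs.tmp1fb5d1" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1354565253.949:726): avc:  denied  { unlink } for  pid=15857 comm="httpd" name="Recipe.html" dev="dm-2" ino=131076 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_summary: AVC records on stdin -> one "comm,stype,ttype,tclass,perm" line per
# denied permission, deduplicated. Only the type field of each context is kept,
# so the dir (unconfined_u) and file (system_u) targets collapse onto one type.
avc_summary() {
    sed -n 's/.*avc: *denied *{ *\([^}]*\)} *for .*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):[^ ]* *tcontext=[^:]*:[^:]*:\([^:]*\):[^ ]* *tclass=\([a-z_]*\).*/\2 \3 \4 \5 \1/p' |
    awk '{ for (i = 5; i <= NF; i++) print $1 "," $2 "," $3 "," $4 "," $i }' |
    sort -u
}

# rw_relabel_needed: keep only tuples where httpd_t was denied a modifying
# permission on httpd_sys_content_t, i.e. content that should carry
# httpd_sys_rw_content_t if httpd is meant to write there (the sealert advice).
rw_relabel_needed() {
    avc_summary |
    awk -F, '$2 == "httpd_t" && $3 == "httpd_sys_content_t" &&
             $5 ~ /^(write|create|add_name|remove_name|unlink|rename)$/ {
                 print $4 ":" $5 " -> relabel target as httpd_sys_rw_content_t" }'
}

summarise_sample()   { printf '%s\n' "$SAMPLE_AVC" | avc_summary; }
relabel_for_sample() { printf '%s\n' "$SAMPLE_AVC" | rw_relabel_needed; }

# On a live host: ausearch -m avc -ts recent | avc_summary
```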
Now that I know what to look for, a Google search through several blogs found the Red Hat Enterprise Linux 6.4 Beta Managing Confined Services Guide (to configuring services under control of SELinux), Edition 4, Chapter 3, The Apache HTTP Server. May I request expanding this chapter to include a discussion of the file contexts needed for directories used with mod_dav, mod_dav_fs, etc.? Especially the content and lock directories!
In user home directories, always prefer the "httpd user content types":

# seinfo -t | grep httpd | grep user
   httpd_user_htaccess_t
   httpd_user_script_exec_t
   httpd_user_ra_content_t
   httpd_user_rw_content_t
   httpd_user_script_t
   httpd_user_content_t
Also look at man httpd_selinux.