Bug 883129 - SELinux enforcement causes mod_dav to fail
Summary: SELinux enforcement causes mod_dav to fail
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-12-03 20:39 UTC by Dean Hunter
Modified: 2013-01-24 21:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-24 21:58:43 UTC
Type: Bug



Description Dean Hunter 2012-12-03 20:39:32 UTC
Description of problem:
I am testing Fedora 18 beta. I have successfully configured a server and a client with FreeIPA 3.0. I can add an Apache virtual host for WebDAV and retrieve documents with Kerberos authentication. But I cannot save documents unless I disable SELinux enforcement.

Version-Release number of selected component (if applicable):
Fedora 18 beta with all updates as of Dec 3 @ 8:00 CDT

How reproducible:
consistent

Steps to Reproduce:

1. Configure a directory on the server for the document root

  mkdir /home/apache
  mkdir /home/apache/test

  chmod -R 770 /home/apache
  chown -R apache:apache /home/apache

  semanage fcontext \
    --add \
    --type httpd_sys_content_t \
    '/home/apache(/.*)?'
  restorecon -r /home/apache

2. Configure the virtual host on the server

<VirtualHost *:80>
    ServerName dav.hunter.org
    DocumentRoot /home/apache/test
    DavLockDB /var/lib/dav/DavLock

    <Directory "/home/apache/test">
        Dav On
        ForceType text/plain

        AuthType Kerberos
        AuthName "Kerberos Login"

        KrbServiceName HTTP
        KrbAuthRealms HUNTER.ORG
        Krb5KeyTab /etc/httpd/conf/ipa.keytab
        KrbSaveCredentials on
        KrbConstrainedDelegation on

        Require valid-user
    </Directory>
</VirtualHost>

3. Try to save a document from the client

[dean@client18 ~]$ cadaver http://dav.hunter.org
Authentication required for Kerberos Login on server `dav.hunter.org':
Username: dean
Password: 
dav:/> put Recipe.html


Actual results:

1. cadaver reports:
dav:/> put Recipe.html
Uploading Recipe.html to `/Recipe.html':
Progress: [=============================>] 100.0% of 1768 bytes failed:
403 Forbidden
dav:/>

2. /etc/httpd/logs/error_log reports:
[Mon Dec 03 14:01:28.307140 2012] [dav:error] [pid 15709] [client 192.168.1.105:46969] Unable to PUT new contents for /Recipe.html.  [403, #0]
[Mon Dec 03 14:01:28.307179 2012] [dav:error] [pid 15709] (13)Permission denied: [client 192.168.1.105:46969] An error occurred while opening a resource.  [500, #0]


Expected results:

1. cadaver reports:
dav:/> put Recipe.html
Uploading Recipe.html to `/Recipe.html':
Progress: [=============================>] 100.0% of 1768 bytes succeeded.
dav:/> 

2. /etc/httpd/logs/error_log
no errors


Additional info:

[root@server ~]# ls -dlZ /home/apache
drwxrwx---. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 /home/apache
[root@server ~]# ls -dlZ /home/apache/test
drwxrwx---. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 /home/apache/test
[root@server ~]# ls -dlZ /home/apache/test/Recipe.html
-rw-r--r--. apache apache system_u:object_r:httpd_sys_content_t:s0 /home/apache/test/Recipe.html
[root@server ~]#

Comment 1 Miroslav Grepl 2012-12-04 15:00:29 UTC
What does

# ausearch -m avc

Comment 2 Dean Hunter 2012-12-04 15:28:06 UTC
I am concerned that the time stamps do not match the Apache error log, but the content of the messages seems to match:

----
time->Mon Dec  3 14:07:33 2012
type=SYSCALL msg=audit(1354565253.949:725): arch=c000003e syscall=2 success=yes exit=21 a0=7f0f7494bd50 a1=800c1 a2=1b6 a3=6 items=0 ppid=15851 pid=15857 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354565253.949:725): avc:  denied  { write } for  pid=15857 comm="httpd" path="/home/apache/test/.davfs.tmp1fb5d1" dev="dm-2" ino=131075 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1354565253.949:725): avc:  denied  { create } for  pid=15857 comm="httpd" name=".davfs.tmp1fb5d1" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1354565253.949:725): avc:  denied  { add_name } for  pid=15857 comm="httpd" name=".davfs.tmp1fb5d1" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1354565253.949:725): avc:  denied  { write } for  pid=15857 comm="httpd" name="test" dev="dm-2" ino=131074 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
----
time->Mon Dec  3 14:07:33 2012
type=SYSCALL msg=audit(1354565253.949:726): arch=c000003e syscall=82 success=yes exit=0 a0=7f0f7494bd50 a1=7f0f7494b9c0 a2=7f0f74a0ce78 a3=7ffff6edd080 items=0 ppid=15851 pid=15857 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354565253.949:726): avc:  denied  { unlink } for  pid=15857 comm="httpd" name="Recipe.html" dev="dm-2" ino=131076 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1354565253.949:726): avc:  denied  { rename } for  pid=15857 comm="httpd" name=".davfs.tmp1fb5d1" dev="dm-2" ino=131075 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1354565253.949:726): avc:  denied  { remove_name } for  pid=15857 comm="httpd" name=".davfs.tmp1fb5d1" dev="dm-2" ino=131075 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
----

Comment 3 Dean Hunter 2012-12-04 15:42:59 UTC
I just reproduced the error and now I find the time stamps match:

[dean@client18 ~]$ cadaver http://dav.hunter.org
Authentication required for Kerberos Login on server `dav.hunter.org':
Username: dean
Password: 
dav:/> get Recipe.html
Downloading `/Recipe.html' to Recipe.html:
Progress: [=============================>] 100.0% of 1768 bytes succeeded.
dav:/> put Recipe.html
Uploading Recipe.html to `/Recipe.html':
Progress: [=============================>] 100.0% of 1768 bytes failed:
403 Forbidden
dav:/> exit
Connection to `dav.hunter.org' closed.
[dean@client18 ~]$ 


[root@server ~]# tail /etc/httpd/logs/error_log
...
[Tue Dec 04 09:37:22.281506 2012] [dav:error] [pid 16462] [client 192.168.1.105:51400] Unable to PUT new contents for /Recipe.html.  [403, #0]
[Tue Dec 04 09:37:22.281548 2012] [dav:error] [pid 16462] (13)Permission denied: [client 192.168.1.105:51400] An error occurred while opening a resource.  [500, #0]
[root@server ~]# ausearch -m avc -ts recent
----
time->Tue Dec  4 09:37:22 2012
type=SYSCALL msg=audit(1354635442.279:958): arch=c000003e syscall=2 success=no exit=-13 a0=7f0f7494bd50 a1=800c1 a2=1b6 a3=6 items=0 ppid=15851 pid=16462 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354635442.279:958): avc:  denied  { write } for  pid=16462 comm="httpd" name="test" dev="dm-2" ino=131074 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
[root@server ~]#

Comment 4 Dean Hunter 2012-12-04 16:06:12 UTC
Today I am working my way through the Red Hat Enterprise Linux 6 Security-Enhanced Linux User Guide Edition 3, Chapter 8 Troubleshooting.

[root@server ~]# grep "SELinux is preventing" /var/log/messages | grep 09:37
Dec  4 09:37:22 server setroubleshoot: SELinux is preventing /usr/sbin/httpd from write access on the directory /home/apache/test. For complete SELinux messages. run sealert -l 691ec96c-4903-45f3-b99b-effb986d157f
[root@server ~]# sealert -l 691ec96c-4903-45f3-b99b-effb986d157f
SELinux is preventing /usr/sbin/httpd from write access on the directory /home/apache/test.

*****  Plugin httpd_write_content (92.2 confidence) suggests  ****************

If you want to allow httpd to have write access on the test directory
Then you need to change the label on '/home/apache/test'
Do
# semanage fcontext -a -t httpd_sys_rw_content_t '/home/apache/test'
# restorecon -v '/home/apache/test'

*****  Plugin catchall_boolean (7.83 confidence) suggests  *******************

If you want to unify HTTPD handling of all content files.
Then you must tell SELinux about this by enabling the 'httpd_unified' boolean.You can read 'httpd_selinux' man page for more details.
Do
setsebool -P httpd_unified 1

*****  Plugin catchall (1.41 confidence) suggests  ***************************

If you believe that httpd should be allowed write access on the test directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_sys_content_t:s0
Target Objects                /home/apache/test [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          server
Source RPM Packages           httpd-2.4.3-12.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-59.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     server.hunter.org
Platform                      Linux server.hunter.org 3.6.7-5.fc18.x86_64 #1 SMP
                              Tue Nov 20 19:40:08 UTC 2012 x86_64 x86_64
Alert Count                   19
First Seen                    2012-12-03 12:34:37 CST
Last Seen                     2012-12-04 09:37:22 CST
Local ID                      691ec96c-4903-45f3-b99b-effb986d157f

Raw Audit Messages
type=AVC msg=audit(1354635442.279:958): avc:  denied  { write } for  pid=16462 comm="httpd" name="test" dev="dm-2" ino=131074 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir


type=SYSCALL msg=audit(1354635442.279:958): arch=x86_64 syscall=open success=no exit=EACCES a0=7f0f7494bd50 a1=800c1 a2=1b6 a3=6 items=0 ppid=15851 pid=16462 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,httpd_sys_content_t,dir,write

audit2allow

#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'

allow httpd_t httpd_sys_content_t:dir write;

audit2allow -R

#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'

allow httpd_t httpd_sys_content_t:dir write;


[root@server ~]#

Comment 5 Dean Hunter 2012-12-04 16:54:30 UTC
SELinux is preventing /usr/sbin/httpd from write access on the directory /home/apache/test.

*****  Plugin httpd_write_content (92.2 confidence) suggests  ****************

If you want to allow httpd to have write access on the test directory
Then you need to change the label on '/home/apache/test'
Do
# semanage fcontext -a -t httpd_sys_rw_content_t '/home/apache/test'
# restorecon -v '/home/apache/test'

Changing the file context as advised by sealert (8.1 What Happens when Access is Denied) and confirmed by httpd_selinux(8) (8.3.3 Manual Pages for Services) has resolved the problem. Either httpd_sys_rw_content_t or httpd_user_rw_content_t will resolve the problem. How do I decide between the two file contexts?

Comment 6 Dean Hunter 2012-12-04 18:09:58 UTC
Now that I know what to look for, a Google search through several blogs found Red Hat Enterprise Linux 6.4 Beta Managing Confined Services Guide to configuring services under control of SELinux Edition 4, Chapter 3 The Apache HTTP Server. May I request expanding this chapter to include a discussion of the file contexts needed for directories used with mod_dav, mod_dav_fs, etc.? Especially the content and lock directories!

Comment 7 Dominick Grift 2012-12-04 18:46:17 UTC
In the user home directories always prefer the "httpd user content types":

# seinfo -t | grep httpd | grep user
   httpd_user_htaccess_t
   httpd_user_script_exec_t
   httpd_user_ra_content_t
   httpd_user_rw_content_t
   httpd_user_script_t
   httpd_user_content_t
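
As an added example (not code from this bug, from Fedora or from the selinux-policy project), the triage the thread walks through by hand, automated: parse the AVC denials quoted in comments 2 and 3, and map an httpd_t write denial on read-only httpd_sys_content_t to the narrow relabel that sealert (comment 4) and comment 7 recommend, rather than the broad httpd_unified boolean. The sample lines are copied from the bug; `under_user_home` is an assumed caller-supplied flag standing in for the home-directory decision comment 7 describes.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines quoted in comments 2 and 3 of this bug.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1354565253.949:725): avc:  denied  { write } for  pid=15857 comm="httpd" path="/home/apache/test/.davfs.tmp1fb5d1" dev="dm-2" ino=131075 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1354565253.949:725): avc:  denied  { add_name } for  pid=15857 comm="httpd" name=".davfs.tmp1fb5d1" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1354565253.949:726): avc:  denied  { rename } for  pid=15857 comm="httpd" name=".davfs.tmp1fb5d1" dev="dm-2" ino=131075 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1354635442.279:958): avc:  denied  { write } for  pid=16462 comm="httpd" name="test" dev="dm-2" ino=131074 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
"""
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)
# mod_dav_fs PUT writes a .davfs.tmp* file and renames it over the target, so it needs
# these permissions on the directory and its files; read-only httpd_sys_content_t grants none.
WRITE_PERMS = {"write", "create", "add_name", "remove_name", "unlink", "rename"}

def parse_avc(line):
    """Return the denied permissions and the SELinux types involved, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": m.group("scontext").split(":")[2],  # user:role:TYPE:level
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }

def summarize(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d:
            denials[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(denials)

def recommend(denials, path, under_user_home):
    """Map an httpd_t write denial on read-only content to the narrow relabel fix
    (sealert, comment 4; user types per comment 7), not the httpd_unified boolean.
    under_user_home is an assumed flag: the caller decides per comment 7."""
    for (stype, ttype, _), perms in denials.items():
        if stype == "httpd_t" and ttype == "httpd_sys_content_t" and perms & WRITE_PERMS:
            new_type = "httpd_user_rw_content_t" if under_user_home else "httpd_sys_rw_content_t"
            return {"type": new_type, "commands": [
                f"semanage fcontext -a -t {new_type} '{path}(/.*)?'",
                f"restorecon -Rv '{path}'"]}
    return None
```

Relabelling only the writable subtree keeps the rest of the document root read-only to httpd_t, which is the confinement the httpd_unified boolean would give up.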

Comment 8 Daniel Walsh 2012-12-05 21:09:07 UTC
Also look at

man httpd_selinux
