Re: SELinux & apache/httpd access to /home/*/www

Daniel J Walsh wrote:
What are the AVC messages you are seeing in the /var/log/messages file.

When starting httpd, it just fails; there are no AVC messages in /var/log. But for testing purposes I set DocumentRoot to the / root of the server, which worked. Then I tried going to /home, which didn't work: I couldn't open /home/xxxxxx or /home/xxxxxx/www.


These are the AVC's the server produced from starting the server and accessing those folders:

Sep 17 13:54:05 DONut kernel: audit(1095422045.364:0): avc: denied { getattr } for pid=1956 exe=/usr/sbin/httpd path=/misc dev=hda2 ino=7487489 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.365:0): avc: denied { getattr } for pid=1956 exe=/usr/sbin/httpd path=/boot dev=hda1 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:boot_t tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.365:0): avc: denied { getattr } for pid=1956 exe=/usr/sbin/httpd path=/backup dev=hda3 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.368:0): avc: denied { getattr } for pid=1956 exe=/usr/sbin/httpd path=/lost+found dev=hda2 ino=11 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.377:0): avc: denied { getattr } for pid=1956 exe=/usr/sbin/httpd path=/selinux dev=selinuxfs ino=760 scontext=root:system_r:httpd_t tcontext=system_u:object_r:security_t tclass=dir
Sep 17 13:54:17 DONut kernel: audit(1095422057.529:0): avc: denied { read } for pid=1959 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Sep 17 13:54:43 DONut kernel: audit(1095422083.486:0): avc: denied { read } for pid=1963 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Sep 17 13:54:46 DONut kernel: audit(1095422086.425:0): avc: denied { read } for pid=1958 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=dir


I'm not sure why it accesses /lost+found, /backup, /boot or /misc; it certainly shouldn't be.

For some reason the error messages for /home and /home/xxxxxx were different.

/home produces a standard 403 Forbidden error, while /home/xxxxxx and /home/xxxxxx/www produces a 403 + the added text "Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request."

(For this test I disabled all virtual domains and just had the main server in /. When moved to /home it still produced 403.)

Yes system-config-securitylevel, you need to upgrade to a newer version.
But you can edit the booleans file in /etc/selinux/targeted/booleans if you like and add a boolean
http_disable_trans=1, then type "setsebool http_disable_trans 1". Stop and restart the http service.


Get the AVC messages and we can get it working. audit2allow -i /var/log/messages


allow httpd_t boot_t:dir { getattr };
allow httpd_t default_t:dir { getattr };
allow httpd_t file_t:dir { getattr };
allow httpd_t home_root_t:dir { read };
allow httpd_t security_t:dir { getattr };


Here are the AVC errors from when DocumentRoot pointed to /home (again, there are no AVC errors when pointing to /home/xxxxxx/www).


Sep 17 14:09:44 DONut kernel: audit(1095422984.079:0): avc: denied { read } for pid=2221 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Sep 17 14:09:45 DONut kernel: audit(1095422985.732:0): avc: denied { read } for pid=2222 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Sep 17 14:10:00 DONut kernel: audit(1095423000.418:0): avc: denied { read } for pid=2223 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=dir


Could it be this one that's missing?

allow httpd_t home_root_t:dir { read };


Regards Kris
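The exchange above turns on reading the AVC denials and collapsing them into allow rules, which is what Dan's audit2allow step does. As an added illustration that is not part of this thread and not the audit2allow tool itself, the Python below parses AVC lines of the exact shape quoted in the message (the sample log is constructed from those lines plus one unrelated kernel line), merges permissions per source type / target type / class, and lets you pull out only the rules touching a given target type, so the one rule the /home DocumentRoot actually needs (home_root_t) can be separated from the getattr denials on boot_t, security_t and the rest that the poster already suspects are not wanted. Function and variable names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: AVC lines copied from the message above, plus one
# non-AVC kernel line to show that unrelated lines are skipped.
SAMPLE_LOG = """\
Sep 17 13:54:05 DONut kernel: audit(1095422045.365:0): avc: denied { getattr } for pid=1956 exe=/usr/sbin/httpd path=/boot dev=hda1 ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:boot_t tclass=dir
Sep 17 13:54:05 DONut kernel: audit(1095422045.377:0): avc: denied { getattr } for pid=1956 exe=/usr/sbin/httpd path=/selinux dev=selinuxfs ino=760 scontext=root:system_r:httpd_t tcontext=system_u:object_r:security_t tclass=dir
Sep 17 13:54:17 DONut kernel: audit(1095422057.529:0): avc: denied { read } for pid=1959 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Sep 17 14:09:44 DONut kernel: audit(1095422984.079:0): avc: denied { read } for pid=2221 exe=/usr/sbin/httpd name=home dev=hda2 ino=884737 scontext=root:system_r:httpd_t tcontext=system_u:object_r:home_root_t tclass=dir
Sep 17 13:54:05 DONut kernel: some unrelated kernel line
"""

# Matches the "avc: denied { perms } ... scontext=... tcontext=... tclass=..."
# layout of the 2004-era kernel audit messages quoted in the thread.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial line,
    or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # Contexts look like user:role:type[:level]; the type is the third field.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    perms = set(m.group("perms").split())
    return stype, ttype, m.group("tclass"), perms


def summarize(log_text):
    """Merge denials into {(stype, ttype, tclass): (perms, count)} so repeated
    hits (like the three home_root_t reads) show up as one rule with a count."""
    merged = {}
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        old_perms, old_count = merged.get((stype, ttype, tclass), (set(), 0))
        merged[(stype, ttype, tclass)] = (old_perms | perms, old_count + 1)
    return merged


def allow_rules(log_text):
    """Render the merged denials as policy allow rules, one per line,
    in the same form as the audit2allow output quoted in the message."""
    rules = []
    for (stype, ttype, tclass), (perms, _count) in sorted(summarize(log_text).items()):
        rules.append("allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms))))
    return rules


def rules_for_type(log_text, ttype):
    """Keep only the rules whose target type is ttype, so a reviewer can grant
    the one denial the DocumentRoot needs instead of everything audit2allow emitted."""
    return [r for r in allow_rules(log_text) if r.split()[2].startswith(ttype + ":")]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
    print("needed for /home:", rules_for_type(SAMPLE_LOG, "home_root_t"))
```

On the sample, the three home_root_t denials collapse into the single `allow httpd_t home_root_t:dir { read };` rule the poster asks about, while the getattr denials on /boot and /selinux come out as separate rules that can be dropped rather than loaded into policy.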
