Andrew Z wrote:
Daniel J Walsh wrote:
Andrew Z wrote:
Is there a SELinux policy for use with WebDAV? I have the WebDAV
working correctly with Apache and Cadaver, but SELinux prevents
writing. I have noticed that there are at least two issues. First,
SELinux prevents Apache from writing to httpd_sys_content_t.
Second, Apache needs to update its locking database. I don't want
to allow write access to all httpd_sys_content_t.
type=AVC msg=audit(1126138296.843:56): avc: denied { write } for
pid=3525 comm="httpd" name="lockdb.dir" dev=hda7 ino=1011851
scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:var_lib_t tclass=file
type=SYSCALL msg=audit(1126138296.843:56): arch=40000003 syscall=5
success=yes exit=11 a0=8675e00 a1=42 a2=1b6 a3=886a6c0 items=1
pid=3525 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=CWD msg=audit(1126138296.843:56): cwd="/"
type=PATH msg=audit(1126138296.843:56): item=0
name="/var/lib/dav/lockdb.dir" flags=310 inode=1006106 dev=03:07
mode=040700 ouid=48 ogid=48 rdev=00:00
type=AVC msg=audit(1126138520.634:58): avc: denied { write } for
pid=3526 comm="httpd" name="lockdb.dir" dev=hda7 ino=1011851
scontext=system_u:system_r:httpd_t
tcontext=system_u:object_r:var_lib_t tclass=file
type=SYSCALL msg=audit(1126138520.634:58): arch=40000003 syscall=5
success=yes exit=11 a0=867dc20 a1=42 a2=1b6 a3=867fbd8 items=1
pid=3526 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=CWD msg=audit(1126138520.634:58): cwd="/"
type=PATH msg=audit(1126138520.634:58): item=0
name="/var/lib/dav/lockdb.dir" flags=310 inode=1006106 dev=03:07
mode=040700 ouid=48 ogid=48 rdev=00:00
try
chcon -R -t httpd_sys_script_rw_t /var/lib/dav
Daniel,
Thank you, that worked nicely.
Is there also a type for writable directories that solves the next
problem? This is creating and writing a file to bar to a directory
/var/www/html/dav:
type=AVC msg=audit(1126183941.896:260): avc: denied { write } for
pid=20312 comm="httpd" name="dav" dev=hda7 ino=1011845
scontext=root:system_r:httpd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=AVC msg=audit(1126183941.896:260): avc: denied { add_name }
for pid=20312 comm="httpd" name="a" scontext=root:system_r:httpd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=AVC msg=audit(1126183941.896:260): avc: denied { create } for
pid=20312 comm="httpd" name="a" scontext=root:system_r:httpd_t
tcontext=root:object_r:httpd_sys_content_t tclass=file
type=SYSCALL msg=audit(1126183941.896:260): arch=40000003 syscall=5
success=yes exit=14 a0=94dca08 a1=241 a2=1b6 a3=94dce58 items=1
pid=20312 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=CWD msg=audit(1126183941.896:260): cwd="/"
type=PATH msg=audit(1126183941.896:260): item=0
name="/var/www/html/dav/foo" flags=310 inode=1011845 dev=03:07
mode=040775 ouid=500 ogid=48 rdev=00:00
type=AVC msg=audit(1126183941.896:261): avc: denied { write } for
pid=20312 comm="httpd" name="a" dev=hda7 ino=1011998
scontext=root:system_r:httpd_t
tcontext=root:object_r:httpd_sys_content_t tclass=file
type=SYSCALL msg=audit(1126183941.896:261): arch=40000003 syscall=4
success=yes exit=28 a0=e a1=94ddb40 a2=1c a3=94dce58 items=0 pid=20312
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=AVC_PATH msg=audit(1126183941.896:261):
path="/var/www/html/dav/foo"
Andrew
I would try the same thing.
chcon -R -t httpd_sys_script_rw_t /var/www/html/dav
--
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
