[SOLVED] [redhat enterprise server 4]Apache and SELinux

Wim Sturkenboom · 02-09-2009, 01:19 AM

Moderator note: this might be in a completely inappropriate forum. If so, please move.

Someone asked me to have a look at a RHEL ES 4 server. The original problem description was that "apache does not want to serve text files". After I proved them wrong, the problem is that a browser receives a 403 error when one specific file is requested.

SELinux seems to cause the problem.

error

Code:

Feb  9 08:23:15 localhost kernel: audit(1234160595.716:0): avc:  denied  { getattr } for  pid=862 exe=/usr/sbin/httpd path=/var/www/html/iptvo.txt dev=dm-0 ino=507796 scontext=user_u:system_r:httpd_t tcontext=root:object_r:var_t tclass=file

dir listing

Code:

[wim@localhost html]$ ls -l *.txt
-rw-r--r--  1 root root 44226 Feb  6 13:55 iplab.txt
-rw-r--r--  1 root root 46050 Feb  6 14:48 iptvo2.txt
-rw-r--r--  1 root root 46050 Jan 15 15:14 iptvo.txt
[wim@localhost html]$

/etc/selinux/config

Code:

SELINUX=enforcing
SELINUXTYPE=targeted

What has been done:

other text files work (checked permissions)
tried to find something that refers to iptvo.txt in the apache config
grepped files in /etc/selinux/targeted for references to txt and iptvo
read up on SELinux, but could not find what I was looking for

I'm a bit reluctant at this moment to simply rename the file (copying the file to iptvo2.txt and requesting that file does not show the issue) as it might solve the issue without me understanding what is happening

Can somebody explain and point me in the right direction to solve the issue?

PS I'm not familiar with SELinux at all (work with Slackware servers normally).

unSpawn · 02-09-2009, 06:21 PM

Try 'ls -lZ *.txt' instead? If other entities in that dir get served OK you prolly spot the difference...

I think "Feb 9 08:23:15 localhost kernel: audit(1234160595.716:0): avc: denied { getattr } for pid=862 exe=/usr/sbin/httpd path=/var/www/html/iptvo.txt dev=dm-0 ino=507796 scontext=user_u:system_r:httpd_t tcontext=root

bject_r:var_t tclass=file" loosely translates as "(the kernel) denied (a process with) context httpd_t (to) { getattr } (a) file (having) context var_t". Running any sealert messages or AVC through 'audit2allow' should return a line that could be expressed as

Code:

module myFirstLocalPolicyModule 0.1;

require {
	type httpd_t;
	type var_t;
	class file { read getattr };
}

allow httpd_t var_t:file getattr;

in policy language if you need to tweak a local policy, but it would be smarter (wrt consistency) to 'chcon' the file to the context of the other files in that dir. Since they're all webserver content that would be "httpd_sys_content_t".

Wim Sturkenboom · 02-09-2009, 10:00 PM

Thanks unSpawn for the tip on ls -lZ as well as the command to change the context.

As reference for others

Code:

[root@localhost html]# ls -lZ *.txt
-rw-r--r--  root     root     root:object_r:httpd_sys_content_t iplab.txt
-rw-r--r--  root     root     root:object_r:httpd_sys_content_t iptvo2.txt
-rw-r--r--  root     root     root:object_r:var_t              iptvo.txt
[root@localhost html]#

Code:

[root@localhost html]# chcon root:object_r:httpd_sys_content_t iptvo.txt
[root@localhost html]# ls -lZ *.txt
-rw-r--r--  root     root     root:object_r:httpd_sys_content_t iplab.txt
-rw-r--r--  root     root     root:object_r:httpd_sys_content_t iptvo2.txt
-rw-r--r--  root     root     root:object_r:httpd_sys_content_t iptvo.txt
[root@localhost html]#