Annoying AVC Denial of Home Public Directory that I want to serve.

algogeek · 07-03-2008, 09:22 AM

Hello,
I wish to use Apache to list out the contents of /home/*/Public and have everything set up under Apache. However, I keep on getting an AVC denial message whenever I try to do localhost/~username/

Here are the details of the denial:

Code:

Summary:

SELinux is preventing the httpd from using potentially mislabeled files
(/home/ashesh/Public).

Detailed Description:

SELinux has denied httpd access to potentially mislabeled file(s)
(/home/ashesh/Public). This means that SELinux will not allow httpd to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want httpd to access this files, you need to relabel them using
restorecon -v '/home/ashesh/Public'. You might want to relabel the entire
directory using restorecon -R -v '/home/ashesh/Public'.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:user_home_t:s0
Target Objects                /home/ashesh/Public [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          india
Source RPM Packages           httpd-2.2.8-3
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-72.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     india
Platform                      Linux india 2.6.25.9-76.fc9.i686 #1 SMP Fri Jun 27
                              16:14:35 EDT 2008 i686 i686
Alert Count                   24
First Seen                    Thu 03 Jul 2008 06:23:32 PM IST
Last Seen                     Thu 03 Jul 2008 06:48:12 PM IST
Local ID                      c6fc378e-c98c-4905-ae58-8838896c019a
Line Numbers                  

Raw Audit Messages            

host=india type=AVC msg=audit(1215091092.896:173): avc:  denied  { getattr } for  pid=9136 comm="httpd" path="/home/ashesh/Public" dev=dm-0 ino=141283 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir

host=india type=SYSCALL msg=audit(1215091092.896:173): arch=40000003 syscall=196 success=no exit=-13 a0=b8299b00 a1=bf85346c a2=555ff4 a3=2008171 items=0 ppid=9132 pid=9136 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

I do not want to change the policy to permissive because I want a hardened server. I have also done chmod 755 for the directory many times, but it does not work. The permissions for my home directory are 711, and I am more or less certain that thats not the problem.

I have also set homedirs true under SELinux.

datopdog · 07-03-2008, 10:20 AM

use audit2allow to fix that, httpd needs to be able to get the attributes of the files in that path.

algogeek · 07-03-2008, 10:53 AM

Quote:

Originally Posted by datopdog

use audit2allow to fix that, httpd needs to be able to get the attributes of the files in that path.

But how? I'm sorry, but I have no experience with using audit2allow. I tried the man page, but it didn't prove to be too helpful.

Will audit2allow /home/<user>Public do the trick?

I tried audit2allow -a as root, but it didn't help. I'm still getting the same messages over and over again.

datopdog · 07-03-2008, 11:15 AM

You possibly need to read up abit on selinux what i am providing is just guideline, if you do not you could compromise you selinux policy

Okay, first you need to check what privilages are missing right now

Code:

grep httpd /var/log/audit/audit.log | audit2allow -R

Double check what privilages will be added to httpd, if you feel that no harm can be caused then

Code:

grep httpd /var/log/audit/audit.log | audit2allow -M localhttpd

This will create the module files in the pwd, you can then load using

Code:

semodule -i localhttpd.pp

Please note that you may need to go thru this several times as you may find that after you have added the ability to getattr httpd may require more permissions.

algogeek · 07-04-2008, 04:47 AM

Thank you for the suggestions. I browsed the web about this issue and found out that this was a context issue.

Things are working perfectly now, and for me,

Quote:

chcon -t httpd_sys_content_t <folder_name>/

did the trick. This was not a permissions issue at all. SELinux required the files and folders to be properly labelled so that httpd could read from them.

Thanks.