LinuxQuestions.org
Old 07-03-2008, 08:22 AM   #1
algogeek
Member
 
Registered: Apr 2008
Distribution: Fedora 9, Ubuntu 8.04, Ubuntu 8.04 Server
Posts: 103

Rep: Reputation: 15
Annoying AVC Denial of Home Public Directory that I want to serve.


Hello,
I wish to use Apache to list out the contents of /home/*/Public and have everything set up under Apache. However, I keep on getting an AVC denial message whenever I try to do localhost/~username/

Here are the details of the denial:


Code:
Summary:

SELinux is preventing the httpd from using potentially mislabeled files
(/home/ashesh/Public).

Detailed Description:

SELinux has denied httpd access to potentially mislabeled file(s)
(/home/ashesh/Public). This means that SELinux will not allow httpd to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want httpd to access this files, you need to relabel them using
restorecon -v '/home/ashesh/Public'. You might want to relabel the entire
directory using restorecon -R -v '/home/ashesh/Public'.

Additional Information:

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:user_home_t:s0
Target Objects                /home/ashesh/Public [ dir ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          india
Source RPM Packages           httpd-2.2.8-3
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-72.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     india
Platform                      Linux india 2.6.25.9-76.fc9.i686 #1 SMP Fri Jun 27
                              16:14:35 EDT 2008 i686 i686
Alert Count                   24
First Seen                    Thu 03 Jul 2008 06:23:32 PM IST
Last Seen                     Thu 03 Jul 2008 06:48:12 PM IST
Local ID                      c6fc378e-c98c-4905-ae58-8838896c019a
Line Numbers                  

Raw Audit Messages            

host=india type=AVC msg=audit(1215091092.896:173): avc:  denied  { getattr } for  pid=9136 comm="httpd" path="/home/ashesh/Public" dev=dm-0 ino=141283 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir

host=india type=SYSCALL msg=audit(1215091092.896:173): arch=40000003 syscall=196 success=no exit=-13 a0=b8299b00 a1=bf85346c a2=555ff4 a3=2008171 items=0 ppid=9132 pid=9136 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
I do not want to change the policy to permissive because I want a hardened server. I have also done chmod 755 for the directory many times, but it does not work. The permissions for my home directory are 711, and I am more or less certain that that's not the problem.

I have also set homedirs true under SELinux.
 
Old 07-03-2008, 09:20 AM   #2
datopdog
Member
 
Registered: Feb 2008
Location: JHB South Africa
Distribution: Centos, Kubuntu, Cross LFS, OpenSolaris
Posts: 806

Rep: Reputation: 41
Use audit2allow to fix that; httpd needs to be able to get the attributes of the files in that path.
 
Old 07-03-2008, 09:53 AM   #3
algogeek
Member
 
Registered: Apr 2008
Distribution: Fedora 9, Ubuntu 8.04, Ubuntu 8.04 Server
Posts: 103

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by datopdog
use audit2allow to fix that, httpd needs to be able to get the attributes of the files in that path.
But how? I'm sorry, but I have no experience with using audit2allow. I tried the man page, but it didn't prove to be too helpful.

Will audit2allow /home/<user>Public do the trick?

I tried audit2allow -a as root, but it didn't help. I'm still getting the same messages over and over again.

Last edited by algogeek; 07-03-2008 at 09:56 AM.
 
Old 07-03-2008, 10:15 AM   #4
datopdog
Member
 
Registered: Feb 2008
Location: JHB South Africa
Distribution: Centos, Kubuntu, Cross LFS, OpenSolaris
Posts: 806

Rep: Reputation: 41
You possibly need to read up a bit on SELinux; what I am providing is just a guideline. If you do not, you could compromise your SELinux policy.

Okay, first you need to check what privileges are missing right now

Code:
grep httpd /var/log/audit/audit.log | audit2allow -R
Double check what privileges will be added to httpd; if you feel that no harm can be caused, then

Code:
grep httpd /var/log/audit/audit.log | audit2allow -M localhttpd
This will create the module files in the pwd; you can then load it using

Code:
semodule -i localhttpd.pp
Please note that you may need to go through this several times, as you may find that after you have added the ability to getattr, httpd may require more permissions.
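An added example for the review step in post #4 (this is not code from any of the posters). It reads raw AVC records like the one in post #1 and summarises what audit2allow would be asked to permit, so the generated rule can be judged before a module is loaded. For the denial in post #1, audit2allow would emit `allow httpd_t user_home_t:dir getattr;`, and because user_home_t is the label on every user's home directory, that rule widens the web server's reach far beyond /home/*/Public; the `recommend` function flags such targets as a labelling problem instead, which is where post #5 ended up. The first sample line is copied from post #1; the second is constructed here to show a multi-permission denial on a tmp label. The `generate_module` function wraps post #4's commands and only runs where policycoreutils is installed.

```shell
#!/bin/sh
# Added example for this LinuxQuestions thread, not code from the posters.
# Sample 1 is the AVC record from post #1; sample 2 is constructed for illustration.
SAMPLE_AVC1='host=india type=AVC msg=audit(1215091092.896:173): avc:  denied  { getattr } for  pid=9136 comm="httpd" path="/home/ashesh/Public" dev=dm-0 ino=141283 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir'
SAMPLE_AVC2='type=AVC msg=audit(1215091100.000:174): avc:  denied  { read getattr } for  pid=9136 comm="httpd" name="index.html" dev=dm-0 ino=141290 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file'

# avc_summary: audit records on stdin -> one line per denial:
#   <source type> <permissions, comma-joined> <target type> <object class> <path or name>
avc_summary() {
    awk '/type=AVC/ && /denied/ {
        stype = "-"; ttype = "-"; tclass = "-"; path = "-"
        perms = $0
        sub(/.*denied *[{] */, "", perms)   # drop everything before the permission set
        sub(/ *[}].*/, "", perms)           # drop everything after it
        gsub(/ /, ",", perms)               # "read getattr" -> "read,getattr"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") { split(kv[2], s, ":"); stype = s[3] }
            if (kv[1] == "tcontext") { split(kv[2], t, ":"); ttype = t[3] }
            if (kv[1] == "tclass") tclass = kv[2]
            if (kv[1] == "path" || (kv[1] == "name" && path == "-")) {
                path = kv[2]; gsub(/"/, "", path)
            }
        }
        printf "%s %s %s %s %s\n", stype, perms, ttype, tclass, path
    }'
}

# recommend: a denial whose target carries a generic home or tmp label is a
# labelling problem (fix the label, as post #5 did). Allowing httpd_t to touch
# user_home_t would let the web server into every user's home directory.
recommend() {
    case "$1" in
        user_home_t|user_home_dir_t|home_root_t|tmp_t|user_tmp_t) echo relabel ;;
        *) echo review ;;
    esac
}

# generate_module: post #4's procedure, with the .te shown for review before
# anything is loaded. Needs policycoreutils and read access to the audit log.
generate_module() {
    name="$1"
    command -v audit2allow >/dev/null 2>&1 || {
        echo "audit2allow not installed; nothing generated" >&2
        return 1
    }
    grep httpd /var/log/audit/audit.log | audit2allow -M "$name" >/dev/null
    cat "$name.te"                  # every allow rule here becomes permanent policy
    echo "load with: semodule -i $name.pp"
}

printf '%s\n%s\n' "$SAMPLE_AVC1" "$SAMPLE_AVC2" | avc_summary |
while read -r stype perms ttype tclass path; do
    echo "$stype denied $perms on $tclass $path (label $ttype): $(recommend "$ttype")"
done
```

Run it as-is to see the two summaries; on a Fedora host, `grep httpd /var/log/audit/audit.log | avc_summary` gives the same view of the live log, and `generate_module localhttpd` is post #4's pipeline with the generated .te printed for reading before `semodule -i`.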
 
Old 07-04-2008, 03:47 AM   #5
algogeek
Member
 
Registered: Apr 2008
Distribution: Fedora 9, Ubuntu 8.04, Ubuntu 8.04 Server
Posts: 103

Original Poster
Rep: Reputation: 15
Thank you for the suggestions. I browsed the web about this issue and found out that this was a context issue.

Things are working perfectly now, and for me,
Quote:
chcon -t httpd_sys_content_t <folder_name>/
did the trick. This was not a permissions issue at all. SELinux required the files and folders to be properly labelled so that httpd could read from them.

Thanks.
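An added example following up on post #5 (not code from any of the posters). chcon changes only the label stored on the inode; the next restorecon or a filesystem relabel puts back whatever the policy's file-context rules say, which for /home/<user>/Public is user_home_t, so the denial returns (this is also why the troubleshooter's own restorecon advice in post #1 could not help). Recording a rule with `semanage fcontext` makes the httpd_sys_content_t label permanent, and the script below generalises it to every user's Public directory, which is what post #1 asked for. It assumes the Fedora/RHEL tool set (semanage, restorecon, matchpathcon, getsebool); where those are absent or the caller is not root it only prints the commands it would run.

```shell
#!/bin/sh
# Added example for this LinuxQuestions thread, not code from the posters.
# Persistent equivalent of post #5's "chcon -t httpd_sys_content_t <folder_name>/".

# fcontext_regex: /home/<user>/<dir>[/] -> a file-context regex matching that
# directory for every user, plus everything beneath it.
fcontext_regex() {
    case "$1" in
        /home/*/*) ;;
        *) echo "expected /home/<user>/<dir>, got: $1" >&2; return 1 ;;
    esac
    sub=${1#/home/*/}          # strip /home/<user>/
    sub=${sub%/}               # tolerate a trailing slash
    [ -n "$sub" ] || { echo "no directory below the home directory in: $1" >&2; return 1; }
    printf '/home/[^/]+/%s(/.*)?\n' "$sub"
}

# label_commands: print the two commands that replace the chcon.
label_commands() {
    regex=$(fcontext_regex "$1") || return 1
    type=${2:-httpd_sys_content_t}   # the type post #5 found httpd could read
    printf "semanage fcontext -a -t %s '%s'\n" "$type" "$regex"
    printf "restorecon -R -v '%s'\n" "$1"
}

# apply_labels: run them (modifying the rule if it already exists), then check
# the resulting default label and the boolean that lets httpd serve ~user URLs
# at all (post #1 had already turned it on).
apply_labels() {
    regex=$(fcontext_regex "$1") || return 1
    semanage fcontext -a -t httpd_sys_content_t "$regex" 2>/dev/null ||
        semanage fcontext -m -t httpd_sys_content_t "$regex"
    restorecon -R -v "$1"
    matchpathcon "$1"                # expect ...:object_r:httpd_sys_content_t:s0
    getsebool httpd_enable_homedirs  # must read "on"; otherwise: setsebool -P httpd_enable_homedirs on
}

target=${1:-/home/ashesh/Public}     # directory from post #1; pass another as argument
if command -v semanage >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    apply_labels "$target"
else
    echo "# not root or semanage unavailable; commands that would run for $target:"
    label_commands "$target"
fi
```

After `restorecon`, `ls -Zd /home/ashesh/Public` should show httpd_sys_content_t, and a later `restorecon` or relabel now keeps that label instead of reverting it to user_home_t. Files users drop into the directory afterwards inherit the label from the directory, so the `chcon` does not have to be repeated per file.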
 
  


Tags
apache, avc, fedora, permission

