Hi.
I'm running CentOS 6. I have httpd running which accesses a file, but it results in access denied with the following:
type=AVC msg=audit(1410680693.979:40): avc: denied { read } for pid=987 comm="httpd" name="README.txt" dev=dm-0 ino=12573 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
However,
sesearch -A | grep 'allow httpd_t' | grep ': file' | grep user_home_t
allow httpd_t user_home_t : file { ioctl read getattr lock open } ;
allow httpd_t user_home_t : file { ioctl read getattr lock open } ;
Add the -C option to sesearch; it will show you the booleans required for that access. It will probably show a capital D at the beginning of the line, indicating the boolean is disabled.
sesearch -A -s httpd_t -t user_home_t -p read -c file -C
Found 1 semantic av rules:
DT allow httpd_t user_home_type : file { ioctl read getattr lock open } ; [ httpd_read_user_content ]
If you want to allow httpd_t to read all content in the users homedir you can turn on the httpd_read_user_content boolean.
If you want to allow it to read just certain directories/files (recommended), you should change the label on the directory. BTW, ~/public_html and ~/www already have the correct labelling.
BTW, there will be a blog post about this out tomorrow.
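Added example, not from this thread or from the SELinux tools: a small POSIX shell helper that turns an AVC record into the `sesearch -C` query from the reply and then picks out, from that query's output, the booleans whose rules are currently disabled (flag column starting with D). The AVC line and the sesearch output are constructed samples copied from the thread; the function names are mine.

```shell
#!/bin/sh
# Constructed sample AVC record, copied from the thread above.
AVC='type=AVC msg=audit(1410680693.979:40): avc: denied { read } for pid=987 comm="httpd" name="README.txt" dev=dm-0 ino=12573 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Constructed sample of `sesearch -C` output for that query. The flag column
# "DT" means: conditional rule, currently Disabled, sits in the True branch.
SESEARCH_OUT='Found 1 semantic av rules:
DT allow httpd_t user_home_type : file { ioctl read getattr lock open } ; [ httpd_read_user_content ]'

# Read one AVC record on stdin and print the sesearch query that lists the
# rules (including conditional ones, -C) which would grant the denied access.
avc_to_sesearch() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }   # source type
            if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }   # target type
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }            # object class
            if ($i == "{") {                                           # denied perms
                p = ""
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    p = (p == "") ? $j : p "," $j
                perm = p
            }
        }
        printf "sesearch -A -s %s -t %s -p %s -c %s -C\n", src, tgt, perm, cls
    }'
}

# Read `sesearch -C` output on stdin and print the boolean expression of every
# rule that is present but disabled (flag column begins with D).
disabled_booleans() {
    awk '$1 ~ /^D/ && $2 == "allow" {
        sub(/^.*\[ */, "")      # drop everything up to the opening bracket
        sub(/ *\].*$/, "")      # drop the closing bracket and anything after
        print
    }' | sort -u
}

# Stand-alone demo: derive the query, then list the booleans to review.
printf '%s\n' "$AVC" | avc_to_sesearch
printf '%s\n' "$SESEARCH_OUT" | disabled_booleans
```

On a real box you would pipe the first function's output into a shell and the resulting sesearch output into the second; whether to flip the boolean or relabel the directory instead is still the decision the reply describes.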
On 09/14/2014 03:51 AM, dE wrote:
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux