Hi,
I've just tested webdav in enforcing mode on Fedora Devel and it doesn't work:
- apache needs rw access on /srv (don't know where the default dav root should be, I put it in srv since it seems the FHS wants this kind of stuff there)
type=AVC msg=audit(1130749513.951:3772): avc: denied { read } for pid=11759 comm="httpd" name="nim" dev=dm-0 ino=1048598 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1130749513.951:3772): arch=c000003e syscall=2 success=no exit=-13 a0=5555558ca410 a1=10800 a2=5555558c7ff8 a3=5555558c58a7 items=1 pid=11759 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
- it also needs rw access to its default /var/lib/dav/lockdb.dir
type=AVC msg=audit(1130749738.930:3777): avc: denied { write } for pid=11766 comm="httpd" name="lockdb.dir" dev=dm-0 ino=2392524 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1130749738.930:3777): arch=c000003e syscall=2 success=no exit=-13 a0=5555558c7580 a1=42 a2=1b6 a3=3 items=1 pid=11766 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=CWD msg=audit(1130749738.930:3777): cwd="/"
type=PATH msg=audit(1130749738.930:3777): item=0 name="/var/lib/dav/lockdb.dir" flags=310 inode=2392223 dev=fd:00 mode=040700 ouid=48 ogid=48 rdev=00:00
On another topic, I still have spamassassin procmail problems:
type=CWD msg=audit(1130749836.551:3779): cwd="/home/nim/.maildir"
type=PATH msg=audit(1130749836.551:3779): item=0 name="/usr/bin/spamc" flags=1 inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1130749839.979:3780): avc: denied { execute } for pid=11852 comm="procmail" name="spamc" dev=dm-0 ino=3349141 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1130749839.979:3780): arch=c000003e syscall=59 success=no exit=-13 a0=51c1d1 a1=51c170 a2=51bfc0 a3=51c1d1 items=1 pid=11852 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="procmail" exe="/usr/bin/procmail"
type=CWD msg=audit(1130749839.979:3780): cwd="/home/nim/.maildir"
type=PATH msg=audit(1130749839.979:3780): item=0 name="/usr/bin/spamc" flags=101 inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1130749839.983:3781): avc: denied { getattr } for pid=11852 comm="sh" name="spamc" dev=dm-0 ino=3349141 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1130749839.983:3781): arch=c000003e syscall=4 success=no exit=-13 a0=6bf780 a1=7fffffefb5c0 a2=7fffffefb5c0 a3=2 items=1 pid=11852 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="sh" exe="/bin/bash"
type=AVC_PATH msg=audit(1130749839.983:3781): path="/usr/bin/spamc"
type=CWD msg=audit(1130749839.983:3781): cwd="/home/nim/.maildir"
type=PATH msg=audit(1130749839.983:3781): item=0 name="/usr/bin/spamc" flags=1 inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
Package versions:
selinux-policy-targeted-1.27.2-10 libselinux-1.27.17-1
Regards,
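As an added example (not code from this thread, nor from the Fedora SELinux tools), here is a small Python triage script that parses AVC records like the ones quoted above, joins each denial to the PATH record with the same audit serial, and separates denials on a generic label (var_t, var_lib_t: the directory needs an httpd-accessible type, which is what the replies in this thread address) from denials where the rule itself is absent in policy (postfix_local_t executing spamc_exec_t, which no relabeling of /usr/bin/spamc would fix). The sample records are copied from the message above; the GENERIC_TYPES list and the relabel/policy split are this example's own assumed heuristic.

```python
"""Triage SELinux AVC denials from audit-log records.

Added example, not code from the thread. The sample records are copied from
the denials quoted in the message above; GENERIC_TYPES and the
relabel/policy classification are this example's own assumptions.
"""
import re
from collections import defaultdict

# Audit records copied from the thread, one record per line (constructed input).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1130749513.951:3772): avc: denied { read } for pid=11759 comm="httpd" name="nim" dev=dm-0 ino=1048598 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1130749738.930:3777): avc: denied { write } for pid=11766 comm="httpd" name="lockdb.dir" dev=dm-0 ino=2392524 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=PATH msg=audit(1130749738.930:3777): item=0 name="/var/lib/dav/lockdb.dir" flags=310 inode=2392223 dev=fd:00 mode=040700 ouid=48 ogid=48 rdev=00:00
type=AVC msg=audit(1130749839.979:3780): avc: denied { execute } for pid=11852 comm="procmail" name="spamc" dev=dm-0 ino=3349141 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=PATH msg=audit(1130749839.979:3780): item=0 name="/usr/bin/spamc" flags=101 inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
"""

# AVC record: audit serial, the denied permission set, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc: +denied +'
    r'\{ (?P<perms>[^}]+) \} for (?P<fields>.*)$'
)
# key=value pairs; values may be quoted ("httpd") or bare (dm-0, var_t contexts).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# PATH record: the absolute path the syscall actually touched.
PATH_RE = re.compile(
    r'type=PATH msg=audit\([\d.]+:(?P<serial>\d+)\): .*?\bname="(?P<name>[^"]*)"'
)

# Generic labels that carry no application-specific rules. A denial on one of
# these usually means the object lives where the policy assigns no dedicated
# type (assumed list for this example, covering the thread's cases).
GENERIC_TYPES = {'var_t', 'var_lib_t', 'usr_t', 'etc_t', 'default_t', 'file_t', 'unlabeled_t'}


def parse_audit(text):
    """Return one dict per AVC denial, with the PATH name of the same serial."""
    denials, paths = {}, {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
            serial = int(m.group('serial'))
            denials[serial] = {
                'serial': serial,
                'perms': sorted(m.group('perms').split()),
                'comm': fields.get('comm'),
                'name': fields.get('name'),
                # user:role:type:level -> the type is the third component
                'source_type': fields['scontext'].split(':')[2],
                'target_type': fields['tcontext'].split(':')[2],
                'tclass': fields.get('tclass'),
            }
            continue
        m = PATH_RE.match(line)
        if m:
            # keep item=0, the first PATH record for this serial
            paths.setdefault(int(m.group('serial')), m.group('name'))
    for serial, d in denials.items():
        d['path'] = paths.get(serial)
    return [denials[s] for s in sorted(denials)]


def classify(target_type):
    """'relabel' when the target carries a generic label; 'policy' otherwise
    (the source domain lacks a rule for that specific type, so relabeling
    the object would not help)."""
    return 'relabel' if target_type in GENERIC_TYPES else 'policy'


def triage(denials):
    """Group denials by (source domain, target type, class) and attach an action."""
    groups = defaultdict(lambda: {'perms': set(), 'paths': set()})
    for d in denials:
        g = groups[(d['source_type'], d['target_type'], d['tclass'])]
        g['perms'].update(d['perms'])
        if d['path']:
            g['paths'].add(d['path'])
    return [
        {'key': key, 'perms': sorted(g['perms']), 'paths': sorted(g['paths']),
         'action': classify(key[1])}
        for key, g in sorted(groups.items())
    ]


if __name__ == '__main__':
    for row in triage(parse_audit(SAMPLE_AUDIT)):
        src, tgt, cls = row['key']
        print(f"{src} -> {tgt} ({cls}) {row['perms']} {row['paths']}: {row['action']}")
```

Run as-is it reports the two httpd denials as relabel candidates (with /var/lib/dav/lockdb.dir resolved from its PATH record) and the procmail one as a policy gap; feeding it a real audit.log works the same way, since each record already sits on its own line there.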
Nicolas Mailhot wrote:
Hi,
I've just tested webdav in enforcing mode on Fedora Devel and it doesn't work:
- apache needs rw access on /srv (don't know where the default dav root
should be, I put it in srv since it seems the FHS wants this kind of stuff there)
type=AVC msg=audit(1130749513.951:3772): avc: denied { read } for pid=11759 comm="httpd" name="nim" dev=dm-0 ino=1048598 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0 tclass=dir
type=SYSCALL msg=audit(1130749513.951:3772): arch=c000003e syscall=2 success=no exit=-13 a0=5555558ca410 a1=10800 a2=5555558c7ff8 a3=5555558c58a7 items=1 pid=11759 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
You need to change the context of those directories so that httpd can read/write them
chcon -R -t httpd_sys_script_rw_t /var/lib/dav
http://fedora.redhat.com/docs/selinux-apache-fc3/
Has a good description of how to use httpd and selinux.
- it also needs rw access to its default /var/lib/dav/lockdb.dir
type=AVC msg=audit(1130749738.930:3777): avc: denied { write } for pid=11766 comm="httpd" name="lockdb.dir" dev=dm-0 ino=2392524 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1130749738.930:3777): arch=c000003e syscall=2 success=no exit=-13 a0=5555558c7580 a1=42 a2=1b6 a3=3 items=1 pid=11766 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=CWD msg=audit(1130749738.930:3777): cwd="/"
type=PATH msg=audit(1130749738.930:3777): item=0 name="/var/lib/dav/lockdb.dir" flags=310 inode=2392223 dev=fd:00 mode=040700 ouid=48 ogid=48 rdev=00:00
On another topic, I still have spamassassin procmail problems:
type=CWD msg=audit(1130749836.551:3779): cwd="/home/nim/.maildir"
type=PATH msg=audit(1130749836.551:3779): item=0 name="/usr/bin/spamc" flags=1 inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1130749839.979:3780): avc: denied { execute } for pid=11852 comm="procmail" name="spamc" dev=dm-0 ino=3349141 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1130749839.979:3780): arch=c000003e syscall=59 success=no exit=-13 a0=51c1d1 a1=51c170 a2=51bfc0 a3=51c1d1 items=1 pid=11852 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="procmail" exe="/usr/bin/procmail"
type=CWD msg=audit(1130749839.979:3780): cwd="/home/nim/.maildir"
type=PATH msg=audit(1130749839.979:3780): item=0 name="/usr/bin/spamc" flags=101 inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1130749839.983:3781): avc: denied { getattr } for pid=11852 comm="sh" name="spamc" dev=dm-0 ino=3349141 scontext=system_u:system_r:postfix_local_t:s0 tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1130749839.983:3781): arch=c000003e syscall=4 success=no exit=-13 a0=6bf780 a1=7fffffefb5c0 a2=7fffffefb5c0 a3=2 items=1 pid=11852 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="sh" exe="/bin/bash"
type=AVC_PATH msg=audit(1130749839.983:3781): path="/usr/bin/spamc"
type=CWD msg=audit(1130749839.983:3781): cwd="/home/nim/.maildir"
type=PATH msg=audit(1130749839.983:3781): item=0 name="/usr/bin/spamc" flags=1 inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
Package versions:
selinux-policy-targeted-1.27.2-10 libselinux-1.27.17-1
Regards,
On Monday 31 October 2005 at 11:05 -0500, Daniel J Walsh wrote:
You need to change the context of those directories so that httpd can read/write them
chcon -R -t httpd_sys_script_rw_t /var/lib/dav
http://fedora.redhat.com/docs/selinux-apache-fc3/
Has a good description of how to use httpd and selinux.
Thanks for the info!
However, since one of the directories is defined in the httpd.conf Red Hat ships, and the other is in the FHS, shouldn't they be part of the default policy?
Regards,
Nicolas Mailhot wrote:
On Monday 31 October 2005 at 11:05 -0500, Daniel J Walsh wrote:
You need to change the context of those directories so that httpd can read/write them
chcon -R -t httpd_sys_script_rw_t /var/lib/dav
http://fedora.redhat.com/docs/selinux-apache-fc3/
Has a good description of how to use httpd and selinux.
Thanks for the info!
However, since one of the directories is defined in the httpd.conf Red Hat ships, and the other is in the FHS, shouldn't they be part of the default policy?
Regards,
Ok, if I change the context to be httpd_var_lib_t does that work?
chcon -R -t httpd_var_lib_t /var/lib/dav
Daniel J Walsh wrote:
Nicolas Mailhot wrote:
On Monday 31 October 2005 at 11:05 -0500, Daniel J Walsh wrote:
You need to change the context of those directories so that httpd can read/write them
chcon -R -t httpd_sys_script_rw_t /var/lib/dav
http://fedora.redhat.com/docs/selinux-apache-fc3/
Has a good description of how to use httpd and selinux.
Thanks for the info!
However, since one of the directories is defined in the httpd.conf Red Hat ships, and the other is in the FHS, shouldn't they be part of the default policy?
Regards,
Ok, if I change the context to be httpd_var_lib_t does that work?
chcon -R -t httpd_var_lib_t /var/lib/dav
Also what is the standard directory under /srv?
Dan
On Monday 31 October 2005 at 11:05 -0500, Daniel J Walsh wrote:
You need to change the context of those directories so that httpd can read/write them
chcon -R -t httpd_sys_script_rw_t /var/lib/dav
Test shows this works. Thank you.
Joe Orton wrote in the bugzilla entry to add /var/lib/dav to the default policy and let admins manage the contents of /srv themselves.
Regards,
selinux@lists.fedoraproject.org