SELinux & apache/httpd access to /home/*/www

Stephen Smalley sds at epoch.ncsc.mil
Fri Sep 17 17:13:13 UTC 2004


On Fri, 2004-09-17 at 12:40, Cream[DONut] wrote:
> Sep 17 18:23:15 DONut kernel: audit(1095438195.775:0): avc:  denied  { 
> read write } for  pid=2822 exe=/usr/sbin/httpd path=/dev/pts/0 
> dev=devpts ino=2 scontext=root:system_r:httpd_t 
> tcontext=root:object_r:devpts_t tclass=chr_file

This one is correct; we revoke access to the tty upon the transition to
the httpd_t domain so that a compromised daemon cannot subsequently gain
access to an admin tty.  IIRC, that did cause breakage in apache until
we made a change to the kernel to also re-open descriptors 0-2 to
/dev/null when it closes access to the tty so that stdin/stdout/stderr
are still defined as expected for it during initialization.  The kernel
change wasn't made until after test1, so that is likely why this breaks
for you.  You can allow it temporarily if you like for testing purposes,
or update to a newer kernel.

> Sep 17 18:24:10 DONut kernel: audit(1095438250.555:0): avc:  denied  { 
> search } for  pid=2826 exe=/usr/sbin/httpd name=xxxxxx dev=hda2 
> ino=886604 scontext=root:system_r:httpd_t 
> tcontext=system_u:object_r:user_home_dir_t tclass=dir
> Sep 17 18:24:10 DONut kernel: audit(1095438250.556:0): avc:  denied  { 
> getattr } for  pid=2826 exe=/usr/sbin/httpd path=/home/xxxxxx dev=hda2 
> ino=886604 scontext=root:system_r:httpd_t 
> tcontext=system_u:object_r:user_home_dir_t tclass=dir

This should have been allowed, and it is allowed in the current targeted
policy.  Looking at the CVS history, it was fixed for the targeted
policy after test1 as well, which explains your error.  So you can add
it or update your policy.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
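As an added example that is not code from this message nor from the SELinux or Fedora projects, the script below does by hand what audit2allow does with denials like the ones quoted above: it parses the AVC lines, merges the permissions per (source type, target type, class) triple, and prints policy allow rules. It also separates out the denial Stephen says is correct, the devpts_t one, from the user_home_dir_t one he says should be allowed. The sample input is the three AVC lines from the message, joined back onto single lines; the function names, the EXPECTED_DENIALS set and the split into "allow" and "expected" lists are this example's own assumptions, not part of any real tool.

```python
import re
from collections import OrderedDict

# Constructed sample: the three AVC denials quoted in the message,
# re-joined onto one line each (the archive wrapped them).
SAMPLE_AVC = """\
Sep 17 18:23:15 DONut kernel: audit(1095438195.775:0): avc:  denied  { read write } for  pid=2822 exe=/usr/sbin/httpd path=/dev/pts/0 dev=devpts ino=2 scontext=root:system_r:httpd_t tcontext=root:object_r:devpts_t tclass=chr_file
Sep 17 18:24:10 DONut kernel: audit(1095438250.555:0): avc:  denied  { search } for  pid=2826 exe=/usr/sbin/httpd name=xxxxxx dev=hda2 ino=886604 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Sep 17 18:24:10 DONut kernel: audit(1095438250.556:0): avc:  denied  { getattr } for  pid=2826 exe=/usr/sbin/httpd path=/home/xxxxxx dev=hda2 ino=886604 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Assumption for this example: target types whose denial for a daemon
# domain is the intended tty revocation described in the message, so the
# generated rule is reported but should not be added to policy for good.
EXPECTED_DENIALS = {"devpts_t"}


def parse_avc(line):
    """Return the permissions, source/target types and class of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    # A security context is user:role:type[:level]; the type is component 2.
    return {
        "perms": m.group("perms").split(),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "fields": fields,
    }


def collect_rules(log_text):
    """Merge denied permissions per (source type, target type, class), in log order."""
    rules = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        perms = rules.setdefault(key, [])
        for p in rec["perms"]:
            if p not in perms:
                perms.append(p)
    return rules


def format_rule(key, perms):
    """Render one triple as a policy allow rule."""
    stype, ttype, tclass = key
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {p};"


def audit2allow(log_text):
    """Return (rules worth adding, rules for denials that are expected)."""
    allow, expected = [], []
    for key, perms in collect_rules(log_text).items():
        rule = format_rule(key, perms)
        (expected if key[1] in EXPECTED_DENIALS else allow).append(rule)
    return allow, expected


if __name__ == "__main__":
    allow, expected = audit2allow(SAMPLE_AVC)
    print("# candidate rules:")
    for r in allow:
        print(r)
    print("# expected denials (tty revocation), do not allow permanently:")
    for r in expected:
        print(r)
```

On a real system the equivalent is `audit2allow -M mymod < denials.log` followed by `semodule -i mymod.pp`; the point of doing it by hand here is to see that the two home directory denials collapse into a single `allow httpd_t user_home_dir_t:dir { search getattr };`, which is the rule the newer targeted policy already carries, while the devpts_t rule is one you would only ever add for a short test, as the message says.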
