[DSE-Dev] Bug#680142: selinux-policy-default: user_t cannot manage httpd_user_content_t (cannot view/edit files in $HOME/public_html)

Florin Iucha florin at iucha.net
Tue Jul 3 22:24:05 UTC 2012


Package: selinux-policy-default
Version: 2:0.2.20100524-7+squeeze1
Severity: important

Hello,

I have installed Debian Squeeze on my server, I have enabled SELinux in enforcing mode, then I have installed Apache and
tried to serve some files from a user's home directory.

As root, I have enabled 'httpd_enable_homedirs', but after creating the 'public_html' directory, a 'ls -lZ public_html'
returns:

        d??????????  ? ?  ?  0 ?  ? public_html

Running the same command as root, I get

        drwxr-xr-x.  2 florin florin staff_u:object_r:httpd_user_content_t:s0 4096 Jul 3 09:05 public_html

as expected.

I have searched the web for a solution, and I have found this note:

        http://www.martinorr.name/selinux/patches/654_httpd_user_content

indicating that a fix for this problem was added to 0.2.20100524-11, but Squeeze only has 2:0.2.20100524-7+squeeze1.

Is it possible to backport just the fix to the version in Squeeze?

Alternatively, is there a simple local policy that I can add to allow me to export
the 'public_html', until the next version comes along?

Thanks for your work on Debian!

florin


-- System Information:
Debian Release: 6.0.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules        1.1.1-6.1+squeeze1 Pluggable Authentication Modules f
ii  libselinux1           2.0.96-1           SELinux runtime shared libraries
ii  libsepol1             2.0.41-1           SELinux library for manipulating b
ii  policycoreutils       2.0.82-3           SELinux core policy utilities
ii  python                2.6.6-3+squeeze7   interactive high-level object-orie

Versions of packages selinux-policy-default recommends:
ii  checkpolicy              2.0.22-1        SELinux policy compiler
ii  setools                  3.3.6.ds-7.2+b1 tools for Security Enhanced Linux 

Versions of packages selinux-policy-default suggests:
pn  logcheck                      <none>     (no description available)
pn  syslog-summary                <none>     (no description available)

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permission denied: u'/etc/selinux/default/modules/active/file_contexts.local'
/etc/selinux/default/modules/semanage.read.LOCK [Errno 13] Permission denied: u'/etc/selinux/default/modules/semanage.read.LOCK'
/etc/selinux/default/modules/semanage.trans.LOCK [Errno 13] Permission denied: u'/etc/selinux/default/modules/semanage.trans.LOCK'

-- no debconf information




