
Whenever I upload a file via my web browser to my web server, I see the following lines in /var/log/messages.

Nov  8 12:18:24 sn setroubleshoot: SELinux is preventing httpd from create access on the file temp_5be3f85348052_5be3f85347985.docx. For complete SELinux messages run: sealert -l 335e7781-6a68-4ca6-827f-073f93829f2d
Nov  8 12:18:24 sn python: SELinux is preventing httpd from create access on the file temp_5be3f85348052_5be3f85347985.docx.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that httpd should be allowed create access on the temp_5be3f85348052_5be3f85347985.docx file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp

While the format is ugly, I run sealert -l 335e7781-6a68-4ca6-827f-073f93829f2d and see

SELinux is preventing httpd from create access on the file temp_5be3f85348052_5be3f85347985.docx.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that httpd should be allowed create access on the temp_5be3f85348052_5be3f85347985.docx file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing:

ausearch -c 'httpd' --raw | audit2allow -M my-httpd

semodule -i my-httpd.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:user_home_t:s0
Target Objects                temp_5be3f85348052_5be3f85347985.docx [ file ]
Source                        httpd
Source Path                   httpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           httpd-2.4.6-80.el7.centos.1.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-192.el7_5.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     sn.somewhere.com
Platform                      Linux sn.somewhere.com 3.10.0-862.11.6.el7.x86_64 #1 SMP Tue Aug 14 21:49:04 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-11-08 12:16:06 +0330
Last Seen                     2018-11-08 12:18:19 +0330
Local ID                      335e7781-6a68-4ca6-827f-073f93829f2d

Raw Audit Messages
type=AVC msg=audit(1541666899.294:27636): avc: denied { create } for pid=25734 comm="httpd" name="temp_5be3f85348052_5be3f85347985.docx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file

type=SYSCALL msg=audit(1541666899.294:27636): arch=x86_64 syscall=open success=no exit=EACCES a0=7ffc8a052400 a1=241 a2=1b6 a3=2823ea08d07abe97 items=0 ppid=13555 pid=25734 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,user_home_t,file,create

I run the two commands and everything seems normal:

# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-httpd.pp

# semodule -i my-httpd.pp

...however, after uploading the file once again, I see those messages in the log again and again.

How can I fix this?

The list of boolean values related to httpd is:

# semanage boolean -l | grep httpd
httpd_can_network_relay        (off  ,  off)  Allow httpd to can network relay
httpd_can_connect_mythtv       (off  ,  off)  Allow httpd to can connect mythtv
httpd_can_network_connect_db   (off  ,  off)  Allow httpd to can network connect db
httpd_use_gpg                  (off  ,  off)  Allow httpd to use gpg
httpd_dbus_sssd                (off  ,  off)  Allow httpd to dbus sssd
httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi
httpd_verify_dns               (off  ,  off)  Allow httpd to verify dns
httpd_dontaudit_search_dirs    (off  ,  off)  Allow httpd to dontaudit search dirs
httpd_use_cifs                 (off  ,  off)  Allow httpd to use cifs
httpd_manage_ipa               (off  ,  off)  Allow httpd to manage ipa
httpd_run_stickshift           (off  ,  off)  Allow httpd to run stickshift
httpd_enable_homedirs          (off  ,  off)  Allow httpd to enable homedirs
httpd_dbus_avahi               (off  ,  off)  Allow httpd to dbus avahi
httpd_unified                  (on   ,   on)  Allow httpd to unified
httpd_mod_auth_pam             (off  ,  off)  Allow httpd to mod auth pam
httpd_can_network_connect      (on   ,   on)  Allow httpd to can network connect
httpd_execmem                  (off  ,  off)  Allow httpd to execmem
httpd_use_fusefs               (off  ,  off)  Allow httpd to use fusefs
httpd_mod_auth_ntlm_winbind    (off  ,  off)  Allow httpd to mod auth ntlm winbind
httpd_use_sasl                 (off  ,  off)  Allow httpd to use sasl
httpd_tty_comm                 (off  ,  off)  Allow httpd to tty comm
httpd_sys_script_anon_write    (off  ,  off)  Allow httpd to sys script anon write
httpd_graceful_shutdown        (on   ,   on)  Allow httpd to graceful shutdown
httpd_can_connect_ftp          (on   ,   on)  Allow httpd to can connect ftp
httpd_run_ipa                  (off  ,  off)  Allow httpd to run ipa
httpd_read_user_content        (on   ,   on)  Allow httpd to read user content
httpd_use_nfs                  (off  ,  off)  Allow httpd to use nfs
httpd_can_connect_zabbix       (off  ,  off)  Allow httpd to can connect zabbix
httpd_tmp_exec                 (off  ,  off)  Allow httpd to tmp exec
httpd_run_preupgrade           (off  ,  off)  Allow httpd to run preupgrade
httpd_can_sendmail             (on   ,   on)  Allow httpd to can sendmail
httpd_builtin_scripting        (on   ,   on)  Allow httpd to builtin scripting
httpd_can_connect_ldap         (off  ,  off)  Allow httpd to can connect ldap
httpd_can_check_spam           (off  ,  off)  Allow httpd to can check spam
httpd_can_network_memcache     (off  ,  off)  Allow httpd to can network memcache
httpd_can_network_connect_cobbler (off  ,  off)  Allow httpd to can network connect cobbler
httpd_anon_write               (off  ,  off)  Allow httpd to anon write
httpd_serve_cobbler_files      (off  ,  off)  Allow httpd to serve cobbler files
httpd_ssi_exec                 (off  ,  off)  Allow httpd to ssi exec
httpd_use_openstack            (off  ,  off)  Allow httpd to use openstack
httpd_enable_ftp_server        (off  ,  off)  Allow httpd to enable ftp server
httpd_setrlimit                (off  ,  off)  Allow httpd to setrlimit

The content of my-httpd.te is:

# cat /home/snadmin/my-httpd.te

module my-httpd 1.0;

require {
    type httpd_t;
    type user_home_t;
    class dir { add_name create write };
    class file { create write };
}

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t user_home_t:dir { add_name create write };
allow httpd_t user_home_t:file create;

#!!!! This avc is allowed in the current policy
allow httpd_t user_home_t:file write;

karel
mahmood
    Did your audit2allow run produce a text file for the module? I believe my-httpd.te? If so, could you post it here? You mention there are further logs of blocked accesses after loading the module, can you share some of those too, so we can compare whether they're the same or not? – filbranden Nov 08 '18 at 09:26
  • @FilipeBrandenburger: How can I check that? – mahmood Nov 08 '18 at 09:35

2 Answers

Your issue is that http daemon tries to create a file in directory labeled with user content context (user_home_t). Are you certain the file context is correct? If you moved the directory from user's home directory to a httpd directory, you need to manually apply the correct context to the moved file using restorecon.

If you want to allow httpd to write to a file in a user's home directory, you should use a sub directory and label it with an appropriate label such as httpd_user_rw_content_t (which requires httpd_builtin_scripting), or public_content_rw_t (which requires the allow_httpd_anon_write boolean).

As to why audit2allow generated policy is not effective, you need to check what rules were generated by it.

sebasth
    So the output of semanage boolean -l | grep httpd_read_user_content is httpd_read_user_content (on , on) Allow httpd to read user content – mahmood Nov 08 '18 at 09:08
  • The AVC audit log says denied { create }, so it seems this is trying to create a file in a home directory (or a directory labelled as such), not just read it... – filbranden Nov 08 '18 at 09:24
  • @FilipeBrandenburger indeed, I somehow misread the post when I first posted the answer. Updated the answer accordingly. – sebasth Nov 08 '18 at 09:27
  • @sebasth: there is no httpd_user_rw_content_t! Please see the updated post – mahmood Nov 08 '18 at 09:34
  • @mahmood httpd_user_content_t is a file label, not a boolean. – sebasth Nov 08 '18 at 09:35
  • Excuse me. I am confused... I only see the httpd_builtin_scripting boolean value. What should I do exactly? I want to know why that creation is prevented. SELinux suggests some commands to fix that, but actually they have no effect. What is the role of audit2allow here? – mahmood Nov 08 '18 at 09:39
  • @mahmood you should see the rules generated by audit2allow in ./my-httpd.te file. The problem is that the directory you are trying to create the file has incompatible label. What is the local path of the directory you are uploading to? – sebasth Nov 08 '18 at 09:48
  • I've tried to explain typical SELinux issues in an answer to Configure SELinux to allow daemons to use files in non-default locations. – sebasth Nov 08 '18 at 09:49
  • The server has one username snadmin. Actually the Oxwall software is installed. So, people register in our website and can upload files based on their usernames (not a host user). I have updated the post to include my-httpd.te content. – mahmood Nov 08 '18 at 09:56
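As an added example (not code from the question or from sebasth's answer), a small Python triage helper that parses the AVC record quoted in the question and applies the answer's reasoning: an httpd_t write denial against user_home_t is a labeling problem, so it emits semanage fcontext/restorecon commands rather than another audit2allow module, and it flags the "already allowed in the current policy" marker that appeared in my-httpd.te. The upload path and the httpd_sys_rw_content_t label are assumptions for the demo; the page never gives the real directory.

```python
import re

# Constructed sample input: the raw AVC record from the question, joined on one line.
AVC_LINE = ('type=AVC msg=audit(1541666899.294:27636): avc: denied { create } for pid=25734 '
            'comm="httpd" name="temp_5be3f85348052_5be3f85347985.docx" '
            'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 '
            'tclass=file')

# Constructed sample input: the marker audit2allow wrote into the question's my-httpd.te.
TE_TEXT = """module my-httpd 1.0;
#!!!! This avc is allowed in the current policy
allow httpd_t user_home_t:file create;
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
                    r'scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)')

WRITE_PERMS = {'create', 'write', 'append', 'add_name', 'remove_name', 'unlink', 'rename'}


def parse_avc(line):
    """Return permissions, command, source type, target type and class of one AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError('not an AVC denial record')
    # A context is user:role:type:level; allow rules are written in terms of the type.
    return {'perms': m.group('perms').split(), 'comm': m.group('comm'),
            'stype': m.group('src').split(':')[2],
            'ttype': m.group('tgt').split(':')[2], 'tclass': m.group('cls')}


def module_adds_nothing(te_text):
    """audit2allow writes this comment above a rule the loaded policy already contains,
    so installing the generated module again cannot change the outcome."""
    return '#!!!! This avc is allowed in the current policy' in te_text


def recommend(line, te_text='', upload_dir='/var/www/html/uploads',
              label='httpd_sys_rw_content_t'):
    """Choose between relabeling and a local policy module for an httpd denial.
    upload_dir is a placeholder and label an assumed writable httpd content type."""
    avc = parse_avc(line)
    verdict = {'module_adds_nothing': module_adds_nothing(te_text)}
    if avc['stype'] == 'httpd_t' and avc['ttype'] == 'user_home_t' and WRITE_PERMS & set(avc['perms']):
        # httpd writing into user_home_t means the directory carries the wrong label:
        # give the writable subdirectory a type httpd may write to, then restore it.
        verdict.update(action='relabel', commands=[
            'semanage fcontext -a -t %s "%s(/.*)?"' % (label, upload_dir),
            'restorecon -Rv %s' % upload_dir])
    else:
        # Anything else: inspect the rules audit2allow proposes before loading them.
        verdict.update(action='review_module', commands=[
            "ausearch -c '%s' --raw | audit2allow -M my-%s" % (avc['comm'], avc['comm']),
            'cat my-%s.te' % avc['comm']])
    return verdict
```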

Have you tried enabling the httpd_enable_homedirs sebool?

setsebool -P httpd_enable_homedirs on
Alexander
  • I do not think it will enable the access (I do not have a RHEL7 system available at the moment, but sesearch --allow -s httpd_t -t user_home_t -p create on my system returns no rules). – sebasth Nov 08 '18 at 09:33
  • @sebasth: There is no sesearch on my system!! – mahmood Nov 08 '18 at 09:34
  • This Boolean to be part of the solution. Did it disappear? Then create a subdirectory in the user's home, and enable it in an httpd config file. – KevinO Nov 08 '18 at 16:47