Invalid SELinux denials on eCryptfs directories

Bug #341355 reported by Tyler Hicks

Affects / Status / Importance / Assigned to / Milestone
eCryptfs: Fix Released, Medium, assigned to Tyler Hicks
Fedora: Fix Released, Medium

Bug Description

I want to serve web pages from the clear-text directory of an ecryptfs mount. I am running under SELinux. I am getting AVC denials in audit.log. This is what I am doing:

1. Create two directories under /var/www: clear_sites and crypt_sites

2. Mount it via:
  mount -t ecryptfs -o key=passphrase:passphrase_passwd_file=.www,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,no_sig_cache,ecryptfs_passthrough /var/www/crypt_sites /var/www/clear_sites

3. Transfer a working web directory to /var/www/clear_sites

4. Make sure /var/www/clear_sites (and /var/www/crypt_sites, and all their respective subdirectories) are set via:

     chown root:apache
     chmod 750 or 640 or what is needed
     context is user_u:object_r:httpd_sys_content_t

5. Verify that stuff written to clear_sites is showing up in crypt_sites

6. Configure Apache:

     Alias /jv "/var/www/clear_sites/jv/"
     <Directory "/var/www/clear_sites/jv">
        Options -Indexes
        Order Allow,Deny
        Allow from 192.168.0.0/24
        Allow from localhost
        Allow from 127.0.0.1
     </Directory>

7. Point browser to http://something.somewhere.com/jv

    I get a Forbidden: You don't have permission to access /jv/ on this server.

8. audit.log says:

type=AVC msg=audit(1236792030.134:49348): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49348): arch=c000003e syscall=4 success=no exit=-13 a0=2b30a98fa690 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=2b30a98f5138 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49349): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49349): arch=c000003e syscall=6 success=no exit=-13 a0=2b30a98fa770 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=0 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49350): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49350): arch=c000003e syscall=4 success=no exit=-13 a0=2b30a98fa6a0 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=2b30a98f5138 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49351): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49351): arch=c000003e syscall=6 success=no exit=-13 a0=2b30a98fa780 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=0 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49352): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49352): arch=c000003e syscall=4 success=no exit=-13 a0=2b30a98fa6b8 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=2b30a98f5138 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49353): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49353): arch=c000003e syscall=6 success=no exit=-13 a0=2b30a98fa7a0 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=0 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)

I am running RedHat Enterprise Linux 5.2 64bit. audit2why | audit2allow is telling me to:

     #============= httpd_t ==============
     allow httpd_t httpd_sys_content_t:file 0x100000;

but I would rather not have to modify the policy if I did not have to.

What am I doing wrong?

Thanks

Revision history for this message
In , Bob (bob-redhat-bugs) wrote :

Description of problem:

I am getting 0x100000 permission denials for a directory. Apache is trying to read a directory that is on an eCryptfs mount.

Version-Release number of selected component (if applicable):

Patched and up to date.

How reproducible:

Always

Steps to Reproduce:

I want to serve web pages from the clear-text directory of an eCryptfs mount. I am running under SELinux. I am getting AVC denials. This is what I am doing:

1. Create two directories:

   mkdir /var/www/clear_sites /var/www/crypt_sites

2. Mount it via:

  mount -t ecryptfs -o key=passphrase:passphrase_passwd_file=/var/backup/.ecryptfs/.www,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,no_sig_cache,ecryptfs_passthrough /var/www/crypt_sites /var/www/clear_sites

3. Transfer a working web directory to /var/www/clear_sites

4. Make sure /var/www/clear_sites (and /var/www/crypt_sites, and all their respective subdirectories) are set via:

     chown root:apache
     chmod 750 or 640 or what is needed
     context is user_u:object_r:httpd_sys_content_t

5. Verify that stuff written to clear_sites is showing up in crypt_sites

6. Configure Apache:

     Alias /jv "/var/www/clear_sites/jv/"
     <Directory "/var/www/clear_sites/jv">
        Options -Indexes
        Order Allow,Deny
        Allow from 192.168.0.0/24
        Allow from localhost
        Allow from 127.0.0.1
     </Directory>

7. Restart apache:

    /sbin/service httpd restart

8. Point browser to http://something.somewhere.com/jv

    I get a Forbidden: You don't have permission to access /jv/ on this server.

Actual results:

audit.log says:

type=AVC msg=audit(1236795231.038:49752): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.038:49752): arch=c000003e syscall=4 success=no exit=-13 a0=2ac5b2ab0630 a1=7fff0a015600 a2=7fff0a015600 a3=2ac5b2aab0d8 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.038:49753): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.038:49753): arch=c000003e syscall=6 success=no exit=-13 a0=2ac5b2ab0710 a1=7fff0a015600 a2=7fff0a015600 a3=0 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.042:49754): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.042:49754): arch=c000003e syscall=4 success=no exit=-13 a0=2ac5b2ab0638 a1=7fff0a015600 a2=7fff0a015600 a3=2ac5b2aab0d8 items=0 ppid=31655 pid=31658 auid=501 uid=4...

Tyler Hicks (tyhicks) wrote :

Bug was initially reported in the form of a question by Bob (https://launchpad.net/~bob-jellyvision)
Here is a little more info:

---

Interesting question! I don't think you're doing anything wrong, I think this may be an eCryptfs bug. Just to cover all bases, you're not running a custom kernel with RHEL policy or anything else that may result in a kernel <-> policy mismatch, right?

Do you have any trouble serving up pages from a non-eCryptfs mount point?

If not, Steven Smalley's description of a similar bug in CIFS might be the problem you're seeing with eCryptfs: https://bugzilla.redhat.com/show_bug.cgi?id=163493#c4

---

Hi Tyler,

Thanks for the reply. To answer your questions:

   - I am using the standard RHEL distribution kernel (2.6.18-128)
   - I do not think I have any custom policies on this box
   - I have no problems serving up other pages in normal directories. I have not, however, tried serving pages from any other mounts, like a loop file system, nfs or what ever

I saw that CIFS bug, also, and it made me wonder if it was something similar, because "jv" is a directory and the 0x100000 permission denial is suspect. I was about to put this one on the SELinux mailing list, but I think I will put it on the RedHat bugzilla and see what happens there.

Regards,

Bob
---
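The reporter's suspicion above is the key to this bug: 0x100000 is not a defined permission in the `file` class of that era's policy (which is why audit2allow can only print the raw bits), but it is the bit position of `search` in the `dir` class, and "jv" is a directory. The denial therefore looks like SELinux checking a directory operation against an inode it had classified as a plain file, the same pattern as the CIFS bug Tyler links. The following is an added example (not code from this bug report, from eCryptfs or from SELinux) that parses AVC records like the ones quoted above, decodes raw hex permissions, and flags this class mismatch so it is not "fixed" with an allow rule. The bit layout is assumed from the SELinux reference policy's access_vectors ordering (common file permissions, then `dir` adds add_name, remove_name, reparent, search, rmdir; `file` adds execute_no_trans, entrypoint, execmod); `SAMPLE_LINES` contains the first AVC/SYSCALL pair copied from the report plus one constructed ordinary denial.

```python
import re

# Added example (not from the bug report, eCryptfs or SELinux): decode the raw
# hex permission printed in an AVC denial and flag the file/dir class mismatch
# seen in this bug ({ 0x100000 } checked against tclass=file on a directory).
#
# Assumption: bit layout follows the SELinux reference policy access_vectors
# ordering for the 2.6.18-era policy (the file class had no "open" permission
# yet, so 0x100000 had no name there). Confirm against
# /sys/fs/selinux/class/<class>/perms on the host before trusting the names.

COMMON_FILE = [
    "ioctl", "read", "write", "create", "getattr", "setattr", "lock",
    "relabelfrom", "relabelto", "append", "unlink", "link", "rename",
    "execute", "swapon", "quotaon", "mounton",
]
DIR_ONLY = ["add_name", "remove_name", "reparent", "search", "rmdir"]
FILE_ONLY = ["execute_no_trans", "entrypoint", "execmod"]


def perm_table(extra):
    """Map each permission bit (1 << index) to its name for one class."""
    return {1 << i: name for i, name in enumerate(COMMON_FILE + extra)}


PERMS = {"dir": perm_table(DIR_ONLY), "file": perm_table(FILE_ONLY)}

DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perm>[^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one type=AVC record, or None for other records."""
    if not line.startswith("type=AVC"):
        return None
    m = DENIED_RE.search(line)
    if not m:
        return None
    rec = {"perm": m.group("perm")}
    # key=value tokens after the permission set: pid, comm, name, dev, ino,
    # scontext, tcontext, tclass
    for key, val in KV_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    return rec


def decode_perms(perm, tclass):
    """Return (names, unknown_bits) for a denied permission string.

    The kernel prints a name when the bit is defined for tclass and a raw hex
    value (e.g. 0x100000) when it is not; unknown_bits carries the latter."""
    if not perm.startswith("0x"):
        return perm.split(), 0
    value = int(perm, 16)
    table = PERMS.get(tclass, {})
    names = [name for bit, name in table.items() if value & bit]
    return names, value & ~sum(table)


def explain(rec):
    """Describe a class mismatch: bits undefined for the recorded class that
    are a valid dir permission, i.e. a directory operation was checked on an
    inode SELinux had classified as a plain file."""
    names, unknown = decode_perms(rec["perm"], rec["tclass"])
    if not unknown or rec["tclass"] == "dir":
        return None
    as_dir = [name for bit, name in PERMS["dir"].items() if unknown & bit]
    if not as_dir:
        return None
    return (
        "%s name=%s dev=%s ino=%s: class %s has no permission %#x, but it is "
        "the dir permission %s; the inode was most likely labeled before its "
        "mode was set (filesystem bug), so an allow rule is the wrong fix"
        % (rec.get("comm", "?"), rec.get("name", "?"), rec.get("dev", "?"),
           rec.get("ino", "?"), rec["tclass"], unknown, "/".join(as_dir))
    )


def scan(lines):
    """Run explain() over audit log lines and return the findings."""
    findings = []
    for line in lines:
        rec = parse_avc(line.strip())
        if rec:
            msg = explain(rec)
            if msg:
                findings.append(msg)
    return findings


# Sample input: first AVC/SYSCALL pair copied from the report, plus one
# constructed ordinary denial (a real policy decision, not a class mismatch).
SAMPLE_LINES = [
    'type=AVC msg=audit(1236792030.134:49348): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1236792030.134:49348): arch=c000003e syscall=4 success=no exit=-13 items=0 ppid=28384 pid=28389 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)',
    'type=AVC msg=audit(1236792030.500:49360): avc: denied { write } for pid=28389 comm="httpd" name="private.html" dev=sda1 ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
```

Run it against a copy of audit.log (`scan(open("audit.log"))`) and only the eCryptfs records are reported; the constructed `{ write }` denial decodes to a named permission and is left to normal policy review. When the decoder shows a `dir` permission being checked on a `file`-class inode, the right fix is in the filesystem that labels the inode, which is what the patch discussed below addresses, not in the policy.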

Changed in ecryptfs:
assignee: nobody → tyhicks
importance: Undecided → Medium
Tyler Hicks (tyhicks) wrote :

I am working to see if this is a problem upstream or if it only applies to the RHEL kernel.

me (bob-jellyvision) wrote :

FYI: The RedHat bugzilla entry I made is at: https://bugzilla.redhat.com/show_bug.cgi?id=489774

Tyler Hicks (tyhicks)
Changed in ecryptfs:
status: New → In Progress
Tyler Hicks (tyhicks) wrote :

This patch applies to the RHEL 5.3 kernel (2.6.18-128.1.1.el5) and 2.6.29-rc7. The described bug is fixed in RHEL and I have successfully compiled a kernel inside of an eCryptfs mount in 2.6.18-128.1.1.el5 and 2.6.29-rc7 with the patch applied.

In , Tyler (tyler-redhat-bugs) wrote :

I have a tested patch attached to https://bugs.launchpad.net/ecryptfs/+bug/341355 that fixes this problem.

I will send the patch upstream soon.

In , Bob (bob-redhat-bugs) wrote :

Created attachment 335388
Fix

In , Bob (bob-redhat-bugs) wrote :

Attached Tyler Hicks' patch to have local copy inside RedHat bugzilla

In , Eric (eric-redhat-bugs) wrote :

Thanks; moving this to the kernel component and myself ....

In , Tyler (tyler-redhat-bugs) wrote :

I wanted to mention that it was a little late in the cycle for me to want to push this into 2.6.29. It is in my queue for 2.6.30.

In , IBM (ibm-redhat-bugs) wrote :

------- Comment From <email address hidden> 2009-03-18 19:00 EDT-------
---Problem Description---

I am getting 0x100000 permission denials for a directory. Apache is trying to read a directory that is on an eCryptfs mount.

---Steps to Reproduce---

I want to serve web pages from the clear-text directory of an eCryptfs mount. I am running under SELinux. I am getting AVC denials. This is what I am doing:

mount -t ecryptfs -o key=passphrase:passphrase_passwd_file=/var/backup/.ecryptfs/.www,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,no_sig_cache,ecryptfs_passthrough /var/www/crypt_sites /var/www/clear_sites

4. Make sure /var/www/clear_sites (and /var/www/crypt_sites, and all their respective subdirectories) are set via:

type=AVC msg=audit(1236795231.038:49752): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.038:49752): arch=c000003e syscall=4 success=no exit=-13 a0=2ac5b2ab0630 a1=7fff0a015600 a2=7fff0a015600 a3=2ac5b2aab0d8 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.038:49753): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.038:49753): arch=c000003e syscall=6 success=no exit=-13 a0=2ac5b2ab0710 a1=7fff0a015600 a2=7fff0a015600 a3=0 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.042:49754): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.042:49754): arch=c000003e syscall=4 success=no exit=-13 a0=2ac5b2ab0638 a1=7fff0a015600 a2=7fff0a015600 a3=2ac5b2aab0d8 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.042:49755): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.042:49755): arch=c000003e syscall=6 success=no exit=-13 a0=2ac5b2ab0718 a1=7fff0a015600 a2=7fff0a015600 a3=0 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.042:49756): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u...


Tyler Hicks (tyhicks) wrote :
Changed in ecryptfs:
status: In Progress → Fix Committed
Tyler Hicks (tyhicks) wrote :
Changed in ecryptfs:
status: Fix Committed → Fix Released
In , IBM (ibm-redhat-bugs) wrote :

------- Comment From <email address hidden> 2009-06-18 06:35 EDT-------
Red Hat
When can we expect the patch to be included, I don't see this patch even in RHEL 5.4 Alpha.
Please let us know how best we can take this issue further
Thanks
Sharyathi N

In , IBM (ibm-redhat-bugs) wrote :

------- Comment From <email address hidden> 2009-07-07 05:15 EDT-------
Red Hat
Any update
Thanks

In , Eric (eric-redhat-bugs) wrote :

Sincere apologies for being late on this one, it slipped through the cracks.

I see that it's now upstream:

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=ae6e84596e7b321d9a08e81679c6a3f799634636

I'm going to need to propose this for 5.5, I think, unless this is causing very big problems and we need to really push for it in 5.4....

In , RHEL (rhel-redhat-bugs) wrote :

This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
release.

Changed in fedora:
status: Confirmed → Unknown
In , Don (don-redhat-bugs) wrote :

in kernel-2.6.18-175.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Please do NOT transition this bugzilla state to VERIFIED until our QE team
has sent specific instructions indicating when to do so. However feel free
to provide a comment indicating that this fix has been verified.

Changed in fedora:
status: Unknown → Fix Committed
In , errata-xmlrpc (errata-xmlrpc-redhat-bugs) wrote :

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0178.html

Changed in fedora:
importance: Unknown → Medium
status: Fix Committed → Fix Released