I want to serve web pages from the clear-text directory of an ecryptfs mount. I am running under SELinux. I am getting AVC denials in audit.log. This is what I am doing:
1. Create two directories under /var/www: clear_sites and crypt_sites
2. Mount it via:
mount -t ecryptfs -o key=passphrase:passphrase_passwd_file=.www,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,no_sig_cache,ecryptfs_passthrough /var/www/crypt_sites /var/www/clear_sites
3. Transfer a working web directory to /var/www/clear_sites
4. Make sure /var/www/clear_sites (and /var/www/crypt_sites, and all their respective subdirectories) are set via:
chown root:apache
chmod 750 or 640 or what is needed
context is user_u:object_r:httpd_sys_content_t
5. Verify that stuff written to clear_sites is showing up in crypt_sites
6. Configure Apache:
Alias /jv "/var/www/clear_sites/jv/"
<Directory "/var/www/clear_sites/jv">
Options -Indexes
Order Allow,Deny
Allow from 192.168.0.0/24
Allow from localhost
Allow from 127.0.0.1
</Directory>
7. Point browser to http://something.somewhere.com/jv
I get a Forbidden: You don't have permission to access /jv/ on this server.
8. audit.log says:
type=AVC msg=audit(1236792030.134:49348): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49348): arch=c000003e syscall=4 success=no exit=-13 a0=2b30a98fa690 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=2b30a98f5138 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49349): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49349): arch=c000003e syscall=6 success=no exit=-13 a0=2b30a98fa770 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=0 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49350): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49350): arch=c000003e syscall=4 success=no exit=-13 a0=2b30a98fa6a0 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=2b30a98f5138 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49351): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49351): arch=c000003e syscall=6 success=no exit=-13 a0=2b30a98fa780 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=0 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49352): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49352): arch=c000003e syscall=4 success=no exit=-13 a0=2b30a98fa6b8 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=2b30a98f5138 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49353): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49353): arch=c000003e syscall=6 success=no exit=-13 a0=2b30a98fa7a0 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=0 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
I am running RedHat Enterprise Linux 5.2 64bit. audit2why | audit2allow is telling me to:
#============= httpd_t ==============
allow httpd_t httpd_sys_content_t:file 0x100000;
but I would rather not have to modify the policy if I did not have to.
What am I doing wrong?
Thanks
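To triage denials like the ones quoted above, here is an added Python example (not from the original post, and not an audit2allow feature) that parses AVC records from audit.log, groups them by source context, target context, class and permission, and flags permissions reported as a raw hex bit such as { 0x100000 }, which is how the kernel prints an access-vector bit that the loaded policy has no name for. The sample records are constructed after the post's own lines and are not real captures.

```python
import re
from collections import Counter

# Constructed audit.log excerpt modelled on the records in the post (not a real capture).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1236792030.134:49348): avc:  denied  { 0x100000 } for  pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49348): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1236792030.134:49349): avc:  denied  { 0x100000 } for  pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1236792030.200:49360): avc:  denied  { getattr } for  pid=28389 comm="httpd" path="/var/www/clear_sites/jv/index.html" dev=ecryptfs ino=3074201 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_PERM_RE = re.compile(r'^0x[0-9a-fA-F]+$')


def parse_avc(line):
    """Return a dict of fields for an AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    return rec


def is_unnamed_perm(perm):
    """True when the kernel printed a raw access-vector bit (e.g. 0x100000) instead of
    a permission name, meaning the loaded policy does not define that bit for the class."""
    return HEX_PERM_RE.match(perm) is not None


def summarize(audit_text):
    """Group denials by (scontext, tcontext, tclass, perm) and count them."""
    counts = Counter()
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            counts[(rec['scontext'], rec['tcontext'], rec['tclass'], perm)] += 1
    return [
        {'scontext': s, 'tcontext': t, 'tclass': c, 'perm': p, 'count': n,
         'unnamed_perm': is_unnamed_perm(p)}
        for (s, t, c, p), n in sorted(counts.items())
    ]


if __name__ == '__main__':
    for row in summarize(SAMPLE_AUDIT):
        print(row)
```

A row with unnamed_perm set means audit2allow can only emit the hex literal, as in the post; a named permission on a wrong tcontext (the constructed default_t row) points at a labelling problem instead.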
Description of problem:
I am getting 0x100000 permission denials for a directory. Apache is trying to read a directory that is on an eCryptfs mount.
Version-Release number of selected component (if applicable):
Patched and up to date.
How reproducible:
Always
Steps to Reproduce:
I want to serve web pages from the clear-text directory of an eCryptfs mount. I am running under SELinux. I am getting AVC denials. This is what I am doing:
1. Create two directories:
mkdir /var/www/clear_sites /var/www/crypt_sites
2. Mount it via:
mount -t ecryptfs -o key=passphrase:passphrase_passwd_file=/var/backup/.ecryptfs/.www,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,no_sig_cache,ecryptfs_passthrough /var/www/crypt_sites /var/www/clear_sites
3. Transfer a working web directory to /var/www/clear_sites
4. Make sure /var/www/clear_sites (and /var/www/crypt_sites, and all their respective subdirectories) are set via:
chown root:apache
chmod 750 or 640 or what is needed
context is user_u:object_r:httpd_sys_content_t
5. Verify that stuff written to clear_sites is showing up in crypt_sites
6. Configure Apache:
Alias /jv "/var/www/clear_sites/jv/"
<Directory "/var/www/clear_sites/jv">
Options -Indexes
Order Allow,Deny
Allow from 192.168.0.0/24
Allow from localhost
Allow from 127.0.0.1
</Directory>
7. Restart apache:
/sbin/service httpd restart
8. Point browser to http://something.somewhere.com/jv
I get a Forbidden: You don't have permission to access /jv/ on this server.
Actual results:
audit.log says:
type=AVC msg=audit(1236795231.038:49752): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.038:49752): arch=c000003e syscall=4 success=no exit=-13 a0=2ac5b2ab0630 a1=7fff0a015600 a2=7fff0a015600 a3=2ac5b2aab0d8 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.038:49753): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.038:49753): arch=c000003e syscall=6 success=no exit=-13 a0=2ac5b2ab0710 a1=7fff0a015600 a2=7fff0a015600 a3=0 items=0 ppid=31655 pid=31658 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7620 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236795231.042:49754): avc: denied { 0x100000 } for pid=31658 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236795231.042:49754): arch=c000003e syscall=4 success=no exit=-13 a0=2ac5b2ab0638 a1=7fff0a015600 a2=7fff0a015600 a3=2ac5b2aab0d8 items=0 ppid=31655 pid=31658 auid=501 uid=4...