Bug 163493 - SELinux prohibit HTTPD to list cifs mounts
Summary: SELinux prohibit HTTPD to list cifs mounts
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: low
Target Milestone: ---
Assignee: James Morris
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-07-18 11:57 UTC by Dimitar Pashev
Modified: 2007-11-30 22:11 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-05-05 14:56:50 UTC



Description Dimitar Pashev 2005-07-18 11:57:41 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.8) Gecko/20050511

Description of problem:
HTTPD daemon unable to list cifs mounted directories.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. mkdir -p /var/www/html/remote
2. mount /windows-server/share /var/www/html/remote -t cifs -o fscontext=system_u:object_r:httpd_sys_content_t
3. httpd.conf
 <Directory /var/www/html/remote>
   Options +Indexes
   Allow from all
 </Directory>


Actual Results:  audit(1121686107.475:0): avc:  denied  { 0x100000 } for  name=docs dev=cifs ino=236013 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file


Additional info:

Comment 1 Daniel Walsh 2005-07-20 14:14:35 UTC
This looks like it might be a kernel/policy mismatch problem?

Comment 2 Daniel Walsh 2005-08-25 16:37:46 UTC
Any update on this?  Are you still seeing this problem?

Comment 3 Dimitar Pashev 2005-09-10 09:05:01 UTC
audit(1126342432.212:4533451): avc:  denied  { 0x100000 } for  name=writer
dev=cifs ino=3714545 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=file
audit(1126342432.212:4533451): syscall=195 arch=40000003 success=no exit=-13
a0=8853130 a1=ae954e8c a2=4bbe6ff4 a3=ae954e8c items=1 pid=6892 loginuid=-1
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm=httpd
exe=/usr/sbin/httpd
audit(1126342432.212:4533451): item=0
name="/var/www/html/remote/docs/writer/index.htm" inode=3714545 dev=00:11
mode=040777 uid=0 gid=0 rdev=00:00

Comment 4 Stephen Smalley 2005-09-12 12:16:50 UTC
tclass=file is wrong here, as the object is a directory.  That is why the
permission value (0x100000 == DIR__SEARCH) is not being interpreted correctly.

Since the tcontext is correct, selinux_d_instantiate->inode_doinit must have
completed.   It would have set the class from the inode mode information at the
time of the d_instantiate/d_splice_alias (i.e. when it was first looked up or
created).  This suggests that cifs is calling d_instantiate without first
setting the inode mode.

Looking at the cifs code, it appears that cifs_filldir (called upon a readdir on
a cifs directory) constructs a dentry for each entry in the directory (thereby
calling d_instantiate) without first setting up the inode state.  It then fills
in the inode state prior to calling filldir.

I'd classify this as a bug in cifs, not SELinux.  It should set the inode mode
prior to calling d_instantiate so that the inode is not accessible with
uninitialized state.

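Added here as an illustration of the class/permission mismatch Stephen Smalley describes in comment 4; this is not code from the bug thread or from the kernel. It parses an AVC record like the one quoted in the report and checks whether a permission the kernel printed as a raw hex value (here 0x100000) is defined for the reported tclass or for some other class; the bit values are taken from the Fedora Core 4-era kernel's av_permissions.h, and the sample line is a constructed copy of the denial in the description.

```python
import re

# AVC permission bits for the "file" and "dir" classes as defined in the 2.6.x
# kernel's security/selinux/av_permissions.h of the Fedora Core 4 era. The
# common-file bits are listed only partially; the class-specific bits are complete.
COMMON_FILE = {0x2: "read", 0x4: "write", 0x10: "getattr", 0x20: "setattr",
               0x80: "relabelfrom", 0x100: "relabelto", 0x10000: "mounton"}
PERMS = {
    "file": {**COMMON_FILE, 0x20000: "execute_no_trans", 0x40000: "entrypoint",
             0x80000: "execmod"},
    "dir": {**COMMON_FILE, 0x20000: "add_name", 0x40000: "remove_name",
            0x80000: "reparent", 0x100000: "search", 0x200000: "rmdir"},
}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perm>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)")

def parse_avc(line):
    """Return the denied permission and the key=value fields of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return {"perm": m.group("perm"), **fields}

def triage(line):
    """Explain a permission that the kernel printed as a raw hex value.

    A hex permission means the kernel found no name for that bit in the reported
    tclass. If the same bit is a named permission of another class, the object's
    class was most likely set wrong (as with the cifs inode here), not the policy.
    """
    rec = parse_avc(line)
    if rec is None or not rec["perm"].startswith("0x"):
        return rec
    bit = int(rec["perm"], 16)
    cls = rec.get("tclass")
    rec["named_in_tclass"] = PERMS.get(cls, {}).get(bit)
    rec["named_elsewhere"] = {c: p[bit] for c, p in PERMS.items() if c != cls and bit in p}
    rec["class_mismatch"] = rec["named_in_tclass"] is None and bool(rec["named_elsewhere"])
    return rec

# Constructed copy of the denial quoted in the bug description.
SAMPLE = ("audit(1121686107.475:0): avc:  denied  { 0x100000 } for  name=docs dev=cifs "
          "ino=236013 scontext=system_u:system_r:httpd_t "
          "tcontext=system_u:object_r:httpd_sys_content_t tclass=file")

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(r["perm"], r["tclass"], r["named_elsewhere"], r["class_mismatch"])
```
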
Comment 5 Dave Jones 2006-01-16 22:05:53 UTC
This is a mass-update to all currently open Fedora Core 3 kernel bugs.

Fedora Core 3 support has transitioned to the Fedora Legacy project.
Due to the limited resources of this project, typically only
updates for new security issues are released.

As this bug isn't security related, it has been migrated to a
Fedora Core 4 bug.  Please upgrade to this newer release, and
test if this bug is still present there.

This bug has been placed in NEEDINFO_REPORTER state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.

Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.

Thank you.


Comment 6 Dave Jones 2006-02-03 07:00:44 UTC
This is a mass-update to all currently open kernel bugs.

A new kernel update has been released (Version: 2.6.15-1.1830_FC4)
based upon a new upstream kernel release.

Please retest against this new kernel, as a large number of patches
go into each upstream release, possibly including changes that
may address this problem.

This bug has been placed in NEEDINFO_REPORTER state.
Due to the large volume of inactive bugs in bugzilla, if this bug is
still in this state in two weeks time, it will be closed.

Should this bug still be relevant after this period, the reporter
can reopen the bug at any time. Any other users on the Cc: list
of this bug can request that the bug be reopened by adding a
comment to the bug.

If this bug is a problem preventing you from installing the
release this version is filed against, please see bug 169613.

Thank you.


Comment 7 John Thacker 2006-05-05 14:56:50 UTC
Closing per previous comment.

Comment 8 Steve French 2006-09-06 21:59:57 UTC
Patch available for mainline and tests out ok - sending off to Linus for 2.6.18
(in case it is not too late)

