Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 172087 - (selinux) Webdav problems in enforcing mode in Raw Hide
Summary: (selinux) Webdav problems in enforcing mode in Raw Hide
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
Blocks: FC5Target
TreeView+ depends on / blocked
Reported: 2005-10-31 09:22 UTC by Nicolas Mailhot
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-11-05 09:25:44 UTC

Attachments (Terms of Use)

Description Nicolas Mailhot 2005-10-31 09:22:13 UTC
Description of problem:

I've just test tested webdav in enforcing mode on Fedora Devel and it
doesn't work :

- apache needs rw access on /srv (don't know where the default dav root
should be, I put it in srv since its seems the FHS wants this kind of
stuff there)

type=AVC msg=audit(1130749513.951:3772): avc:  denied  { read } for
pid=11759 comm="httpd" name="nim" dev=dm-0 ino=1048598
scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0
type=SYSCALL msg=audit(1130749513.951:3772): arch=c000003e syscall=2
success=no exit=-13 a0=5555558ca410 a1=10800 a2=5555558c7ff8
a3=5555558c58a7 items=1 pid=11759 auid=4294967295 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd"

- it also needs rw acces to its default /var/lib/dav/lockdb.dir

type=AVC msg=audit(1130749738.930:3777): avc:  denied  { write } for
pid=11766 comm="httpd" name="lockdb.dir" dev=dm-0 ino=2392524
tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1130749738.930:3777): arch=c000003e syscall=2
success=no exit=-13 a0=5555558c7580 a1=42 a2=1b6 a3=3 items=1 pid=11766
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=CWD msg=audit(1130749738.930:3777):  cwd="/"
type=PATH msg=audit(1130749738.930:3777): item=0
name="/var/lib/dav/lockdb.dir" flags=310  inode=2392223 dev=fd:00
mode=040700 ouid=48 ogid=48 rdev=00:00

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.Create a webdav root in /srv
2.Try to use it in enforcing mode server-side
Actual results:

1. Webdav clients fail when trying to manipulate the share 
2. Various errors in apache logs :

[Mon Oct 31 10:05:13 2005] [error] [client x.x.x.x] Provider encountered an
error while streaming a multistatus PROPFIND response.  [404, #0]
[Mon Oct 31 10:08:58 2005] [error] [client x.x.x.x] File does not exist:
[Mon Oct 31 10:08:58 2005] [error] [client x.x.x.x] File does not exist:
[Mon Oct 31 10:08:58 2005] [error] [client x.x.x.x] The locks could not be
queried for verification against a possible "If:" header.  [500, #0]
[Mon Oct 31 10:08:58 2005] [error] [client x.x.x.x] Could not open the lock
database.  [500, #400]
[Mon Oct 31 10:08:58 2005] [error] [client x.x.x.x] (13)Permission denied: Could
not open property database.  [500, #1]

Expected results:

A working dav share
No errors in httpd logs

Additional info:

I've reported this on the selinux list, I just want to trace it there so it's
fixed before FC5

Comment 1 Nicolas Mailhot 2005-10-31 09:26:23 UTC
Dav/Apache problem -> CCing Joe Orton

Comment 2 Joe Orton 2005-10-31 10:30:25 UTC
Looks like a policy issue, httpd_t should have read/write/file-creation access to

Comment 3 Nicolas Mailhot 2005-10-31 10:37:52 UTC
Yes, that's why I opened an selinux bug, but I thought it would be nice to have
you there to confirm apache needs read/write/file-creation access to
/var/lib/dav/* AND /srv (and if srv is a no-go where people are supposed to put
their dav roots)

Comment 4 Nicolas Mailhot 2005-11-01 15:32:26 UTC
Joe, Daniel would like to know if Red Hat got a specific policy regarding DAV
files in /srv (ie should the default policy allow read/write/file-creation for
all /srv, just a subdir in /srv, or none at all).

My reading of :

is that if you use DAV as a way to share data (not a way to update web sites,
but a CIFS/FTP replacement) this data belongs in /srv.

If Red Hat does not define a specific part of /srv devoted to DAV use I'd say
make all srv accessible to apache in the default policy. OTOH it's certainly
cleaner to compartimentize /srv (on my box dav is in /srv/dav). What are your
thoughts on the question ?

Comment 5 Joe Orton 2005-11-01 15:44:53 UTC
I'd say it would be best to leave /srv labelling entirely to user policy.

Comment 6 Nicolas Mailhot 2005-11-01 16:05:35 UTC
:( This will force a lot of people to learn selinux instead of being mostly
transparent. Are you sure ?

Comment 7 Joe Orton 2005-11-01 16:14:08 UTC
To create a DAV repos you already have to create a directory and set up the
permissions correctly, it's never been an "it just works" thing.  The fact that
you have to label it too is just an extra step.

Comment 8 Nicolas Mailhot 2005-11-01 16:41:43 UTC
It just got a little less "just works" 

I'll just ask for the lock dir then

Comment 9 Daniel Walsh 2005-11-03 18:56:38 UTC
Fixed in policy version 1.27.2-12

Comment 10 Nicolas Mailhot 2005-11-05 09:25:44 UTC
I can confirm -> closing

Note You need to log in before you can comment on or make changes to this bug.