SELinux, Apache, and eCryptFS

Asked by me on 2009-03-11

I want to serve web pages from the clear-text directory of an ecryptfs mount. I am running under SELinux. I am getting AVC denials in audit.log. This is what I am doing:

1. Create two directories under /var/www: clear_sites and crypt_sites

2. Mount it via:
  mount -t ecryptfs -o key=passphrase:passphrase_passwd_file=.www,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,no_sig_cache,ecryptfs_passthrough /var/www/crypt_sites /var/www/clear_sites

3. Transfer a working web directory to /var/www/clear_sites

4. Make sure /var/www/clear_sites (and /var/www/crypt_sites, and all their respective subdirectories) are set via:

     chown root:apache
     chmod 750 or 640 or what is needed
     context is user_u:object_r:httpd_sys_content_t

5. Verify that stuff written to clear_sites is showing up in crypt_sites

6. Configure Apache:

     Alias /jv "/var/www/clear_sites/jv/"
     <Directory "/var/www/clear_sites/jv">
        Options -Indexes
        Order Allow,Deny
        Allow from 192.168.0.0/24
        Allow from localhost
        Allow from 127.0.0.1
     </Directory>

7. Point browser to http://something.somewhere.com/jv

    I get a Forbidden: You don't have permission to access /jv/ on this server.

8. audit.log says:

type=AVC msg=audit(1236792030.134:49348): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49348): arch=c000003e syscall=4 success=no exit=-13 a0=2b30a98fa690 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=2b30a98f5138 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49349): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49349): arch=c000003e syscall=6 success=no exit=-13 a0=2b30a98fa770 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=0 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49350): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49350): arch=c000003e syscall=4 success=no exit=-13 a0=2b30a98fa6a0 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=2b30a98f5138 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49351): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49351): arch=c000003e syscall=6 success=no exit=-13 a0=2b30a98fa780 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=0 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49352): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49352): arch=c000003e syscall=4 success=no exit=-13 a0=2b30a98fa6b8 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=2b30a98f5138 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49353): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49353): arch=c000003e syscall=6 success=no exit=-13 a0=2b30a98fa7a0 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=0 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)

I am running RedHat Enterprise Linux 5.2 64bit. audit2why | audit2allow is telling me to:

     #============= httpd_t ==============
     allow httpd_t httpd_sys_content_t:file 0x100000;

but I would rather not have to modify the policy if I did not have to.

What am I doing wrong?

Thanks

Question information

Language: English
Status: Answered
For: eCryptfs
Assignee: No assignee
Last query: 2009-03-11
Last reply: 2009-03-11
me (bob-jellyvision) said : #1

I forgot to mention: after configuring Apache, I did restart it.

Tyler Hicks (tyhicks) said : #2

Interesting question! I don't think you're doing anything wrong, I think this may be an eCryptfs bug. Just to cover all bases, you're not running a custom kernel with RHEL policy or anything else that may result in a kernel <-> policy mismatch, right?

Do you have any trouble serving up pages from a non-eCryptfs mount point?

If not, Steven Smalley's description of a similar bug in CIFS might be the problem you're seeing with eCryptfs: https://bugzilla.redhat.com/show_bug.cgi?id=163493#c4

me (bob-jellyvision) said : #3

Hi Tyler,

Thanks for the reply. To answer your questions:

   - I am using the standard RHEL distribution kernel (2.6.18-128)
   - I do not think I have any custom policies on this box
   - I have no problems serving up other pages in normal directories. I have not, however, tried serving pages from any other mounts, like a loop file system, NFS or whatever

I saw that CIFS bug, also, and it made me wonder if it was something similar, because "jv" is a directory and the 0x100000 permission denial is suspect. I was about to put this one on the SELinux mailing list, but I think I will put it on the RedHat bugzilla and see what happens there.

Regards,

Bob
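Decoding the denial the thread is puzzling over, as an added example that is not part of the question or of eCryptfs. The kernel prints a permission as raw hex when the bit has no name in the object class it recorded in the AVC; the script below parses audit records shaped like the ones in the question and maps the bits against the reference-policy access vectors for the `file` and `dir` classes (an assumption about the asker's exact policy build, though these bit positions are stable across releases). Read under `dir`, 0x100000 is `search`, the permission httpd needs to traverse a directory, while `file` in a 2.6.18-era kernel has no bit there at all, which fits Bob's point that `jv` is a directory and matches the wrong-class pattern in the CIFS bug Tyler linked. The sample log lines are constructed in the shape of the question's excerpt.

```python
"""Decode SELinux AVC denials whose permission bits the kernel printed as hex.

Added example for this thread, not code from the question or from eCryptfs.
The permission tables are the reference-policy access vectors for the "file"
and "dir" classes as a 2.6.18-era kernel knew them (assumed for the asker's box).
"""
import re
from collections import Counter

# The 17 permissions every file-like class inherits, bit 0 upward
# (ioctl = 0x1 ... mounton = 0x10000).
COMMON_FILE = ["ioctl", "read", "write", "create", "getattr", "setattr", "lock",
               "relabelfrom", "relabelto", "append", "unlink", "link", "rename",
               "execute", "swapon", "quotaon", "mounton"]

# Class-specific permissions continue from bit 17 (0x20000). "file" stops at
# execmod (0x80000); the "open" permission at 0x100000 arrived in later kernels.
CLASS_SPECIFIC = {
    "file": ["execute_no_trans", "entrypoint", "execmod"],
    "dir": ["add_name", "remove_name", "reparent", "search", "rmdir"],
}


def decode_perms(mask, tclass):
    """Map an access-vector bitmask onto names for tclass.

    Bits the class does not define come back as hex, exactly as the kernel prints them.
    """
    names = COMMON_FILE + CLASS_SPECIFIC[tclass]
    out = []
    for bit in range(32):
        if mask & (1 << bit):
            out.append(names[bit] if bit < len(names) else hex(1 << bit))
    return out


AVC_RE = re.compile(r'avc: +(?P<result>denied|granted) +\{ (?P<perms>[^}]*)\} for (?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one type=AVC audit record into a dict; other record types give None."""
    if "type=AVC " not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["result"] = m.group("result")
    mask = 0
    named = []
    for tok in m.group("perms").split():
        if tok.startswith("0x"):
            mask |= int(tok, 16)      # bits the kernel had no name for in this class
        else:
            named.append(tok)
    rec["mask"] = mask
    rec["perms"] = named + decode_perms(mask, rec["tclass"])
    return rec


def summarize(lines):
    """Collapse repeated denials into (scontext, tcontext, tclass, perms) -> count."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            counts[(rec["scontext"], rec["tcontext"], rec["tclass"], tuple(rec["perms"]))] += 1
    return counts


# Constructed sample: two AVC records and one SYSCALL record in the shape of the
# question's audit.log excerpt (same contexts, object class and hex permission).
SAMPLE_LOG = """\
type=AVC msg=audit(1236792030.134:49348): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49348): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49349): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

if __name__ == "__main__":
    for (sctx, tctx, tclass, perms), n in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{n}x denied {{ {' '.join(perms)} }} {sctx} -> {tctx} tclass={tclass}")
        hex_bits = [p for p in perms if p.startswith("0x")]
        if hex_bits:
            mask = sum(int(h, 16) for h in hex_bits)
            # The same bits read under the dir class, which is what a directory
            # should have been reported as in the first place.
            print(f"   undefined for class {tclass}; as dir they decode to {decode_perms(mask, 'dir')}")
```

To run this against a real log, feed `summarize` the lines of `/var/log/audit/audit.log` (or of `ausearch -m AVC` output); aggregating by context, class and permission leaves one line per distinct denial instead of one per retried syscall, and any hex permission that decodes cleanly under a different class than the one in the record is a strong hint that the filesystem, not the policy, is misreporting the object.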
