Re: Webdav problems in enforcing mode in Raw Hide

Nicolas Mailhot wrote:
> Hi,
>
> I've just test tested webdav in enforcing mode on Fedora Devel and it
> doesn't work :
>
>
> - apache needs rw access on /srv (don't know where the default dav root
> should be, I put it in srv since its seems the FHS wants this kind of
> stuff there)
>
> type=AVC msg=audit(1130749513.951:3772): avc:  denied  { read } for
> pid=11759 comm="httpd" name="nim" dev=dm-0 ino=1048598
> scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:var_t:s0
> tclass=dir
> type=SYSCALL msg=audit(1130749513.951:3772): arch=c000003e syscall=2
> success=no exit=-13 a0=5555558ca410 a1=10800 a2=5555558c7ff8
> a3=5555558c58a7 items=1 pid=11759 auid=4294967295 uid=48 gid=48 euid=48
> suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd"
> exe="/usr/sbin/httpd"
>
>   
You need to change the context of those directories so that httpd can 
read/write them
chcon -R -t httpd_sys_script_rw_t /var/lib/dav

http://fedora.redhat.com/docs/selinux-apache-fc3/

Has a good description of how to use httpd and selinux.
> - it also needs rw acces to its default /var/lib/dav/lockdb.dir
>
> type=AVC msg=audit(1130749738.930:3777): avc:  denied  { write } for
> pid=11766 comm="httpd" name="lockdb.dir" dev=dm-0 ino=2392524
> scontext=root:system_r:httpd_t:s0
> tcontext=system_u:object_r:var_lib_t:s0 tclass=file
> type=SYSCALL msg=audit(1130749738.930:3777): arch=c000003e syscall=2
> success=no exit=-13 a0=5555558c7580 a1=42 a2=1b6 a3=3 items=1 pid=11766
> auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
> fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
> type=CWD msg=audit(1130749738.930:3777):  cwd="/"
> type=PATH msg=audit(1130749738.930:3777): item=0
> name="/var/lib/dav/lockdb.dir" flags=310  inode=2392223 dev=fd:00
> mode=040700 ouid=48 ogid=48 rdev=00:00
>
>
> On another topic I still have spamassassin procmail problems :
>
> type=CWD msg=audit(1130749836.551:3779):  cwd="/home/nim/.maildir"
> type=PATH msg=audit(1130749836.551:3779): item=0 name="/usr/bin/spamc"
> flags=1  inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1130749839.979:3780): avc:  denied  { execute } for
> pid=11852 comm="procmail" name="spamc" dev=dm-0 ino=3349141
> scontext=system_u:system_r:postfix_local_t:s0
> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=file
> type=SYSCALL msg=audit(1130749839.979:3780): arch=c000003e syscall=59
> success=no exit=-13 a0=51c1d1 a1=51c170 a2=51bfc0 a3=51c1d1 items=1
> pid=11852 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
> egid=500 sgid=500 fsgid=500 comm="procmail" exe="/usr/bin/procmail"
> type=CWD msg=audit(1130749839.979:3780):  cwd="/home/nim/.maildir"
> type=PATH msg=audit(1130749839.979:3780): item=0 name="/usr/bin/spamc"
> flags=101  inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1130749839.983:3781): avc:  denied  { getattr } for
> pid=11852 comm="sh" name="spamc" dev=dm-0 ino=3349141
> scontext=system_u:system_r:postfix_local_t:s0
> tcontext=system_u:object_r:spamc_exec_t:s0 tclass=filetype=SYSCALL
> msg=audit(1130749839.983:3781): arch=c000003e syscall=4 success=no
> exit=-13 a0=6bf780 a1=7fffffefb5c0 a2=7fffffefb5c0 a3=2 items=1
> pid=11852 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
> egid=500 sgid=500 fsgid=500 comm="sh" exe="/bin/bash"
> type=AVC_PATH msg=audit(1130749839.983:3781):  path="/usr/bin/spamc"
> type=CWD msg=audit(1130749839.983:3781):  cwd="/home/nim/.maildir"
> type=PATH msg=audit(1130749839.983:3781): item=0 name="/usr/bin/spamc"
> flags=1  inode=3349141 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
>
>
>
> Package versions :
>
> selinux-policy-targeted-1.27.2-10
> libselinux-1.27.17-1
>
> Regards,
>
>   
--