SELinux, Apache, and eCryptFS

Asked by me

I want to serve web pages from the clear-text directory of an ecryptfs mount. I am running under SELinux. I am getting AVC denials in audit.log. This is what I am doing:

1. Create two directories under /var/www: clear_sites and crypt_sites

2. Mount it via:
  mount -t ecryptfs -o key=passphrase:passphrase_passwd_file=.www,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,no_sig_cache,ecryptfs_passthrough /var/www/crypt_sites /var/www/clear_sites

3. Transfer a working web directory to /var/www/clear_sites

4. Make sure /var/www/clear_sites (and /var/www/crypt_sites, and all their respective subdirectories) are set via:

     chown root:apache
     chmod 750 or 640 or what is needed
     context is user_u:object_r:httpd_sys_content_t

5. Verify that stuff written to clear_sites is showing up in crypt_sites

6. Configure Apache:

     Alias /jv "/var/www/clear_sites/jv/"
     <Directory "/var/www/clear_sites/jv">
        Options -Indexes
        Order Allow,Deny
        Allow from 192.168.0.0/24
        Allow from localhost
        Allow from 127.0.0.1
     </Directory>

7. Point browser to http://something.somewhere.com/jv

    I get a Forbidden: You don't have permission to access /jv/ on this server.

8. audit.log says:

type=AVC msg=audit(1236792030.134:49348): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49348): arch=c000003e syscall=4 success=no exit=-13 a0=2b30a98fa690 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=2b30a98f5138 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49349): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49349): arch=c000003e syscall=6 success=no exit=-13 a0=2b30a98fa770 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=0 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49350): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49350): arch=c000003e syscall=4 success=no exit=-13 a0=2b30a98fa6a0 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=2b30a98f5138 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49351): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49351): arch=c000003e syscall=6 success=no exit=-13 a0=2b30a98fa780 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=0 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49352): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49352): arch=c000003e syscall=4 success=no exit=-13 a0=2b30a98fa6b8 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=2b30a98f5138 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49353): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49353): arch=c000003e syscall=6 success=no exit=-13 a0=2b30a98fa7a0 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=0 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)

I am running RedHat Enterprise Linux 5.2 64bit. audit2why | audit2allow is telling me to:

     #============= httpd_t ==============
     allow httpd_t httpd_sys_content_t:file 0x100000;

but I would rather not have to modify the policy if I did not have to.

What am I doing wrong?

Thanks
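What the raw `{ 0x100000 }` in those records means is the first thing to pin down. The script below is an added example (not part of the question and not eCryptfs or Red Hat code): it parses the AVC and SYSCALL records quoted above, pairs them by audit serial number, decodes the permission bitmask against the classic (RHEL 5 era) flask bit layout for the common file permissions and the `file` and `dir` classes, names the x86_64 (`arch=c000003e`) syscall and the errno, and renders the rule audit2allow printed with the permission named. The permission tables and syscall table are assumptions about that era's policy and kernel; newer policies reorder the bits, so the table must match the policy actually loaded. The kernel itself prints a permission in hex exactly when the loaded policy has no name for that bit, which is why a kernel/policy version mismatch is one thing worth checking when you see output like this.

```python
"""Decode SELinux AVC denials whose permission is shown as raw hex (e.g. { 0x100000 }).

Added example, not from the original question or the eCryptfs project. The sample
records below are copied verbatim from the question's audit.log excerpt. The bit
tables are assumptions: they reflect the classic (RHEL 5 era) policy layout and
must match whatever policy is loaded on the box being analysed.
"""
import errno
import re

# Common file permissions in flask order, occupying bits 0..16 (assumed classic layout).
COMMON_FILE_PERMS = [
    "ioctl", "read", "write", "create", "getattr", "setattr", "lock",
    "relabelfrom", "relabelto", "append", "unlink", "link", "rename",
    "execute", "swapon", "quotaon", "mounton",
]
# Each class appends its own permissions directly after the common set (assumed layout).
CLASS_SPECIFIC_PERMS = {
    "file": ["execute_no_trans", "entrypoint", "execmod", "open"],
    "dir": ["add_name", "remove_name", "reparent", "search", "rmdir", "open"],
}
# x86_64 (arch=c000003e) syscall numbers; only the ones relevant to file access here.
X86_64_SYSCALLS = {2: "open", 4: "stat", 5: "fstat", 6: "lstat"}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Two AVC/SYSCALL pairs copied from the question (serials 49348 and 49349).
SAMPLE_AUDIT_LOG = """
type=AVC msg=audit(1236792030.134:49348): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49348): arch=c000003e syscall=4 success=no exit=-13 a0=2b30a98fa690 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=2b30a98f5138 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1236792030.134:49349): avc: denied { 0x100000 } for pid=28389 comm="httpd" name="jv" dev=ecryptfs ino=3074196 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1236792030.134:49349): arch=c000003e syscall=6 success=no exit=-13 a0=2b30a98fa770 a1=7fff0f2d75a0 a2=7fff0f2d75a0 a3=0 items=0 ppid=28384 pid=28389 auid=501 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7533 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
"""


def _kv(text):
    """Turn 'k=v k="quoted v"' audit fields into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def decode_perm_mask(hexmask, tclass):
    """Map a hex access-vector mask to permission names for the given object class.
    Bits our table cannot name are returned as hex, mirroring what the kernel does."""
    mask = int(hexmask, 16)
    names = COMMON_FILE_PERMS + CLASS_SPECIFIC_PERMS.get(tclass, [])
    return [names[bit] if bit < len(names) else hex(1 << bit)
            for bit in range(mask.bit_length()) if (mask >> bit) & 1]


def decode_perm_tokens(tokens, tclass):
    """The braces in an AVC record may mix names ('read write') and raw hex ('0x100000')."""
    out = []
    for tok in tokens.split():
        out.extend(decode_perm_mask(tok, tclass) if tok.startswith("0x") else [tok])
    return out


def parse_audit(lines):
    """Return one event per AVC record, joined with the SYSCALL record of the same serial."""
    avcs, syscalls = {}, {}
    for line in lines:
        m = AVC_RE.match(line.strip())
        if m:
            fields = _kv(m.group("rest"))
            avcs[m.group("serial")] = {"serial": m.group("serial"),
                                       "perms": decode_perm_tokens(m.group("perms"), fields.get("tclass", "")),
                                       **fields}
            continue
        m = SYSCALL_RE.match(line.strip())
        if m:
            syscalls[m.group("serial")] = _kv(m.group("rest"))
    events = []
    for serial, avc in sorted(avcs.items(), key=lambda kv: int(kv[0])):
        sc = syscalls.get(serial, {})
        num = int(sc["syscall"]) if "syscall" in sc else None
        code = -int(sc["exit"]) if sc.get("exit", "").startswith("-") else None
        events.append({**avc,
                       "syscall": X86_64_SYSCALLS.get(num, str(num)) if sc.get("arch") == "c000003e" else sc.get("syscall"),
                       "errno": errno.errorcode.get(code) if code is not None else None})
    return events


def named_allow_rule(ev):
    """The rule audit2allow printed, with the permission bit named instead of shown as hex."""
    src = ev["scontext"].split(":")[2]
    tgt = ev["tcontext"].split(":")[2]
    return "allow %s %s:%s { %s };" % (src, tgt, ev["tclass"], " ".join(ev["perms"]))


def summary_line(ev):
    return "%s: %s denied { %s } on %s \"%s\" via %s -> %s" % (
        ev["serial"], ev["comm"], " ".join(ev["perms"]), ev["tclass"], ev["name"], ev["syscall"], ev["errno"])


if __name__ == "__main__":
    for ev in parse_audit(SAMPLE_AUDIT_LOG.splitlines()):
        print(summary_line(ev))
        print("   ", named_allow_rule(ev))
```

Run against the two sample pairs, each line decodes to `open` on class `file`, reached from `stat`/`lstat` with `EACCES`, and the hex rule becomes `allow httpd_t httpd_sys_content_t:file { open };`. Note that the same bit in the `dir` class would be `search`, so a `tclass=file` denial against a path that is a directory is itself a useful thing to notice when reading records like these.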

Question information

Language: English
Status: Answered
For: eCryptfs
Assignee: No assignee

me (bob-jellyvision) said :
#1

I forgot to mention: after configuring Apache, I did restart it.

Tyler Hicks (tyhicks) said :
#2

Interesting question! I don't think you're doing anything wrong; I think this may be an eCryptfs bug. Just to cover all bases, you're not running a custom kernel with RHEL policy or anything else that may result in a kernel <-> policy mismatch, right?

Do you have any trouble serving up pages from a non-eCryptfs mount point?

If not, Stephen Smalley's description of a similar bug in CIFS might be the problem you're seeing with eCryptfs: https://bugzilla.redhat.com/show_bug.cgi?id=163493#c4

me (bob-jellyvision) said :
#3

Hi Tyler,

Thanks for the reply. To answer your questions:

   - I am using the standard RHEL distribution kernel (2.6.18-128)
   - I do not think I have any custom policies on this box
   - I have no problems serving up other pages in normal directories. I have not, however,
     tried serving pages from any other mounts, like a loop file system, NFS or whatever

I also saw that CIFS bug, and it made me wonder if it was something similar, because "jv" is a directory and the 0x100000 permission denial is suspect. I was about to put this one on the SELinux mailing list, but I think I will put it on the RedHat bugzilla and see what happens there.

Regards,

Bob

Tyler Hicks (tyhicks) said :
#4
