SELinux: Type label for user files served by web server

I have a web server serving my (not owned by root) files. What should the files be labeled?
httpd_sys_content_t works. httpd_user_content_t sounds more correct but it’s denied.
Is there a boolean for just allowing reading httpd_user_content_t?

Check httpd_selinux man page:

        If you want to allow httpd to read user content, you must turn on the httpd_read_user_content  boolean. Disabled by default.
 
        setsebool -P httpd_read_user_content 1

Thanks, though it seems the boolean allows more than httpd_user_content_t? (sesearch)

NAVras Y via Fedora Discussion notifications@fedoraproject.discoursemail.com writes:

Thanks, though it seems the boolean allows more than httpd_user_content_t? (sesearch)

Maybe “httpd_user_content_t” is not the right type for you. You can get
an idea for what it’s supposed to be used from the default file context
mappings:

$ sudo semanage fcontext -l | grep httpd_user_content_t
/home/[^/]+/((www)|(web)|(public_html))(/.+)?      all files          unconfined_u:object_r:httpd_user_content_t:s0 
/home/user/((www)|(web)|(public_html))(/.+)?       all files          staff_u:object_r:httpd_user_content_t:s0

It’s expected that the access to homedir needs to be enabled.

httpd should be able to read “httpd_user_content_t” which is assigned to
“httpdcontent” attribute by default:

$ sesearch -A -s httpd_t -t httpdcontent -c file -p read
allow httpd_t httpd_content_type:file { getattr ioctl lock map open read };
...

So your problem is probably related to another type assigned to a parent
directory.

You haven’t shared any AVC denial message so it’s hard to say what’s
going on. It’s also possible that it’s not related to SELinux, i.e. does
it work in permissive mode - setenforce 0?

time->Tue Jul 25 11:31:02 2023
type=AVC msg=audit(1690284662.778:652): avc:  denied  { read } for  pid=827 comm="caddy" name="Music" dev="sda1" ino=17242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0

Does httpd_content_type include httpd_user_content_t?

Could be… The parent directories have mnt_t. But without changing them httpd_sys_content_t works?

If you want to see a comprehensive list of what target contexts (tcontext=...) processes labeled with a source context of httpd_t (scontext=...:httpd_t:...) are allowed to access by default so you can choose the best label, sesearch -s httpd_t --allow might be helpful.

Edit: Oh, I see that was already covered by the serverfault link you mentioned.


No, the httpd_content_type attribute includes the httpd_sys_content_t type but not httpd_user_content_t. Both are httpdcontent. (EDIT: I think this from the sesearch result, but more direct evidence is probably in the policy file.)

sesearch results
$ sesearch --allow -s httpd_t -t httpd_sys_content_t -c file -p read
allow httpd_t httpd_content_type:file { getattr ioctl lock map open read };
allow httpd_t httpdcontent:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ ( httpd_builtin_scripting && httpd_unified && httpd_enable_cgi ) ]:True
allow httpd_t httpdcontent:file { execute getattr ioctl map open read }; [ ( httpd_builtin_scripting && httpd_unified && httpd_enable_cgi ) ]:True
$ sesearch --allow -s httpd_t -t httpd_user_content_t -c file -p read
allow httpd_t httpd_user_content_type:file { getattr ioctl lock open read }; [ httpd_enable_homedirs ]:True
allow httpd_t httpdcontent:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write }; [ ( httpd_builtin_scripting && httpd_unified && httpd_enable_cgi ) ]:True
allow httpd_t httpdcontent:file { execute getattr ioctl map open read }; [ ( httpd_builtin_scripting && httpd_unified && httpd_enable_cgi ) ]:True

Indeed, httpd_user_content_t seems to be for user home dirs, not general content[1]. Plus httpd_enable_homedirs needs to be true to allow this type.

$ sesearch --allow -s httpd_t -t httpd_user_content_t -c file -p read
allow httpd_t httpd_user_content_type:file { getattr ioctl lock open read }; [ httpd_enable_homedirs ]:True

The reason for this is tclass=dir. The web server is trying to get a list of files in the folder (autoindex/browse). read on a folder is not allowed by default, only open (traverse), unless the folder is httpd_sys_content_t.

$ sesearch --allow -s httpd_t -c dir
allow httpd_t file_type:dir { getattr open search };
allow httpd_t httpd_sys_content_t:dir { ioctl lock read };

First check default context: (though because I soft-linked files from /mnt/usb they don’t automatically get this)

$ sudo semanage fcontext -l | grep /srv
/srv/([^/]*/)?www(/.*)?    all files    system_u:object_r:httpd_sys_content_t:s0 

Optionally check sesearch:

$ sesearch --allow -s httpd_t -c dir -p read
allow httpd_t httpd_content_type:dir { ioctl lock read }; [ httpd_builtin_scripting ]:True
allow httpd_t httpd_sys_content_t:dir { ioctl lock read };
allow httpd_t httpd_t:dir { getattr ioctl lock open read search watch };
$ sesearch --allow -s httpd_t -c file -p read
allow httpd_t httpd_content_type:file { getattr ioctl lock map open read };
allow httpd_t httpd_t:file { append getattr ioctl lock open read write };

I don’t see a lot of appropriate options in the long list, mostly just httpd_content_type vs. httpd_sys_content_t, and httpd_t for writable files (and more permissions in general). I’m not sure if an attribute (httpd_content_type) can be assigned to files though. Besides, diff shows httpd_content_type has more stuff allowed than httpd_sys_content_t.
Thus I think the answer is httpd_sys_content_t[2].
Still, I don’t know if listing the files in a directory is considered httpd_builtin_scripting. It’s on by default, so the other one will also work.


  1.

  2. Set files with httpd_sys_content_t if you want httpd_sys_script_exec_t scripts and the daemon to read the file, and disallow other non sys scripts from access.
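As an added example (not code from the thread or from the SELinux project): a small Python checker that parses the AVC record quoted above together with the sesearch rules quoted above, and reports whether the denied permission would be granted for a given target type and boolean state. The attribute membership map and the default boolean values are assumptions made for the example.

```python
import re

# Constructed input, copied from the thread: the AVC denial and a few sesearch lines.
# ATTRIBUTES and DEFAULT_BOOLS are assumed for illustration; on a real system query
# membership with `seinfo -a<attribute> -x` and boolean state with `getsebool`.
AVC_LINE = ('type=AVC msg=audit(1690284662.778:652): avc:  denied  { read } for  pid=827 '
            'comm="caddy" name="Music" dev="sda1" ino=17242 scontext=system_u:system_r:httpd_t:s0 '
            'tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0')
SESEARCH_OUTPUT = """\
allow httpd_t file_type:dir { getattr open search };
allow httpd_t httpd_sys_content_t:dir { ioctl lock read };
allow httpd_t httpd_content_type:dir { ioctl lock read }; [ httpd_builtin_scripting ]:True
allow httpd_t httpd_user_content_type:file { getattr ioctl lock open read }; [ httpd_enable_homedirs ]:True
"""
ATTRIBUTES = {  # assumed, partial attribute membership
    "file_type": {"httpd_sys_content_t", "httpd_user_content_t", "mnt_t"},
    "httpd_content_type": {"httpd_sys_content_t"},
    "httpd_user_content_type": {"httpd_user_content_t"},
}
DEFAULT_BOOLS = {"httpd_builtin_scripting": True, "httpd_enable_homedirs": False}  # assumed defaults
AVC_RE = re.compile(r"denied\s+\{ ([^}]+) \}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
RULE_RE = re.compile(r"allow (\S+) (\S+):(\S+) \{ ([^}]+) \};(?: \[ (.+?) \]:(True|False))?")

def parse_avc(line):
    """Extract denied permissions, source type, target type and object class from an AVC record."""
    perms, scontext, tcontext, tclass = AVC_RE.search(line).groups()
    return {"perms": set(perms.split()), "stype": scontext.split(":")[2],
            "ttype": tcontext.split(":")[2], "tclass": tclass}

def parse_rules(text):
    """Parse `sesearch --allow` lines, keeping the booleans each conditional rule depends on."""
    rules = []
    for src, tgt, cls, perms, cond, state in RULE_RE.findall(text):
        bools = re.split(r"\s*&&\s*", cond.strip("() ")) if cond else []  # '' when unconditional
        rules.append({"src": src, "tgt": tgt, "tclass": cls, "perms": set(perms.split()),
                      "bools": bools, "when": state != "False"})
    return rules

def rule_applies(rule, avc, attrs, booleans):
    """True when source, target (type or attribute member) and class match and the condition holds."""
    targets = attrs.get(rule["tgt"], {rule["tgt"]})
    cond_ok = all(booleans.get(b, False) for b in rule["bools"]) == rule["when"]
    return rule["src"] == avc["stype"] and avc["ttype"] in targets and rule["tclass"] == avc["tclass"] and cond_ok

def is_allowed(avc, rules, attrs, booleans):
    """Every denied permission must be granted by at least one rule that applies."""
    return all(any(p in r["perms"] and rule_applies(r, avc, attrs, booleans) for r in rules)
               for p in avc["perms"])
```

Running `is_allowed(parse_avc(AVC_LINE), parse_rules(SESEARCH_OUTPUT), ATTRIBUTES, DEFAULT_BOOLS)` reproduces the denial, and the same call with `ttype` changed to httpd_sys_content_t is allowed, which is what the thread observed.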