[Solved] SELinux Booleans and httpd_enable_homedirs

Tronde
Posts: 18
Joined: 2016/01/16 12:30:10

[Solved] SELinux Booleans and httpd_enable_homedirs

Post by Tronde » 2016/11/28 20:33:50

Hello folks,

First of all, I'd like to mention that English is not my native language. Please bear with me if I make some small mistakes or struggle to make my point. But now back to the subject.

I've learned some basics about SELinux. I was told that the SELinux boolean "httpd_enable_homedirs" would prevent access to Apache userdirs even if Apache is configured to run the userdir module. So I set up Apache with the userdir module enabled, SELinux in enforcing mode and the boolean httpd_enable_homedirs set to off. But whether the boolean is on or off, access to the userdir is allowed. Could someone tell me what I did wrong, or rather did not understand?

Here is my configuration:

[root@centos ~]# cat /etc/centos-release
CentOS Linux release 7.2.1511 (Core) 
[root@centos ~]# getenforce
Enforcing
[root@centos ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> off
[root@centos ~]# grep -v '#' /etc/httpd/conf.d/userdir.conf
<IfModule mod_userdir.c>
    UserDir enabled

    UserDir public_html
</IfModule>

<Directory "/home/*/public_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

[root@centos ~]# curl http://localhost/~tronde/index.html
<h1>Hello User</h1>
[root@centos ~]#
I thought that setting the SELinux boolean "httpd_enable_homedirs --> off" would prevent the access. But instead it is allowed. Could someone tell me what I did wrong, or rather did not understand?

Best regards,
Tronde
Last edited by Tronde on 2016/11/29 18:54:04, edited 1 time in total.

Tronde
Posts: 18
Joined: 2016/01/16 12:30:10

Re: SELinux Booleans and httpd_enable_homedirs

Post by Tronde » 2016/11/28 20:59:13

Well, I set up the same configuration as in my first post on a RHEL 7 system. The configuration there works as expected and the access is restricted.

Here is the RHEL 7 configuration:

Red Hat Enterprise Linux Server release 7.3 (Maipo)
[root@rhel-72-dev ~]# getenforce
Enforcing
[root@rhel-72-dev ~]# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> off

[tronde@rhel-72-dev ~]$ sudo chmod 711 /home/tronde/
[sudo] password for tronde:
[tronde@rhel-72-dev ~]$ mkdir public_html
[tronde@rhel-72-dev ~]$ echo '<h1>Hallo Welt</h1>' > public_html/index.html
[tronde@rhel-72-dev ~]$ chmod 755 public_html
[tronde@rhel-72-dev ~]$ chmod 644 public_html/index.html
[tronde@rhel-72-dev ~]$ curl http://localhost/~tronde/index.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /~tronde/index.html
on this server.</p>
</body></html>
[tronde@rhel-72-dev ~]$
But I have not yet figured out how to enable the booleans in CentOS as well. Maybe someone could give me some advice on how to do this.

Regards,
Tronde

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: SELinux Booleans and httpd_enable_homedirs

Post by hunter86_bg » 2016/11/28 21:55:33

What is the selinux boolean status on the CentOS 7 machine:

semanage boolean -l | egrep 'httpd_read_user_content|httpd_enable_homedirs'
Also, what is the SELinux context of the home directory and its subdirectories?

Tronde
Posts: 18
Joined: 2016/01/16 12:30:10

Re: SELinux Booleans and httpd_enable_homedirs

Post by Tronde » 2016/11/29 05:37:37

Here is the selinux boolean status on the CentOS 7 machine:

[root@centos ~]# semanage boolean -l | egrep 'httpd_read_user_content|httpd_enable_homedirs'
httpd_enable_homedirs          (off  ,  off)  Allow httpd to enable homedirs
httpd_read_user_content        (off  ,  off)  Allow httpd to read user content
And here comes the context of the relevant directories on CentOS 7:

drwx--x--x. tronde tronde unconfined_u:object_r:user_home_dir_t:s0 /home/tronde
drwxr-xr-x. tronde tronde unconfined_u:object_r:httpd_user_content_t:s0 /home/tronde/public_html/
-rw-rw-r--. tronde tronde unconfined_u:object_r:httpd_user_content_t:s0 index.html
On the RHEL 7 machine the output looks the same.

Here is the selinux boolean status on the RHEL 7 machine:

[root@rhel-72-dev ~]# semanage boolean -l | egrep 'httpd_read_user_content|httpd_enable_homedirs'
httpd_enable_homedirs          (off  ,  off)  Allow httpd to enable homedirs
httpd_read_user_content        (off  ,  off)  Allow httpd to read user content
And the contexts on RHEL 7:

drwx--x--x. tronde tronde unconfined_u:object_r:user_home_dir_t:s0 /home/tronde
drwxr-xr-x. tronde tronde unconfined_u:object_r:httpd_user_content_t:s0 /home/tronde/public_html/
-rw-rw-r--. tronde tronde unconfined_u:object_r:httpd_user_content_t:s0 index.html
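
To gather what hunter86_bg asked for (both columns of the boolean state, the directory contexts) together with the policy package version in one pass, here is a small POSIX shell script added as an example for this thread; it is not code anyone posted. It assumes RHEL/CentOS 7 tooling (semanage, sestatus, rpm, ls -Z, ausearch) and takes the user name as a parameter. The two columns in `semanage boolean -l` are the current (runtime) and the persistent value; `setsebool` without `-P` changes only the first, which is why the parser flags a mismatch when they differ.

```shell
#!/bin/sh
# Collect the SELinux evidence for an httpd userdir problem in one pass.
# Added example for this thread, not code posted in it. Assumes the
# targeted policy and RHEL/CentOS 7 tooling; user name is a parameter.
# Usage: sh collect_evidence.sh --collect tronde

# Parse one `semanage boolean -l` line into "current persistent".
# Line shape (constructed from the thread's own output):
#   httpd_enable_homedirs          (off  ,  off)  Allow httpd to enable homedirs
sel_boolean_state() {
    printf '%s\n' "$1" |
        sed -n 's/^[A-Za-z0-9_]*[[:space:]]*(\([a-z]*\)[[:space:]]*,[[:space:]]*\([a-z]*\)).*/\1 \2/p'
}

# "match" when current == persistent, "MISMATCH" when a runtime-only
# setsebool left them different, "unparsed" for anything else.
sel_boolean_consistency() {
    set -- $(sel_boolean_state "$1")
    if [ $# -ne 2 ]; then
        echo unparsed
    elif [ "$1" = "$2" ]; then
        echo match
    else
        echo MISMATCH
    fi
}

# Extract the SELinux type (third field of user:role:type:level) from an
# `ls -Z` line, whatever other columns ls prints in front of it.
sel_type_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 3 && c[2] == "object_r") { print c[3]; exit }
    }'
}

# Everything the thread had to ask for across several posts, for one user.
collect_httpd_homedir_evidence() {
    user=$1
    echo "== policy packages"
    rpm -q selinux-policy selinux-policy-targeted 2>/dev/null
    echo "== mode"
    sestatus 2>/dev/null | grep -E '^(SELinux status|Current mode|Loaded policy name)'
    echo "== booleans (current, persistent)"
    semanage boolean -l 2>/dev/null |
        grep -E '^(httpd_enable_homedirs|httpd_read_user_content)[[:space:]]' |
        while IFS= read -r line; do
            printf '%s -> %s\n' "$line" "$(sel_boolean_consistency "$line")"
        done
    echo "== contexts"
    ls -dZ "/home/$user" "/home/$user/public_html" "/home/$user/public_html"/* 2>/dev/null |
        while IFS= read -r line; do
            printf '%s -> type=%s\n' "$line" "$(sel_type_of "$line")"
        done
    echo "== AVC records for httpd, last 10 minutes (dontaudit rules may hide some)"
    ausearch -m AVC -c httpd -ts recent 2>/dev/null | grep '^type=AVC' || echo "(none logged)"
}

if [ "${1:-}" = "--collect" ]; then
    collect_httpd_homedir_evidence "${2:-tronde}"
fi
```

If the boolean line shows MISMATCH, the test machine was changed with a runtime-only `setsebool` and will revert on the next policy load; `setsebool -P` makes it persistent. If a context line reports anything other than user_home_dir_t for the home directory or httpd_user_content_t for public_html, run `restorecon -Rv /home/<user>` before blaming the boolean.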

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: SELinux Booleans and httpd_enable_homedirs

Post by hunter86_bg » 2016/11/29 14:08:00

Everything seems the same. What is the version of SELinux:

rpm -qa | grep policy

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux Booleans and httpd_enable_homedirs

Post by TrevorH » 2016/11/29 14:28:02

What does sestatus say? Also getsebool httpd_enable_homedirs
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Tronde
Posts: 18
Joined: 2016/01/16 12:30:10

Re: SELinux Booleans and httpd_enable_homedirs

Post by Tronde » 2016/11/29 17:14:40

The SELinux package versions are,

for CentOS:

[root@centos ~]# rpm -qa | grep policy
selinux-policy-3.13.1-60.el7_2.9.noarch
selinux-policy-targeted-3.13.1-60.el7_2.9.noarch
policycoreutils-2.2.5-20.el7.x86_64
checkpolicy-2.1.12-6.el7.x86_64
policycoreutils-python-2.2.5-20.el7.x86_64
[root@centos ~]#
for RHEL:

[root@rhel-72-dev ~]# rpm -qa | grep policy
selinux-policy-targeted-3.13.1-102.el7_3.4.noarch
selinux-policy-3.13.1-102.el7_3.4.noarch
policycoreutils-2.5-9.el7.x86_64
checkpolicy-2.5-4.el7.x86_64
policycoreutils-python-2.5-9.el7.x86_64
[root@rhel-72-dev ~]#
The output of sestatus for,

CentOS:

[root@centos ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@centos ~]#
and RHEL:

[root@rhel-72-dev ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
[root@rhel-72-dev ~]#
You could find the current setting of the boolean httpd_enable_homedirs for CentOS in my first post and for RHEL in the second one.

Well, the package versions in CentOS are older than in RHEL 7. But could that be the reason why the booleans are not working in CentOS? What is the estimated time until the newer package versions will be available in CentOS, too?

For now I guess I have to live with the current behaviour until newer packages are available for CentOS, and then try again. Or do you have any further ideas?

Regards,
Tronde

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux Booleans and httpd_enable_homedirs

Post by TrevorH » 2016/11/29 17:38:39

You could update to 7.3 using yum --enablerepo=cr update, which should even the playing field a little.

Tronde
Posts: 18
Joined: 2016/01/16 12:30:10

[Solved] Re: SELinux Booleans and httpd_enable_homedirs

Post by Tronde » 2016/11/29 18:52:48

TrevorH wrote: You could update to 7.3 using yum --enablerepo=cr update, which should even the playing field a little.
I've done as you suggested. Now, I have the same package versions on my CentOS machine as on the RHEL machine. Now the selinux boolean httpd_enable_homedirs works as expected.

Thanks a lot for your help!
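
The thread settles the problem by updating the policy packages, but it never shows a test that proves the boolean is what does the blocking rather than file permissions or the Apache configuration. The script below is an added example for this thread (not code anyone posted) that makes that differential check: the same request with the boolean on and then off, changed at runtime only so the persistent value stays untouched, followed by the AVC records. It assumes root on a RHEL/CentOS 7 host with Apache and mod_userdir serving /home/<user>/public_html on localhost, SELinux enforcing, and curl, setsebool, restorecon and ausearch present; the user name is a parameter.

```shell
#!/bin/sh
# Differential check for httpd_enable_homedirs: same request with the
# boolean on and then off. Added example for this thread, not code posted
# in it. Assumes RHEL/CentOS 7, targeted policy in enforcing mode, Apache
# with mod_userdir on localhost, and root privileges for setsebool.
# Usage (as root): sh check_homedirs.sh --run tronde

# HTTP status code for a URL, body discarded. curl prints 000 when the
# connection itself fails; the verdict treats that as inconclusive.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1" 2>/dev/null || true
}

# Pure decision function: boolean state + status -> what it tells us.
#   off/403  enforced      SELinux blocks httpd_t from the home directory
#   off/200  NOT-enforced  the symptom reported in this thread
#   on/200   allowed       the boolean permits access, as intended
#   other    inconclusive  DAC permissions, Apache config or no connection
homedir_verdict() {
    case "$1/$2" in
        off/403) echo enforced ;;
        off/200) echo NOT-enforced ;;
        on/200)  echo allowed ;;
        *)       echo inconclusive ;;
    esac
}

check_homedir_enforcement() {
    user=$1
    url="http://localhost/~$user/index.html"
    # getsebool prints "httpd_enable_homedirs --> off"; keep the value to restore it.
    saved=$(getsebool httpd_enable_homedirs | awk '{print $3}')

    # Make sure the label is what the policy expects (httpd_user_content_t);
    # otherwise a stray context, not the boolean, would explain a 403.
    restorecon -R "/home/$user/public_html"

    # Runtime-only changes (no -P): the persistent value is left alone.
    setsebool httpd_enable_homedirs on
    on_status=$(http_status "$url")
    setsebool httpd_enable_homedirs off
    off_status=$(http_status "$url")
    setsebool httpd_enable_homedirs "$saved"

    printf 'boolean on  -> HTTP %s : %s\n' "$on_status" "$(homedir_verdict on "$on_status")"
    printf 'boolean off -> HTTP %s : %s\n' "$off_status" "$(homedir_verdict off "$off_status")"

    echo "AVC records for httpd in the last 10 minutes:"
    ausearch -m AVC -c httpd -ts recent 2>/dev/null | grep '^type=AVC' || echo "(none logged)"
}

if [ "${1:-}" = "--run" ]; then
    check_homedir_enforcement "${2:-tronde}"
fi
```

A 403 with the boolean off is only attributable to SELinux when the same request returns 200 with the boolean on and ausearch shows the denial; a 403 in both states points at DAC permissions (the home directory needs search permission for the apache user, which is what the `chmod 711` earlier in the thread provides) or at the `<Directory>` block. Denials can also be hidden by dontaudit rules: `semodule -DB` switches those off temporarily and `semodule -B` restores them.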
