Hi guys,

This has bin bugging me for a while and i can't seem to find the answer anywhere..
Well that's not entirely true perhaps there is an answer but i can't get to it because i would need a subscription to read the Solution from RedHat.

Here is the url i'm talking about;
https://t.co/k1AXXElGvi

My problem; SELinux Enforcing not honouring httpd_enable_homedirs
I'm running Centos 7.1 on a fresh install ..
And did not modify any Booleans and SELinux is active and enforcing..
Here sum screen output..

# Here you can see/confirm that the boolean is off..
semanage boolean -l|grep home|grep http
httpd_enable_homedirs (off , off) Allow httpd to enable homedirs

# output from this command is empty i haven't touched any boolean..
semanage boolean -lC


Others have the same problem ..but no answer..
http://stackoverflow.com/questions/21566234/selinux-enforcing-not-honouring-httpd-enable-homedirs-off

At the moment it's not a real problem just one that's bugging me ..Like a "ich i couldn't scratch"

Not sure but i think i have an idea about the confusion.

There are two booleans that govern web access to home.

httpd_enable_homedirs and httpd_read_user_content (or something along those lines)

the former just allows web to "traverse" "$HOME", the latter allows web to "traverse" "$HOME" PLUS allows the web to read user home content.

So if httpd_enable_homedirs is set to off but httpd_read_user_content is set to on then it can still access home.

thx for your response deverride

i'm afraid that the boolean "httpd_read_user_content" doesn't appear to be the culprit..

So i just tested it on a fresh install..Centos 7 vm.

Status of both booleans in question is.

httpd_read_user_content (off , off) Allow httpd to read user content
httpd_enable_homedirs (off , off) Allow httpd to enable homers

in fact asking the system if any boolean has bin changed returns nothing so all is pristine in the land of SeLinux
i do a yum install of "Apache HTTP Server" edit /etc/httpd/conf.d/userdir.conf and enable home dir inside http setting.
Restart http en use lynx to open user dir like so.

lynx http://localhost/~username/index.html

Here i expect to get an error and have to go digging in the system log to find a nice SELinux error waiting for me
btw the system is in Enforcing mode just if you where wondering

so what now ???
I do believe RedHat has the answer but i don't have a subscription so can't tell if that's so??
Here is the Link for anyone that does have a sub and want's to share

https://t.co/k1AXXElGvi

So you are saying that apache is able to access the /home/username/public_html when both booleans are off?

Here is the redhat selinux users and administators guide:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/

have a look at the Webserver section in particular.

There are also the booleans described:

httpd_enable_homedirs
When disabled, this Boolean prevents httpd from accessing user home directories. Enable this Boolean to allow httpd access to user home directories; for example, content in /home/*/.

AFAIK apache should not be able to traverse /home/username when both booleans are set to off.

I do not have a subscription either so i can't read the solution in the url either.

what does "sesearch -ASCT -s httpd_t -t home_dir_t" return? (sesearch is part of the setools-console package)

Hi doverride,

Sorry for my late respons had sum personal issues to deal with..
Ahh wel such is live.. So i'm back at it..messing around with Centos and SeLinux..

Last time you asked what the results of "research -ASCT -s httpd_t -t home_dir_t"

ERROR: could not find datum for type home_dir_t

ERROR: could not find datum for type home_dir_t

ERROR: could not find datum for type home_dir_t

So reading the manpage i couldn't find any reason for the error so i tried this and got sum results.
(btw datum is dutch for date, can't see a reason why it come with that error but then again i can't say i fully understand the query that well hahah.)

So here is the output and command. (thanks for your input on the matter)


sesearch -ASCT -s httpd_t|grep -i home

allow httpd_t home_root_t : dir { getattr search open } ;
allow httpd_t home_root_t : lnk_file { read getattr } ;
allow domain admin_home_t : dir { getattr search open } ;
allow domain admin_home_t : lnk_file { read getattr } ;
allow daemon user_home_t : file { getattr append } ;
DT allow httpd_t home_root_t : dir { ioctl read getattr lock search open } ; [ httpd_enable_homedirs ]
DT allow httpd_t home_root_t : dir { getattr search open } ; [ httpd_read_user_content ]
DT allow httpd_t home_root_t : lnk_file { read getattr } ; [ httpd_enable_homedirs ]
DT allow httpd_t home_root_t : lnk_file { read getattr } ; [ httpd_read_user_content ]
DT allow httpd_t user_home_type : file { ioctl read getattr lock open } ; [ httpd_read_user_content ]
DT allow httpd_t user_home_type : dir { getattr search open } ; [ httpd_enable_homedirs ]
DT allow httpd_t user_home_type : dir { ioctl read getattr lock search open } ; [ httpd_read_user_content ]
DT allow httpd_t user_home_type : lnk_file { read getattr } ; [ httpd_enable_homedirs ]
DT allow httpd_t user_home_dir_t : dir { getattr search open } ; [ httpd_enable_homedirs ]
DT allow httpd_t user_home_dir_t : dir { ioctl read getattr lock search open } ; [ httpd_read_user_content ]
DT allow httpd_t user_home_dir_t : lnk_file { read getattr } ; [ httpd_enable_homedirs ]
DT allow httpd_t user_home_dir_t : lnk_file { read getattr } ; [ httpd_read_user_content ]
DT allow httpd_t autofs_t : dir { ioctl read getattr lock search open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
DT allow httpd_t cifs_t : file { ioctl read getattr lock open } ; [ httpd_enable_homedirs use_samba_home_dirs && ]
DT allow httpd_t cifs_t : dir { ioctl read getattr lock search open } ; [ httpd_enable_homedirs use_samba_home_dirs && ]
DT allow httpd_t cifs_t : lnk_file { read getattr } ; [ httpd_enable_homedirs use_samba_home_dirs && ]
DT allow httpd_t nfs_t : file { ioctl read getattr lock open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
DT allow httpd_t nfs_t : dir { ioctl read getattr lock search open } ; [ httpd_enable_homedirs use_nfs_home_dirs && ]
DT allow httpd_t nfs_t : lnk_file { read getattr } ; [ httpd_enable_homedirs use_nfs_home_dirs &&