On Sat, 2006-07-29 at 19:42 -0300, Clodoaldo Pinto wrote: > 2006/7/29, Paul Howarth <paul@xxxxxxxxxxxx>: > > On Sat, 2006-07-29 at 14:56 -0300, Clodoaldo Pinto wrote: > > > FC5. After upgrading phpBB from 2.0.19 to 2.0.21 I get this message: > > > > > > kernel: audit(1154193819.965:244): avc: denied { getattr } for > > > pid=10862 comm="httpd" name="index.php" dev=sda1 ino=2553454 > > > scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:tmp_t:s0 > > > tclass=file > > > > > > Why didn't I have it with the old version? > > > > The old version was probably installed properly... > > > > > I know there are booleans related to httpd: > > > > > > # getsebool -a | grep httpd > > > allow_httpd_anon_write --> off > > > allow_httpd_mod_auth_pam --> off > > > allow_httpd_sys_script_anon_write --> off > > > httpd_builtin_scripting --> on > > > httpd_can_network_connect --> off > > > httpd_can_network_connect_db --> on > > > httpd_can_network_relay --> off > > > httpd_disable_trans --> off > > > httpd_enable_cgi --> on > > > httpd_enable_ftp_server --> off > > > httpd_enable_homedirs --> on > > > httpd_rotatelogs_disable_trans --> off > > > httpd_ssi_exec --> on > > > httpd_suexec_disable_trans --> off > > > httpd_tty_comm --> off > > > httpd_unified --> on > > > > > > Which one, if any, can solve this problem? > > > > None of them. The problem is that the file has the wrong context type, > > probably due to having bee unpacked in /tmp and copied into your web > > server area. You need to change the context type of the php files and > > the directory they are in to httpd_sys_content_t. > > The patch was unpacked in my home directory and copied to > /var/www/html/domain which is owned by me. > > The upgrade process is: > $ patch -cl -p1 < phpBB-2.0.19_to_2.0.21.patch > > This changes already existing files. And it also changes their > contexts to tmp_t as patch uses the /tmp directory for temporary > files: > > $ ls -aZ > drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t . > drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .. > drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t admin > drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t cache > -rw-r--r-- cpn cpn user_u:object_r:tmp_t common.php > -rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t config.php > drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t db > drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t docs > -rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t extension.inc > -rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t faq.php > -rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t groupcp.php > drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t images > drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t includes > -rw-r--r-- cpn cpn user_u:object_r:tmp_t index.php > drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t language > -rw-r--r-- cpn cpn user_u:object_r:tmp_t login.php > -rw-rw-r-- cpn cpn user_u:object_r:tmp_t memberlist.php > -rw-rw-r-- cpn cpn user_u:object_r:httpd_sys_content_t memberlist.php.orig > -rw-r--r-- cpn cpn user_u:object_r:tmp_t modcp.php > -rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t > phpBB-2.0.19_to_2.0.21.patch > -rw-r--r-- cpn cpn user_u:object_r:tmp_t posting.php > -rw-r--r-- cpn cpn user_u:object_r:tmp_t privmsg.php > -rw-r--r-- cpn cpn user_u:object_r:tmp_t profile.php > -rw-r--r-- cpn cpn user_u:object_r:tmp_t search.php > drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t templates > -rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t viewforum.php > -rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t viewonline.php > -rw-r--r-- cpn cpn user_u:object_r:tmp_t viewtopic.php > > I changed the contexts back with chcon: > > $ chcon -R -t httpd_sys_content_t * > > Is it necessary to use chcon whenever a patch is applied or is there a > way to change patch's behavior or some selinux configuration? It'll be safest to check contexts after using patch and fix them if necessary. In this particular case you might avoid the problem by persuading patch to use a temporary directory that has the httpd_sys_content_t type, but that approach won't work in all cases. Paul. -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list