Re: SELinux avc: denied after upgrading phpBB

On Sat, 2006-07-29 at 19:42 -0300, Clodoaldo Pinto wrote:
> 2006/7/29, Paul Howarth <paul@xxxxxxxxxxxx>:
> > On Sat, 2006-07-29 at 14:56 -0300, Clodoaldo Pinto wrote:
> > > FC5. After upgrading phpBB from 2.0.19 to 2.0.21 I get this message:
> > >
> > > kernel: audit(1154193819.965:244): avc:  denied  { getattr } for
> > > pid=10862 comm="httpd" name="index.php" dev=sda1 ino=2553454
> > > scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:tmp_t:s0
> > > tclass=file
> > >
> > > Why didn't I have it with the old version?
> >
> > The old version was probably installed properly...
> >
> > > I know there are booleans related to httpd:
> > >
> > > # getsebool -a | grep httpd
> > > allow_httpd_anon_write --> off
> > > allow_httpd_mod_auth_pam --> off
> > > allow_httpd_sys_script_anon_write --> off
> > > httpd_builtin_scripting --> on
> > > httpd_can_network_connect --> off
> > > httpd_can_network_connect_db --> on
> > > httpd_can_network_relay --> off
> > > httpd_disable_trans --> off
> > > httpd_enable_cgi --> on
> > > httpd_enable_ftp_server --> off
> > > httpd_enable_homedirs --> on
> > > httpd_rotatelogs_disable_trans --> off
> > > httpd_ssi_exec --> on
> > > httpd_suexec_disable_trans --> off
> > > httpd_tty_comm --> off
> > > httpd_unified --> on
> > >
> > > Which one, if any, can solve this problem?
> >
> > None of them. The problem is that the file has the wrong context type,
> > probably due to having been unpacked in /tmp and copied into your web
> > server area. You need to change the context type of the php files and
> > the directory they are in to httpd_sys_content_t.
> 
> The patch was unpacked in my home directory and copied to
> /var/www/html/domain which is owned by me.
> 
> The upgrade process is:
> $ patch -cl -p1 < phpBB-2.0.19_to_2.0.21.patch
> 
> This changes already existing files. And it also changes their
> contexts to tmp_t as patch uses the /tmp directory for temporary
> files:
> 
> $ ls -aZ
> drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t .
> drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t ..
> drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t admin
> drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t cache
> -rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            common.php
> -rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t config.php
> drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t db
> drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t docs
> -rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t extension.inc
> -rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t faq.php
> -rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t groupcp.php
> drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t images
> drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t includes
> -rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            index.php
> drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t language
> -rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            login.php
> -rw-rw-r--  cpn  cpn  user_u:object_r:tmp_t            memberlist.php
> -rw-rw-r--  cpn  cpn  user_u:object_r:httpd_sys_content_t memberlist.php.orig
> -rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            modcp.php
> -rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t
> phpBB-2.0.19_to_2.0.21.patch
> -rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            posting.php
> -rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            privmsg.php
> -rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            profile.php
> -rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            search.php
> drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t templates
> -rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t viewforum.php
> -rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t viewonline.php
> -rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            viewtopic.php
> 
> I changed the contexts back with chcon:
> 
> $ chcon -R -t httpd_sys_content_t *
> 
> Is it necessary to use chcon whenever a patch is applied or is there a
> way to change patch's behavior or some selinux configuration?

It'll be safest to check contexts after using patch and fix them if
necessary. In this particular case you might avoid the problem by
persuading patch to use a temporary directory that has the
httpd_sys_content_t type, but that approach won't work in all cases.

Paul.

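An added check in the spirit of Paul's advice, written for this archive page and not code from the thread, phpBB or Fedora: it reads `ls -Z`-style output, reports every entry whose type is not httpd_sys_content_t (the tmp_t files patch left behind above), and relabels with restorecon rather than chcon, so the result matches the policy's file_contexts and survives a later relabel. WEBROOT is a placeholder, the sample listing is constructed from the one quoted above, and the format assumption (context is the field with at least two colons, name is the last field) is mine.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a web root for entries
# whose SELinux type is not the one httpd may read, then relabel from policy.
#
# Assumptions (mine): the context is the only ls field with two or more
# colons (works for "user_u:object_r:tmp_t" and MLS "...:tmp_t:s0", and for
# both the FC5 and newer `ls -lZ` layouts); the name is the last field, so
# names containing spaces are not handled. WEBROOT is a placeholder.

WEBROOT="${WEBROOT:-/var/www/html/domain}"   # placeholder, set to your site

# Read `ls -Z`-style lines on stdin and print "name:type" for every entry
# whose type (third colon-separated part of the context) is not $1.
# Header lines ("total 12") and the parent entry ".." are skipped.
find_mislabeled() {
    awk -v want="$1" '
        {
            ctx = ""
            for (i = 1; i <= NF; i++)
                if (split($i, c, ":") >= 3) { ctx = $i; break }
            if (ctx == "" || $NF == "..") next
            if (c[3] != want) print $NF ":" c[3]
        }'
}

# Number of mislabeled entries, so a script can decide whether to relabel.
count_mislabeled() {
    find_mislabeled "$1" | wc -l | tr -d ' '
}

# Constructed sample, taken from the FC5 listing quoted in the thread.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t .
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t ..
drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t admin
-rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            common.php
-rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t config.php
-rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            index.php
-rw-rw-r--  cpn  cpn  user_u:object_r:httpd_sys_content_t memberlist.php.orig
EOF
}

# Live check: list the web root and relabel from the policy's file_contexts
# if anything is off. restorecon, unlike chcon, applies the label the policy
# defines for the path, so the fix is not lost on the next relabel.
check_and_relabel() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    bad=$(ls -laZ "$dir" | find_mislabeled httpd_sys_content_t)
    if [ -z "$bad" ]; then
        echo "all entries in $dir are httpd_sys_content_t"
        return 0
    fi
    echo "mislabeled entries in $dir:"
    echo "$bad"
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -Rv "$dir"
    else
        echo "restorecon not available; would run: restorecon -Rv $dir" >&2
        return 1
    fi
}

# Demonstration on the constructed sample; needs no SELinux to run.
sample_listing | find_mislabeled httpd_sys_content_t
```

Run `check_and_relabel "$WEBROOT"` after each patch instead of chcon; the audit log line quoted at the top of the thread (tcontext=...:tmp_t on index.php) is exactly what this check would have flagged before httpd tripped over it.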

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list