Re: SELinux avc: denied after upgrading phpBB

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Paul Howarth wrote:
On Sat, 2006-07-29 at 19:42 -0300, Clodoaldo Pinto wrote:
2006/7/29, Paul Howarth <paul@xxxxxxxxxxxx>:
On Sat, 2006-07-29 at 14:56 -0300, Clodoaldo Pinto wrote:
FC5. After upgrading phpBB from 2.0.19 to 2.0.21 I get this message:

kernel: audit(1154193819.965:244): avc:  denied  { getattr } for
pid=10862 comm="httpd" name="index.php" dev=sda1 ino=2553454
scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:tmp_t:s0
tclass=file

Why didn't I have it with the old version?
The old version was probably installed properly...

I know there are booleans related to httpd:

# getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_can_network_relay --> off
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> on
httpd_suexec_disable_trans --> off
httpd_tty_comm --> off
httpd_unified --> on

Which one, if any, can solve this problem?
None of them. The problem is that the file has the wrong context type,
probably due to having bee unpacked in /tmp and copied into your web
server area. You need to change the context type of the php files and
the directory they are in to httpd_sys_content_t.
The patch was unpacked in my home directory and copied to
/var/www/html/domain which is owned by me.

The upgrade process is:
$ patch -cl -p1 < phpBB-2.0.19_to_2.0.21.patch

This changes already existing files. And it also changes their
contexts to tmp_t as patch uses the /tmp directory for temporary
files:

$ ls -aZ
drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t .
drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t ..
drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t admin
drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t cache
-rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            common.php
-rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t config.php
drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t db
drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t docs
-rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t extension.inc
-rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t faq.php
-rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t groupcp.php
drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t images
drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t includes
-rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            index.php
drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t language
-rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            login.php
-rw-rw-r--  cpn  cpn  user_u:object_r:tmp_t            memberlist.php
-rw-rw-r--  cpn  cpn  user_u:object_r:httpd_sys_content_t memberlist.php.orig
-rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            modcp.php
-rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t
phpBB-2.0.19_to_2.0.21.patch
-rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            posting.php
-rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            privmsg.php
-rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            profile.php
-rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            search.php
drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t templates
-rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t viewforum.php
-rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t viewonline.php
-rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            viewtopic.php

I changed the contexts back with chcon:

$ chcon -R -t httpd_sys_content_t *

Is it necessary to use chcon whenever a patch is applied or is there a
way to change patch's behavior or some selinux configuration?

It'll be safest to check contexts after using patch and fix them if
necessary. In this particular case you might avoid the problem by
persuading patch to use a temporary directory that has the
httpd_sys_content_t type, but that approach won't work in all cases.

Paul.



Can you open a bugzilla on patch. It should maintain the XATTRs on the file it is patching.


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux