On Wed, 23 Feb 2005 09:49:06 -0500, Colin Walters <walters@xxxxxxxxxx> wrote:
> On Tue, 2005-02-22 at 16:44 -0700, Tom Lisjac wrote:
>
> > I was under the impression that mod_php and the webserver ran in the
> > same context...
>
> You are correct; mod_php code does run in the same context as Apache
> (i.e. httpd_t), because it runs in-process.
>
> > avc: denied { getattr } for pid=32122 exe=/usr/bin/aspell
> > path=/tmp/spellkQimNQ dev=hda2 ino=326408
> > scontext=root:system_r:httpd_sys_script_t
> > tcontext=root:object_r:httpd_tmp_t tclass=file
>
> Note however here that the source context is httpd_sys_script_t (not
> httpd_t), which means it's a CGI script. CGI scripts by default run in
> a separate context.
>
> Are you really sure that you don't have an external CGI script being
> run?

You're right. I looked at the php code and aspell is being called using an
exec... which appears to spawn a shell process. I understand the
distinction now... thanks.

> Because as best I can tell, the write was done by the main webserver
> process, and the read is being attempted by a CGI script.
>
> Consider the case where Apache keeps temporary data files containing
> private information in /tmp; in general you don't want CGI scripts to be
> able to read that.

That makes sense... especially for things like session information that
could contain login credentials or other personal data.

> You should probably upgrade to FC3; a huge amount of work has gone into
> the policy (but we still have a lot more to do...).

I'm running FC3 with SELinux enabled on all my internet facing servers. :)
I never got there with FC2... it was just too difficult. Many thanks to
everyone who contributed to the FC3 revisions and targeted policy!

-Tom
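The point of the exchange above is that the AVC line itself tells you which domain is acting: the source type in scontext is httpd_sys_script_t (a CGI script domain), not httpd_t (the in-process web server), and the target type httpd_tmp_t is the label the server put on its own /tmp file. The following is an added example, not code from the original thread or from any Fedora tool; it parses AVC denials, pulls out the source and target types, says which part of the httpd stack the source domain belongs to, and renders the Type Enforcement allow rule that the denial implies. The first sample line is the denial quoted in the thread; the second is a constructed, hypothetical denial from the main httpd_t domain, included only to show the contrast.

```python
"""Parse SELinux AVC denial messages and explain which httpd domain is acting.

Added example; not code from the mailing-list thread. The sample log lines
are constructed: the first reproduces the denial quoted in the thread, the
second is a hypothetical denial from the in-process server domain.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input. Real 2.6-era kernels prefix this with
# "audit(<timestamp>):" and use extra spaces; the regexes tolerate both.
SAMPLE_LOG = [
    "avc: denied { getattr } for pid=32122 exe=/usr/bin/aspell "
    "path=/tmp/spellkQimNQ dev=hda2 ino=326408 "
    "scontext=root:system_r:httpd_sys_script_t "
    "tcontext=root:object_r:httpd_tmp_t tclass=file",
    # Hypothetical line, not from the thread: the server itself is denied.
    "avc:  denied  { read write } for  pid=4242 exe=/usr/sbin/httpd "
    "path=/var/www/html/app/cache dev=hda2 ino=1 "
    "scontext=root:system_r:httpd_t "
    "tcontext=root:object_r:httpd_sys_content_t tclass=dir",
]

# "avc: denied { perm perm } for key=value key=value ..."
_AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
_FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class AvcDenial:
    verdict: str
    perms: list[str]
    fields: dict[str, str]

    @property
    def source_type(self) -> str:
        # A context is user:role:type[:level]; the type is the third field.
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]

    def allow_rule(self) -> str:
        # The TE rule that would silence this denial (what audit2allow
        # would print). Whether it *should* be added is a policy decision.
        perms = " ".join(self.perms)
        return f"allow {self.source_type} {self.target_type}:{self.fields['tclass']} {{ {perms} }};"


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Return the parsed denial, or None if the line is not an AVC record."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = dict(_FIELD_RE.findall(m.group("fields")))
    if "scontext" not in fields or "tcontext" not in fields or "tclass" not in fields:
        return None
    return AvcDenial(m.group("verdict"), perms, fields)


def classify_httpd_source(d: AvcDenial) -> str:
    """Map the source domain onto the part of the web stack that is acting."""
    t = d.source_type
    if t == "httpd_t":
        return "in-process web server (mod_php, mod_perl, ...)"
    if t.startswith("httpd_") and t.endswith("_script_t"):
        return "external CGI script (separate domain)"
    return "not an httpd domain"


def explain(line: str) -> Optional[dict]:
    """One-line summary a practitioner can read off an audit log."""
    d = parse_avc(line)
    if d is None:
        return None
    return {
        "exe": d.fields.get("exe"),
        "source_type": d.source_type,
        "target_type": d.target_type,
        "perms": d.perms,
        "actor": classify_httpd_source(d),
        "implied_rule": d.allow_rule(),
    }


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(explain(entry))
```

Running it on the thread's line prints actor "external CGI script (separate domain)" and the implied rule `allow httpd_sys_script_t httpd_tmp_t:file { getattr };`. That rule is exactly what you would not want to add blindly, for the reason Colin gives: it would let any CGI script read files the server keeps in /tmp. Fixing the PHP code so it does not exec out to aspell, or relabeling the aspell scratch file, keeps the separation intact.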