On 10/18/2010 10:46 AM, Vadym Chepkov wrote:
> Hi,
>
> I have an issue I would like to fix properly.
>
> I have a policy for mediawiki defined this way:
>
> apache_content_template(mediawiki)
> apache_search_sys_content(httpd_mediawiki_script_t)
>
> /var/www/mediawiki/bin(/.*)?
> gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
> /var/www/mediawiki/images(/.*)?
> gen_context(system_u:object_r:httpd_mediawiki_script_rw_t,s0)
> /var/www/mediawiki/cache(/.*)?
> gen_context(system_u:object_r:httpd_mediawiki_script_rw_t,s0)
>
> And it works fine. The trouble occurs when you upload a new version
> of an existing file (any file goes under images, by the way).
> I assume mediawiki in this case creates a file in some temp directory,
> removes the original file and then moves the file in place.
> This causes the context to be set like this:
>
> d/d6:
> -rw-r--r-- apache apache system_u:object_r:httpd_tmp_t:s0 Speedtest.png
>
> instead of "normal"
>
> d/d3:
> -rw-r--r-- apache apache system_u:object_r:httpd_mediawiki_script_rw_t:s0 PuTTY2.png
>
> Here are related AVCs:
>
> time->Mon Oct 18 13:45:03 2010
> type=SYSCALL msg=audit(1287409503.893:6728): arch=c000003e syscall=4 success=no exit=-13 a0=7fff25eb8490 a1=7fff25eb53c0 a2=7fff25eb53c0 a3=0 items=0 ppid=14205 pid=14206 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="convert" exe="/usr/bin/convert" subj=system_u:system_r:httpd_mediawiki_script_t:s0 key=(null)
> type=AVC msg=audit(1287409503.893:6728): avc: denied { getattr } for pid=14206 comm="convert" path="/var/www/mediawiki/images/d/d6/Speedtest.png" dev=sda1 ino=737287 scontext=system_u:system_r:httpd_mediawiki_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
> ----
> time->Mon Oct 18 13:45:03 2010
> type=SYSCALL msg=audit(1287409503.893:6729): arch=c000003e syscall=2 success=no exit=-13 a0=7fff25eb8490 a1=0 a2=1b6 a3=0 items=0 ppid=14205 pid=14206 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="convert" exe="/usr/bin/convert" subj=system_u:system_r:httpd_mediawiki_script_t:s0 key=(null)
> type=AVC msg=audit(1287409503.893:6729): avc: denied { read } for pid=14206 comm="convert" name="Speedtest.png" dev=sda1 ino=737287 scontext=system_u:system_r:httpd_mediawiki_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
>
>
> I'd rather not allow mediawiki access to generic httpd_tmp_t, so I
> wonder if there is a way to enforce the proper context when the file is
> being moved in place?
>
> Thank you,
> Vadym
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Can you find the code that is doing the mv and add a restorecon, or change it to a cp followed by a rm.
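As an added example, not code from this thread or from the SELinux project: a small Python script that does the triage step behind Vadym's question. It takes the three file_contexts entries from his policy and the two AVC records he posted (embedded below as constructed sample input; the SYSCALL records are left out), works out which type each denied path should carry, and reports files whose actual label (httpd_tmp_t) differs from the one the policy expects (httpd_mediawiki_script_rw_t). The second AVC carries only name= and no full path, so the script resolves it through the dev/ino pair shared with the first record. The file_contexts matching rule used here (the longest fully matching regex wins) is an assumption that approximates what setfiles/restorecon do; it is not libselinux's exact algorithm.

```python
import re

# Constructed: the file_contexts entries from the policy quoted in the thread.
FILE_CONTEXTS = [
    (r"/var/www/mediawiki/bin(/.*)?",    "httpd_mediawiki_script_exec_t"),
    (r"/var/www/mediawiki/images(/.*)?", "httpd_mediawiki_script_rw_t"),
    (r"/var/www/mediawiki/cache(/.*)?",  "httpd_mediawiki_script_rw_t"),
]

# Constructed sample input: the two AVC records from the thread, one per line.
AVC_LOG = """\
type=AVC msg=audit(1287409503.893:6728): avc: denied { getattr } for pid=14206 comm="convert" path="/var/www/mediawiki/images/d/d6/Speedtest.png" dev=sda1 ino=737287 scontext=system_u:system_r:httpd_mediawiki_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
type=AVC msg=audit(1287409503.893:6729): avc: denied { read } for pid=14206 comm="convert" name="Speedtest.png" dev=sda1 ino=737287 scontext=system_u:system_r:httpd_mediawiki_script_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of key=value fields for an AVC denial line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """user:role:type:level -> type."""
    return ctx.split(":")[2]


def expected_type(path, specs=FILE_CONTEXTS):
    """Assumed approximation of file_contexts lookup: longest full match wins."""
    best = None
    for regex, typ in specs:
        if re.fullmatch(regex, path) and (best is None or len(regex) > len(best[0])):
            best = (regex, typ)
    return best[1] if best else None


def find_mislabeled(log, specs=FILE_CONTEXTS):
    """Map each denied path whose label disagrees with file_contexts to details."""
    records = [r for r in (parse_avc(l) for l in log.splitlines()) if r]
    # Records that carry path= let us resolve later records that only carry
    # name= (as the read denial does) via the shared dev/ino pair.
    inode_path = {(r["dev"], r["ino"]): r["path"] for r in records if "path" in r}
    report = {}
    for r in records:
        path = r.get("path") or inode_path.get((r.get("dev"), r.get("ino")))
        if path is None:
            continue  # no way to attribute this denial to a path
        actual = context_type(r["tcontext"])
        want = expected_type(path, specs)
        if want is None or actual == want:
            continue  # not covered by our policy, or already labeled correctly
        entry = report.setdefault(path, {"actual": actual, "expected": want, "denied": []})
        entry["denied"].extend(r["perms"])
    return report


def restorecon_commands(report):
    """The relabel step the reply suggests adding after the mv, one per path."""
    return ["restorecon -v %s" % path for path in sorted(report)]


if __name__ == "__main__":
    found = find_mislabeled(AVC_LOG)
    for path, info in found.items():
        print("%s: labeled %s, policy expects %s (denied: %s)"
              % (path, info["actual"], info["expected"], " ".join(info["denied"])))
    for cmd in restorecon_commands(found):
        print(cmd)
```

Run over the two records it reports Speedtest.png once, with both denied permissions (getattr, read) folded together, and prints the restorecon line that would relabel it. The same script can be pointed at the AVC lines of a real `ausearch -m AVC` run to spot other uploads that came through the temp directory with their httpd_tmp_t label intact; whether the mv is followed by restorecon or replaced by cp plus rm, the report should then come back empty.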