On 10/03/2011 12:39 PM, Dominick Grift wrote:
> On Mon, 2011-10-03 at 12:29 -0400, Scott Gifford wrote:
>> PHP uploads files into a temporary directory, where they are
>> given the label "httpd_tmp_t". When a PHP script processes them,
>> it calls move_uploaded_file to move the newly uploaded file into
>> its final location. This function does some validity checks,
>> then does a rename(2) from the temporary location to the location
>> passed to move_uploaded_file.
>
> Your web app would need to copy the file instead.
>
> Or why not make your app create the file in the final destination
> in the first place, then rename it there.
>
>> The problem is that after the rename, the file still retains its
>> original label, "httpd_tmp_t". That makes it inconsistent with
>> files and directories which weren't uploaded, and requires some
>> policy gymnastics to take into account that anything that could
>> have been uploaded might have the "httpd_tmp_t" type.
>
>> I am wondering if there is some good way to automatically relabel
>> this file when it is renamed?
>>
>> I would like for the PHP application to work on SELinux and
>> non-SELinux systems, so I would prefer not to make calls out to
>> SELinux-specific scripts and programs (like restorecon). What I
>> would really like is some configuration option that would just
>> relabel files according to their destination when they are
>> rename(2)'d, but that may be asking too much. :-)
>
> That is not practical because whatever moves the file might not be
> allowed to relabelto the target location type.
>
> So I do not think that this is feasible.
>
>>
>> Thanks for any advice,
>>
>>
>> -----Scott.

Either that or make sure the upload directory (hint, don't use /tmp)
has the correct label.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
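
The copy-instead-of-rename approach suggested in the thread, as an added PHP example that is not part of any poster's message: it creates a new file in the destination directory, which SELinux labels from that directory (or a type_transition rule), whereas rename(2) keeps the temporary file's "httpd_tmp_t" label. The function name `store_upload_by_copy` and the path in the usage comment are assumptions, and the web server's domain must already be allowed to create files in the destination directory.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not from the thread): store an upload by creating a
 * new file in the destination instead of rename(2)-ing the temporary file.
 * Uses only portable PHP calls, so it behaves the same without SELinux.
 */
function store_upload_by_copy(string $tmpPath, string $destPath): void
{
    // Keep the validity check move_uploaded_file() performs: accept only
    // a file that PHP itself received through an HTTP POST upload.
    if (!is_uploaded_file($tmpPath)) {
        throw new RuntimeException('not an uploaded file');
    }

    $src = fopen($tmpPath, 'rb');
    if ($src === false) {
        throw new RuntimeException('cannot open uploaded file');
    }

    // Mode 'x' creates the file and fails if it already exists, so the
    // result is always a new inode, labelled at creation time from the
    // destination directory rather than carrying over httpd_tmp_t.
    $dst = fopen($destPath, 'xb');
    if ($dst === false) {
        fclose($src);
        throw new RuntimeException('cannot create destination file');
    }

    $copied = stream_copy_to_stream($src, $dst);
    $ok = ($copied !== false) && fflush($dst);
    fclose($src);
    $ok = fclose($dst) && $ok;

    if (!$ok) {
        unlink($destPath); // do not leave a partial file behind
        throw new RuntimeException('copy failed');
    }

    // Remove the temporary file now; PHP would otherwise delete it when
    // the request ends.
    unlink($tmpPath);
}

// Usage (constructed path; $safeName is a name the application has validated):
// store_upload_by_copy($_FILES['file']['tmp_name'], '/srv/app/uploads/' . $safeName);
```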