On Oct 4, 2011, at 7:00 AM, Vadym Chepkov wrote:

> On Oct 3, 2011, at 12:39 PM, Dominick Grift wrote:
>
>> On Mon, 2011-10-03 at 12:29 -0400, Scott Gifford wrote:
>>> PHP uploads files into a temporary directory, where they are given the
>>> label "httpd_tmp_t". When a PHP script processes them, it
>>> calls move_uploaded_file to move the newly uploaded file into its
>>> final location. This function does some validity checks, then does a
>>> rename(2) from the temporary location to the location passed to
>>> move_uploaded_file.
>>
>> Your web app would need to copy the file instead.
>>
>> Or why not make your app create the file in the final destination in the
>> first place, then rename it there.
>>
>>> The problem is that after the rename, the file still retains its
>>> original label, "httpd_tmp_t". That makes it inconsistent with files
>>> and directories which weren't uploaded, and requires some policy
>>> gymnastics to take into account that anything that could have been
>>> uploaded might have the "httpd_tmp_t" type.
>>
>>> I am wondering if there is some good way to automatically relabel this
>>> file when it is renamed?
>>>
>>> I would like for the PHP application to work on SELinux and
>>> non-SELinux systems, so I would prefer not to make calls out to
>>> SELinux-specific scripts and programs (like restorecon). What I would
>>> really like is some configuration option that would just relabel files
>>> according to their destination when they are rename(2)'d, but that may
>>> be asking too much. :-)
>>
>> That is not practical because whatever moves the file might not be
>> allowed to relabelto the target location type.
>>
>> So I do not think that this is feasible.
>>
>>> Thanks for any advice,
>>>
>>> -----Scott.
>
> Hi,
>
> I think it's one of those cases where if a person asks how to shoot himself, he shouldn't be provided any recipes :)
>
> I understand where this requirement is coming from. Many current web engines nowadays allow you to install "extensions" or "plugins" via a web interface.
> This is convenient, but absolutely insecure - think about it, you are trying to allow the application to do self code modifications, the very thing that SELinux should help you to prevent.
> A bug in wordpress/phpbb/cms made simple/whatever together with this SELinux backdoor would allow installation of malicious code on your server. I bet you have
> GRANT ALL PRIVILEGES ON database.* to webuser, and you will wake up with no website, for example, or stolen sensitive data.
> Convenience and security most times contradict each other. Install your php code manually.
>
> Vadym

In those cases where uploads are indeed necessary - never had an issue:

# wiki
/var/www/vvcwiki/bin(/.*)?              gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
/var/www/vvcwiki/images(/.*)?           gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
/var/www/vvcwiki/cache(/.*)?            gen_context(system_u:object_r:httpd_mediawiki_rw_content_t,s0)
# chat
/var/www/phpfreechat/data(/.*)?         gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
# Google sitemap
/var/www/(.*/)?sitemap\.xml(\.gz)?      gen_context(system_u:object_r:httpd_cache_t,s0)
# Kayako
/var/www/kayako/__swift/cache(/.*)?     gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/kayako/__swift/files(/.*)?     gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/kayako/__swift/geoip(/.*)?     gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/kayako/__swift/log(/.*)?       gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
# wordpress
/var/www/.*/wp-content/uploads(/.*)?    gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
# phpbb
/var/www/phpbb/cache(/.*)?              gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/phpbb/files(/.*)?              gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/www/phpbb/images(/.*)?             gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)

Cheers,
Vadym

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
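The two suggestions Dominick makes above (copy the bytes instead of rename(2)-ing the temp file, and create the file in its final directory first) can be combined in the upload handler itself, so the stored file is labelled from the destination directory (e.g. httpd_sys_rw_content_t under a file context like the wp-content/uploads line) and nothing SELinux-specific is called. This is an added example, not code from the thread; the form field name and the destination path are assumptions.

```php
<?php
// Added example (not from the thread). Accept an upload without a cross-directory
// rename(2): the final file is created inside the destination directory, so it
// takes that directory's label (or a type_transition) instead of keeping httpd_tmp_t.
// Behaves identically on non-SELinux systems; no restorecon or similar is needed.

function store_upload(string $field, string $destDir, string $finalName): string
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    $tmp = $_FILES[$field]['tmp_name'];
    // Same check move_uploaded_file() performs: only accept files PHP itself received.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }
    // Never let a client-supplied name choose the directory.
    $finalName = basename($finalName);
    if ($finalName === '' || $finalName[0] === '.') {
        throw new RuntimeException('bad file name');
    }
    // 1. Create the new inode *inside* the destination directory.
    $staging = tempnam($destDir, '.upload-');
    // tempnam() silently falls back to the system temp dir when $destDir is not
    // writable; that would reintroduce the label problem, so verify the location.
    if ($staging === false || realpath(dirname($staging)) !== realpath($destDir)) {
        if ($staging !== false) { unlink($staging); }
        throw new RuntimeException("cannot create file in $destDir");
    }
    // 2. Copy the bytes (a copy, not a rename, of PHP's temp file).
    if (!copy($tmp, $staging)) {
        unlink($staging);
        throw new RuntimeException('copy failed');
    }
    unlink($tmp);
    chmod($staging, 0640);
    // 3. rename() within the same directory: atomic, and the label is already right.
    $final = rtrim($destDir, '/') . '/' . $finalName;
    if (!rename($staging, $final)) {
        unlink($staging);
        throw new RuntimeException('final rename failed');
    }
    return $final;
}

// Usage (assumed form field and path, matching the wp-content/uploads context above):
// $path = store_upload('upload', '/var/www/blog/wp-content/uploads', $_FILES['upload']['name']);
```

Checking the result with ls -Z on an SELinux host should show the destination directory's type on the new file, while a plain move_uploaded_file() across directories would show httpd_tmp_t.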