SELinux avc: denied after upgrading phpBB

Paul Howarth paul at city-fan.org
Fri Aug 4 11:13:32 UTC 2006 

Daniel J Walsh wrote:
> Paul Howarth wrote:
>> On Sat, 2006-07-29 at 19:42 -0300, Clodoaldo Pinto wrote:
>>  
>>> 2006/7/29, Paul Howarth <paul at city-fan.org>:
>>>    
>>>> On Sat, 2006-07-29 at 14:56 -0300, Clodoaldo Pinto wrote:
>>>>      
>>>>> FC5. After upgrading phpBB from 2.0.19 to 2.0.21 I get this message:
>>>>>
>>>>> kernel: audit(1154193819.965:244): avc:  denied  { getattr } for
>>>>> pid=10862 comm="httpd" name="index.php" dev=sda1 ino=2553454
>>>>> scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:tmp_t:s0
>>>>> tclass=file
>>>>>
>>>>> Why didn't I have it with the old version?
>>>>>         
>>>> The old version was probably installed properly...
>>>>
>>>>      
>>>>> I know there are booleans related to httpd:
>>>>>
>>>>> # getsebool -a | grep httpd
>>>>> allow_httpd_anon_write --> off
>>>>> allow_httpd_mod_auth_pam --> off
>>>>> allow_httpd_sys_script_anon_write --> off
>>>>> httpd_builtin_scripting --> on
>>>>> httpd_can_network_connect --> off
>>>>> httpd_can_network_connect_db --> on
>>>>> httpd_can_network_relay --> off
>>>>> httpd_disable_trans --> off
>>>>> httpd_enable_cgi --> on
>>>>> httpd_enable_ftp_server --> off
>>>>> httpd_enable_homedirs --> on
>>>>> httpd_rotatelogs_disable_trans --> off
>>>>> httpd_ssi_exec --> on
>>>>> httpd_suexec_disable_trans --> off
>>>>> httpd_tty_comm --> off
>>>>> httpd_unified --> on
>>>>>
>>>>> Which one, if any, can solve this problem?
>>>>>         
>>>> None of them. The problem is that the file has the wrong context type,
>>>> probably due to having bee unpacked in /tmp and copied into your web
>>>> server area. You need to change the context type of the php files and
>>>> the directory they are in to httpd_sys_content_t.
>>>>       
>>> The patch was unpacked in my home directory and copied to
>>> /var/www/html/domain which is owned by me.
>>>
>>> The upgrade process is:
>>> $ patch -cl -p1 < phpBB-2.0.19_to_2.0.21.patch
>>>
>>> This changes already existing files. And it also changes their
>>> contexts to tmp_t as patch uses the /tmp directory for temporary
>>> files:
>>>
>>> $ ls -aZ
>>> drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t .
>>> drwxr-xr-x  root root system_u:object_r:httpd_sys_content_t ..
>>> drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t admin
>>> drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t cache
>>> -rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            common.php
>>> -rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t config.php
>>> drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t db
>>> drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t docs
>>> -rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t extension.inc
>>> -rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t faq.php
>>> -rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t groupcp.php
>>> drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t images
>>> drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t includes
>>> -rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            index.php
>>> drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t language
>>> -rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            login.php
>>> -rw-rw-r--  cpn  cpn  user_u:object_r:tmp_t            memberlist.php
>>> -rw-rw-r--  cpn  cpn  user_u:object_r:httpd_sys_content_t 
>>> memberlist.php.orig
>>> -rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            modcp.php
>>> -rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t
>>> phpBB-2.0.19_to_2.0.21.patch
>>> -rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            posting.php
>>> -rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            privmsg.php
>>> -rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            profile.php
>>> -rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            search.php
>>> drwxr-xr-x  cpn  cpn  user_u:object_r:httpd_sys_content_t templates
>>> -rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t viewforum.php
>>> -rw-r--r--  cpn  cpn  user_u:object_r:httpd_sys_content_t viewonline.php
>>> -rw-r--r--  cpn  cpn  user_u:object_r:tmp_t            viewtopic.php
>>>
>>> I changed the contexts back with chcon:
>>>
>>> $ chcon -R -t httpd_sys_content_t *
>>>
>>> Is it necessary to use chcon whenever a patch is applied or is there a
>>> way to change patch's behavior or some selinux configuration?
>>>     
>>
>> It'll be safest to check contexts after using patch and fix them if
>> necessary. In this particular case you might avoid the problem by
>> persuading patch to use a temporary directory that has the
>> httpd_sys_content_t type, but that approach won't work in all cases.
>>
>> Paul.
>>
>>
>>   
> 
> Can you open a bugzilla on patch.  It should maintain the XATTRs on the 
> file it is patching.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=165799

CLOSED WONTFIX

Paul.

More information about the fedora-list mailing list