Apache Httpd, PHP, Smarty and SELinux

Daniel J Walsh dwalsh at redhat.com
Wed Jul 30 15:51:06 UTC 2008


Ingemar Nilsson wrote:
> Hi.
> 
> Yesterday I set up a small PHP web service on one of our CentOS 5
> servers. It uses Smarty for templating, with the dynamically compiled
> templates being stored in a directory with SELinux context
> root:object_r:httpd_sys_content_t. The system runs with SELinux in
> enforcing mode, with httpd using the context root:system_u:httpd_t.
> 
> For the fun of it, I looked through the SELinux policy allow rules, but
> I couldn't find a rule that says that processes in the httpd_t domain
> can write to files labeled httpd_sys_content_t, but it does anyway.
> 
> I got the (supposedly) complete list of active policy rules using the
> command
> 
> sesearch -a
> 
> Running the command
> 
> sesearch -a | grep 'httpd_t ' | grep httpd_sys_content_t
> 
> produces the following list:
> 
>    allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock };
>    allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock
> search };
>    allow httpd_t httpd_sys_content_t : lnk_file { ioctl read getattr
> lock };
>    allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock };
>    allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock
> search };
>    allow httpd_t httpd_sys_content_t : lnk_file { read getattr };
>    type_transition httpd_t httpd_sys_content_t : process
> httpd_sys_script_t;
> 
> I don't see any rule that allows httpd_t processes to write to
> httpd_sys_content_t directories. What is going on?
> 
> Regards
> Ingemar
> 
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
sesearch does not give you attributes.

It could be a line like the following:
   allow @ttr1154 @ttr0504 : file { ioctl read write create getattr
setattr lock append unlink link rename open };

What is the context of the files that get created?
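The point of the reply above, worked through as an added example (this is not code from the original thread and not setools code): an allow rule can name a type attribute, including a compiler-generated anonymous one that old sesearch printed as @ttrNNNN, instead of a concrete type, so piping `sesearch -a` through `grep httpd_t | grep httpd_sys_content_t` never sees the rule that actually grants write. The script below parses sesearch-style allow lines, expands attributes into their member types, and answers "is httpd_t allowed to write httpd_sys_content_t files, and which rule says so?". The attribute memberships are constructed for illustration and are not taken from the real CentOS 5 policy; only the first two rules and the @ttr line come from the thread.

```python
"""Resolve SELinux allow rules that are written against type attributes.

Added example (not part of the original mailing-list exchange and not
setools code).  An allow rule may name an attribute, including an anonymous
one printed as @ttrNNNN, rather than a concrete type, so a literal grep for
"httpd_t" and "httpd_sys_content_t" misses the rule that grants write.
The attribute memberships below are constructed for illustration and are
not taken from any real policy.
"""
import re

# Constructed attribute -> member types map, in the shape that
# 'seinfo -a <attr> -x' reports.  Hypothetical memberships: @ttr1154 and
# @ttr0504 are the anonymous attributes from the reply, the other two are
# plausible reference-policy attribute names.
ATTRIBUTE_MEMBERS = {
    "@ttr1154": {"httpd_t", "httpd_sys_script_t"},
    "@ttr0504": {"httpd_sys_content_t", "httpd_sys_script_rw_t"},
    "httpd_script_domains": {"httpd_t", "httpd_sys_script_t", "httpd_user_script_t"},
    "httpdcontent": {"httpd_sys_content_t", "httpd_user_content_t"},
}

# Constructed sample of sesearch output.  The first two lines and the file
# rule on @ttr1154/@ttr0504 are quoted in the thread; the rest are made up.
SESEARCH_OUTPUT = """\
allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock };
allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search };
allow @ttr1154 @ttr0504 : file { ioctl read write create getattr setattr lock append unlink link rename open };
allow @ttr1154 @ttr0504 : dir { ioctl read write getattr lock add_name remove_name search };
allow httpd_script_domains httpdcontent : lnk_file { read getattr };
allow httpd_user_script_t httpd_user_content_t : file write;
"""

# allow <source> <target> : <class> { perm ... } ;   or   ... : <class> perm ;
RULE_RE = re.compile(
    r"^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{\s*([^}]*)\}|(\S+))\s*;$"
)


def parse_allow_rules(text):
    """Parse sesearch-style allow lines into (source, target, class, perms)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # type_transition lines, blanks, anything else
        src, tgt, cls, permset, single = m.groups()
        perms = frozenset(permset.split()) if permset is not None else frozenset([single])
        rules.append((src, tgt, cls, perms))
    return rules


def members(name, attrs):
    """Types a rule operand stands for: the attribute's members, or the type itself."""
    return attrs.get(name, {name})


def literal_rules(rules, source, target):
    """What 'grep source | grep target' sees: rules naming both types directly."""
    return [r for r in rules if r[0] == source and r[1] == target]


def grants(rules, attrs, source, target, cls, perm):
    """Rules that grant source->target:cls perm once attributes are expanded."""
    return [
        r for r in rules
        if r[2] == cls and perm in r[3]
        and source in members(r[0], attrs)
        and target in members(r[1], attrs)
    ]


def is_allowed(rules, attrs, source, target, cls, perm):
    """True if some rule, attribute-expanded, grants the permission."""
    return bool(grants(rules, attrs, source, target, cls, perm))


if __name__ == "__main__":
    rules = parse_allow_rules(SESEARCH_OUTPUT)
    query = ("httpd_t", "httpd_sys_content_t", "file", "write")
    literal = literal_rules(rules, query[0], query[1])
    print("literal grep sees a write rule:", any("write" in r[3] for r in literal))
    for r in grants(rules, ATTRIBUTE_MEMBERS, *query):
        print("granted by:", r[0], r[1], r[2], sorted(r[3]))
```

On a real system you do not need to do this by hand: setools 4's sesearch expands attributes by default, so `sesearch -A -s httpd_t -t httpd_sys_content_t -c file -p write` prints the attribute-based rule directly, and `seinfo -a <attribute> -x` lists an attribute's member types; the setools 3 sesearch of the CentOS 5 era needed its `--indirect` option to include attribute matches. Either way, check the label of the files Smarty actually creates with `ls -Z`, since a type_transition or a write through a differently labelled parent directory changes which rule applies.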