07-30-2008, 03:51 PM
Daniel J Walsh

Apache Httpd, PHP, Smarty and SELinux

Ingemar Nilsson wrote:
> Hi.
>
> Yesterday I set up a small PHP web service on one of our CentOS 5
> servers. It uses Smarty for templating, with the dynamically compiled
> templates being stored in a directory with SELinux context
> root:object_r:httpd_sys_content_t. The system runs with SELinux in
> enforcing mode, with httpd using the context root:system_u:httpd_t.
>
> For the fun of it, I looked through the SELinux policy allow rules, but
> I couldn't find a rule that says that processes in the httpd_t domain
> can write to files labeled httpd_sys_content_t, but it does anyway.
>
> I got the (supposedly) complete list of active policy rules using the
> command
>
> sesearch -a
>
> Running the command
>
> sesearch -a | grep 'httpd_t ' | grep httpd_sys_content_t
>
> produces the following list:
>
> allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock };
> allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock
> search };
> allow httpd_t httpd_sys_content_t : lnk_file { ioctl read getattr
> lock };
> allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock };
> allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock
> search };
> allow httpd_t httpd_sys_content_t : lnk_file { read getattr };
> type_transition httpd_t httpd_sys_content_t : process
> httpd_sys_script_t;
>
> I don't see any rule that allows httpd_t processes to write to
> httpd_sys_content_t directories. What is going on?
>
> Regards
> Ingemar
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
sesearch does not give you attributes.

Could be a line like the following
allow @ttr1154 @ttr0504 : file { ioctl read write create getattr
setattr lock append unlink link rename open };

What is the context of the files that get created?

 
07-30-2008, 06:19 PM
Ingemar Nilsson

Apache Httpd, PHP, Smarty and SELinux

Daniel J Walsh wrote:
> sesearch does not give you attributes.

Attributes? Is there maybe some document explaining them that you can
point me to?

Actually it does give me attributes:

sesearch -a | grep -P '@ttr\d{4} @ttr\d{4}' | grep ' file '
allow @ttr0269 @ttr0360 : file { ioctl read write create getattr
setattr lock relabelfrom relabelto append unlink link rename execute
swapon quotaon mounton execute_no_trans entrypoint execmod };
allow @ttr1170 @ttr1669 : file { ioctl read write getattr lock
append };
allow @ttr0098 @ttr0115 : file { ioctl read write create getattr
setattr lock relabelfrom relabelto append unlink link rename execute
swapon quotaon mounton execute_no_trans entrypoint execmod };
allow @ttr0098 @ttr0359 : file { ioctl read write create getattr
setattr lock relabelfrom relabelto append unlink link rename execute
swapon quotaon mounton execute_no_trans entrypoint execmod };
allow @ttr0240 @ttr0078 : file { ioctl read write create getattr
setattr lock relabelfrom relabelto append unlink link rename execute
swapon quotaon mounton execute_no_trans entrypoint };

allow @ttr0240 @ttr0078 : file execmod ;

> Could be a line like the following
> allow @ttr1154 @ttr0504 : file { ioctl read write create getattr
> setattr lock append unlink link rename open };

Your exact line could not be found above, but you might have meant it as
an example?

> What is the context of the files that get created?

The files all get the context of the parent directory, that is
root:object_r:httpd_sys_content_t.

Regards
Ingemar

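The point Daniel Walsh is making in the first reply, and that the @ttr lines in the second post illustrate, is that an allow rule can be written on an attribute (a named set of types) rather than on the types themselves, so grepping sesearch output for httpd_t and httpd_sys_content_t only finds the rules that name those two types literally. The script below is an added example, not code from the thread or from setools: it parses sesearch-style allow rules from a constructed sample, expands attribute operands to their member types, and compares what a literal grep sees with what the kernel actually enforces. The attribute names @ttr1154 and @ttr0504 are the ones quoted in the thread, but their memberships here are assumed for illustration and were not dumped from any real policy.

```python
"""Added example (not code from the mailing-list thread): expand
attribute-based SELinux allow rules to see which type pairs they cover.

sesearch prints rules on attributes as written in the policy; when the
policy was compiled without attribute names, they show up as opaque
@ttrNNNN identifiers. Grepping the output for a type name therefore
misses any rule whose source or target is an attribute containing that
type. Everything below is constructed sample data.
"""
import re

# Constructed sample: attribute name -> member types. On a real system this
# mapping comes from seinfo; the memberships here are ASSUMED for the example.
SAMPLE_ATTRIBUTES = {
    "@ttr1154": {"httpd_t", "httpd_sys_script_t"},
    "@ttr0504": {"httpd_sys_content_t", "httpd_sys_script_rw_t"},
}

# Constructed sample of sesearch output: rules naming types directly, one
# type_transition, and rules written on attributes (one line per rule).
SAMPLE_RULES = """\
allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock };
allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search };
allow httpd_t httpd_sys_content_t : lnk_file { read getattr };
type_transition httpd_t httpd_sys_content_t : process httpd_sys_script_t;
allow @ttr1154 @ttr0504 : file { ioctl read write create getattr setattr lock append unlink link rename open };
allow @ttr1154 @ttr0504 : dir { ioctl read write getattr lock add_name remove_name search };
allow @ttr0240 @ttr0078 : file execmod ;
"""

# allow <src> <tgt> : <class> { perm ... } ;   or   allow <src> <tgt> : <class> perm ;
RULE_RE = re.compile(
    r"^allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(?:\{\s*([^}]*?)\s*\}|(\S+))\s*;"
)


def parse_allow_rules(text):
    """Return (source, target, class, perms) tuples from sesearch-style text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # type_transition rules and lines wrapped by a mail client do not match
        src, tgt, cls, perm_set, single_perm = m.groups()
        perms = set(perm_set.split()) if perm_set is not None else {single_perm}
        rules.append((src, tgt, cls, frozenset(perms)))
    return rules


def members(name, attributes):
    """Types covered by a rule operand: an attribute expands to its members,
    a plain type is just itself."""
    return attributes.get(name, {name})


def direct_perms(rules, source, target, tclass):
    """Permissions from rules that name both types literally; this is what
    `sesearch -a | grep 'httpd_t ' | grep httpd_sys_content_t` finds."""
    perms = set()
    for src, tgt, cls, p in rules:
        if (src, tgt, cls) == (source, target, tclass):
            perms |= p
    return perms


def effective_perms(rules, attributes, source, target, tclass):
    """Permissions once attribute operands are expanded to their member
    types, which is what the kernel actually enforces."""
    perms = set()
    for src, tgt, cls, p in rules:
        if cls != tclass:
            continue
        if source in members(src, attributes) and target in members(tgt, attributes):
            perms |= p
    return perms


def explain(rules, attributes, source, target, tclass, perm):
    """Operand pairs, as written in the policy, that grant `perm`, so an
    opaque @ttr rule can be traced back to the attribute pair it uses."""
    return [
        (src, tgt)
        for src, tgt, cls, p in rules
        if cls == tclass and perm in p
        and source in members(src, attributes) and target in members(tgt, attributes)
    ]


if __name__ == "__main__":
    rules = parse_allow_rules(SAMPLE_RULES)
    args = ("httpd_t", "httpd_sys_content_t", "file")
    print("direct   :", sorted(direct_perms(rules, *args)))
    print("effective:", sorted(effective_perms(rules, SAMPLE_ATTRIBUTES, *args)))
    print("write via:", explain(rules, SAMPLE_ATTRIBUTES, *args, "write"))
```

With the constructed data, direct_perms returns only the read-side permissions the thread's grep found, while effective_perms also contains write, create and unlink, all of them coming from the @ttr1154/@ttr0504 rule. On a real system the same question is answered by the tools themselves: sesearch can be restricted by source, target, class and permission (the exact flag spellings vary between setools releases, and older releases only match attribute rules when asked to search indirectly, so check the man page), and seinfo can list the member types of an attribute, including the @ttrNNNN ones.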