Daniel J Walsh wrote:
Paul Howarth wrote:
On Sat, 2006-07-29 at 19:42 -0300, Clodoaldo Pinto wrote:
2006/7/29, Paul Howarth <paul@xxxxxxxxxxxx>:
On Sat, 2006-07-29 at 14:56 -0300, Clodoaldo Pinto wrote:
FC5. After upgrading phpBB from 2.0.19 to 2.0.21 I get this message:
kernel: audit(1154193819.965:244): avc: denied { getattr } for
pid=10862 comm="httpd" name="index.php" dev=sda1 ino=2553454
scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:tmp_t:s0
tclass=file
Why didn't I have it with the old version?
The old version was probably installed properly...
I know there are booleans related to httpd:
# getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_can_network_relay --> off
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> on
httpd_suexec_disable_trans --> off
httpd_tty_comm --> off
httpd_unified --> on
Which one, if any, can solve this problem?
None of them. The problem is that the file has the wrong context type,
probably due to having bee unpacked in /tmp and copied into your web
server area. You need to change the context type of the php files and
the directory they are in to httpd_sys_content_t.
The patch was unpacked in my home directory and copied to
/var/www/html/domain which is owned by me.
The upgrade process is:
$ patch -cl -p1 < phpBB-2.0.19_to_2.0.21.patch
This changes already existing files. And it also changes their
contexts to tmp_t as patch uses the /tmp directory for temporary
files:
$ ls -aZ
drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t .
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t admin
drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t cache
-rw-r--r-- cpn cpn user_u:object_r:tmp_t common.php
-rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t config.php
drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t db
drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t docs
-rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t extension.inc
-rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t faq.php
-rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t groupcp.php
drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t images
drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t includes
-rw-r--r-- cpn cpn user_u:object_r:tmp_t index.php
drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t language
-rw-r--r-- cpn cpn user_u:object_r:tmp_t login.php
-rw-rw-r-- cpn cpn user_u:object_r:tmp_t memberlist.php
-rw-rw-r-- cpn cpn user_u:object_r:httpd_sys_content_t
memberlist.php.orig
-rw-r--r-- cpn cpn user_u:object_r:tmp_t modcp.php
-rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t
phpBB-2.0.19_to_2.0.21.patch
-rw-r--r-- cpn cpn user_u:object_r:tmp_t posting.php
-rw-r--r-- cpn cpn user_u:object_r:tmp_t privmsg.php
-rw-r--r-- cpn cpn user_u:object_r:tmp_t profile.php
-rw-r--r-- cpn cpn user_u:object_r:tmp_t search.php
drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t templates
-rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t viewforum.php
-rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t viewonline.php
-rw-r--r-- cpn cpn user_u:object_r:tmp_t viewtopic.php
I changed the contexts back with chcon:
$ chcon -R -t httpd_sys_content_t *
Is it necessary to use chcon whenever a patch is applied or is there a
way to change patch's behavior or some selinux configuration?
It'll be safest to check contexts after using patch and fix them if
necessary. In this particular case you might avoid the problem by
persuading patch to use a temporary directory that has the
httpd_sys_content_t type, but that approach won't work in all cases.
Paul.
Can you open a bugzilla on patch. It should maintain the XATTRs on the
file it is patching.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=165799
CLOSED WONTFIX
Paul.
