PHP uploads files into a temporary directory, where they are given the label
"httpd_tmp_t". When a PHP script processes them, it calls
move_uploaded_file <http://php.net/manual/en/function.move-uploaded-fil...> to
move the newly uploaded file into its final location. This function does
some validity checks, then does a rename(2) from the temporary location to
the location passed to move_uploaded_file.

The problem is that after the rename, the file still retains its original
label, "httpd_tmp_t". That makes it inconsistent with files and directories
which weren't uploaded, and requires some policy gymnastics to take into
account that anything that could have been uploaded might have the
"httpd_tmp_t" type.

I am wondering if there is some good way to automatically relabel this file
when it is renamed?

I would like for the PHP application to work on SELinux and non-SELinux
systems, so I would prefer not to make calls out to SELinux-specific scripts
and programs (like restorecon). What I would really like is some
configuration option that would just relabel files according to their
destination when they are rename(2)'d, but that may be asking too much. :-)

Thanks for any advice,
-----Scott.
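
One portable way to avoid carrying the temporary label along, shown as an added example that is not part of the original message: copy the upload into the destination directory instead of rename(2)-ing it, so the file is a new inode created there and is labelled by policy for that location. The function name `move_upload_by_copy` is hypothetical, and the code makes no SELinux-specific calls.

```php
<?php
// Added example (not from the original post); the helper name is hypothetical.
// rename(2) keeps the inode, and with it the security.selinux label set when
// the file was created in the upload temp directory. A copy creates a new
// inode in the destination directory, so the label is decided there.
function move_upload_by_copy(string $tmpPath, string $destPath): bool
{
    // Same gate move_uploaded_file() applies: accept only real HTTP uploads.
    if (!is_uploaded_file($tmpPath)) {
        return false;
    }

    $destDir = realpath(dirname($destPath));
    if ($destDir === false) {
        return false;
    }

    // Create the new file inside the destination directory under a temporary
    // name, so a partial copy never shows up under the final name.
    $partial = tempnam($destDir, '.up');

    // tempnam() falls back to the system temp directory when it cannot write
    // to $destDir; a file created there would get the temp label again.
    if ($partial === false || realpath(dirname($partial)) !== $destDir) {
        if ($partial !== false) {
            @unlink($partial);
        }
        return false;
    }

    // copy() writes into the inode tempnam() created in $destDir. The final
    // rename() stays inside that directory, so the label does not change.
    $final = $destDir . DIRECTORY_SEPARATOR . basename($destPath);
    if (!copy($tmpPath, $partial) || !rename($partial, $final)) {
        @unlink($partial);
        return false;
    }

    // Remove the original upload; PHP also cleans it up at request end.
    @unlink($tmpPath);
    return true;
}
```

The label the new file receives is whatever policy assigns to files the web server domain creates in that directory (by default the directory's own type), which can differ from the label the file-context rules would apply on a relabel. On non-SELinux systems the function is an ordinary copy followed by an unlink.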