Paul Howarth wrote:
On Sat, 2006-07-29 at 19:42 -0300, Clodoaldo Pinto wrote:
2006/7/29, Paul Howarth paul@city-fan.org:
On Sat, 2006-07-29 at 14:56 -0300, Clodoaldo Pinto wrote:
FC5. After upgrading phpBB from 2.0.19 to 2.0.21 I get this message:
kernel: audit(1154193819.965:244): avc: denied { getattr } for pid=10862 comm="httpd" name="index.php" dev=sda1 ino=2553454 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
Why didn't I have it with the old version?
The old version was probably installed properly...
I know there are booleans related to httpd:
# getsebool -a | grep httpd
allow_httpd_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_can_network_relay --> off
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> on
httpd_suexec_disable_trans --> off
httpd_tty_comm --> off
httpd_unified --> on
Which one, if any, can solve this problem?
None of them. The problem is that the file has the wrong context type, probably due to having been unpacked in /tmp and copied into your web server area. You need to change the context type of the php files and the directory they are in to httpd_sys_content_t.
The patch was unpacked in my home directory and copied to /var/www/html/domain which is owned by me.
The upgrade process is: $ patch -cl -p1 < phpBB-2.0.19_to_2.0.21.patch
This changes already existing files. And it also changes their contexts to tmp_t as patch uses the /tmp directory for temporary files:
$ ls -aZ
drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t .
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t admin
drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t cache
-rw-r--r-- cpn cpn user_u:object_r:tmp_t common.php
-rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t config.php
drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t db
drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t docs
-rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t extension.inc
-rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t faq.php
-rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t groupcp.php
drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t images
drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t includes
-rw-r--r-- cpn cpn user_u:object_r:tmp_t index.php
drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t language
-rw-r--r-- cpn cpn user_u:object_r:tmp_t login.php
-rw-rw-r-- cpn cpn user_u:object_r:tmp_t memberlist.php
-rw-rw-r-- cpn cpn user_u:object_r:httpd_sys_content_t memberlist.php.orig
-rw-r--r-- cpn cpn user_u:object_r:tmp_t modcp.php
-rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t phpBB-2.0.19_to_2.0.21.patch
-rw-r--r-- cpn cpn user_u:object_r:tmp_t posting.php
-rw-r--r-- cpn cpn user_u:object_r:tmp_t privmsg.php
-rw-r--r-- cpn cpn user_u:object_r:tmp_t profile.php
-rw-r--r-- cpn cpn user_u:object_r:tmp_t search.php
drwxr-xr-x cpn cpn user_u:object_r:httpd_sys_content_t templates
-rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t viewforum.php
-rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t viewonline.php
-rw-r--r-- cpn cpn user_u:object_r:tmp_t viewtopic.php
I changed the contexts back with chcon:
$ chcon -R -t httpd_sys_content_t *
Is it necessary to use chcon whenever a patch is applied or is there a way to change patch's behavior or some selinux configuration?
It'll be safest to check contexts after using patch and fix them if necessary. In this particular case you might avoid the problem by persuading patch to use a temporary directory that has the httpd_sys_content_t type, but that approach won't work in all cases.
Paul.
Can you open a bugzilla on patch? It should maintain the XATTRs on the file it is patching.
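The "check contexts after using patch and fix them if necessary" step that Paul recommends can be turned into a small script. The following is an added example written for this page, not code from the thread or from the patch or SELinux projects. It parses the short FC5-era `ls -Z` line format shown in the listing above (mode, owner, group, context, name; newer coreutils print extra size and date columns, so the field positions would need adjusting there) and reports every file whose type field is not the expected one. The sample listing embedded in the script is constructed to mirror the thread's output; the function names `wrong_type_files` and `sample_wrong_files` are my own.

```sh
#!/bin/sh
# Constructed sample of FC5-era `ls -Z` output, modelled on the listing in the thread.
# Two files still carry tmp_t after `patch` wrote them via /tmp.
SAMPLE_LS_Z='-rw-r--r-- cpn cpn user_u:object_r:tmp_t common.php
-rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t config.php
-rw-r--r-- cpn cpn user_u:object_r:tmp_t index.php
-rw-r--r-- cpn cpn user_u:object_r:httpd_sys_content_t viewforum.php'

# wrong_type_files EXPECTED_TYPE
# Reads `ls -Z` lines (old 5-column format) on stdin and prints the name of
# every entry whose SELinux type (third colon-separated field of the context)
# differs from EXPECTED_TYPE. Directories are checked too, since the parent
# directory must also be httpd_sys_content_t for httpd to reach the files.
wrong_type_files() {
    expected="$1"
    awk -v want="$expected" '
        NF >= 5 {
            n = split($4, ctx, ":")
            if (n >= 3 && ctx[3] != want) print $5
        }'
}

# Run the check over the constructed sample and return the offenders as one
# space-separated line, which makes the result easy to assert on.
sample_wrong_files() {
    printf '%s\n' "$SAMPLE_LS_Z" \
        | wrong_type_files httpd_sys_content_t \
        | tr '\n' ' ' | sed 's/ $//'
}

# On a real SELinux system the same check after applying the patch would be:
#   ls -aZ /var/www/html/domain | wrong_type_files httpd_sys_content_t
# and the repair is `restorecon -Rv /var/www/html/domain`, which relabels from
# the policy's file-context rules instead of a hand-picked type as chcon does,
# so it also covers any other type the directory is supposed to contain.
sample_wrong_files
```

Running the script prints `common.php index.php`, the two entries of the sample that need relabelling; piping a live `ls -aZ` through `wrong_type_files` gives the post-patch check, and an empty result means the web tree is clean.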