Transitions for files.

Vadym Chepkov vchepkov at gmail.com
Mon Oct 18 14:46:37 UTC 2010


Hi,

I have an issue I would like to fix properly.

I have a policy for mediawiki defined this way:

apache_content_template(mediawiki)
apache_search_sys_content(httpd_mediawiki_script_t)

/var/www/mediawiki/bin(/.*)?
    gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
/var/www/mediawiki/images(/.*)?
    gen_context(system_u:object_r:httpd_mediawiki_script_rw_t,s0)
/var/www/mediawiki/cache(/.*)?
    gen_context(system_u:object_r:httpd_mediawiki_script_rw_t,s0)

And it works fine. The trouble occurs when you upload a new version
of an existing file (any file goes under images, by the way).
I assume mediawiki in this case creates a file in some temp directory,
removes the original file and then moves the file into place.
This causes the context to be set like this:

d/d6:
-rw-r--r--  apache apache system_u:object_r:httpd_tmp_t:s0 Speedtest.png

instead of "normal"

d/d3:
-rw-r--r--  apache apache
system_u:object_r:httpd_mediawiki_script_rw_t:s0 PuTTY2.png

Here are related AVCs:

time->Mon Oct 18 13:45:03 2010
type=SYSCALL msg=audit(1287409503.893:6728): arch=c000003e syscall=4
success=no exit=-13 a0=7fff25eb8490 a1=7fff25eb53c0 a2=7fff25eb53c0
a3=0 items=0 ppid=14205 pid=14206 auid=4294967295 uid=48 gid=48
euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
comm="convert" exe="/usr/bin/convert"
subj=system_u:system_r:httpd_mediawiki_script_t:s0 key=(null)
type=AVC msg=audit(1287409503.893:6728): avc:  denied  { getattr } for
 pid=14206 comm="convert"
path="/var/www/mediawiki/images/d/d6/Speedtest.png" dev=sda1
ino=737287 scontext=system_u:system_r:httpd_mediawiki_script_t:s0
tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
----
time->Mon Oct 18 13:45:03 2010
type=SYSCALL msg=audit(1287409503.893:6729): arch=c000003e syscall=2
success=no exit=-13 a0=7fff25eb8490 a1=0 a2=1b6 a3=0 items=0
ppid=14205 pid=14206 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="convert"
exe="/usr/bin/convert"
subj=system_u:system_r:httpd_mediawiki_script_t:s0 key=(null)
type=AVC msg=audit(1287409503.893:6729): avc:  denied  { read } for
pid=14206 comm="convert" name="Speedtest.png" dev=sda1 ino=737287
scontext=system_u:system_r:httpd_mediawiki_script_t:s0
tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file


I'd rather not allow mediawiki access to generic httpd_tmp_t, so I
wonder if there is a way to enforce the proper context when a file is
being moved into place?

Thank you,
Vadym
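Added example, not part of the original post: a rename keeps the label the temp file was created with, so the listing above is what a content tree looks like after an upload. This script reads `stat -c '%C %n'` output (or a captured listing, as in the constructed sample below) and reports every file whose SELinux type is not the one expected for that tree, so mislabeled uploads can be found before they show up as AVC denials.

```shell
#!/bin/sh
# Added example (not from the original post). Finds files in a content tree
# whose SELinux type differs from the one the file_contexts spec assigns,
# e.g. an upload still carrying httpd_tmp_t after being renamed into images/.

# report_mislabeled EXPECTED_TYPE
# Reads "<context> <path>" lines (the output of stat -c '%C %n') on stdin
# and prints "<type> <path>" for each file whose type is not EXPECTED_TYPE.
report_mislabeled() {
    awk -v want="$1" '
        {
            # A context is user:role:type[:range]; the type is field 3.
            split($1, ctx, ":")
            path = $0
            sub(/^[^ ]+ /, "", path)   # keep paths containing spaces intact
            if (ctx[3] != want) print ctx[3] " " path
        }'
}

# scan_tree DIR EXPECTED_TYPE: walk a real directory (needs an SELinux host
# with stat(1) supporting %C). Not exercised by the constructed sample.
scan_tree() {
    find "$1" -type f -exec stat -c '%C %n' {} + | report_mislabeled "$2"
}

# Constructed sample, mirroring the two listings in the post.
sample='system_u:object_r:httpd_tmp_t:s0 /var/www/mediawiki/images/d/d6/Speedtest.png
system_u:object_r:httpd_mediawiki_script_rw_t:s0 /var/www/mediawiki/images/d/d3/PuTTY2.png'

if [ "${1:-}" = "--demo" ]; then
    # Prints only the Speedtest.png line: it carries httpd_tmp_t.
    printf '%s\n' "$sample" | report_mislabeled httpd_mediawiki_script_rw_t
fi
```

On an SELinux host, `restorecon -nv /var/www/mediawiki/images` gives the same answer straight from the loaded file_contexts; the script is for checking a listing captured elsewhere, or for types that are not yet in a spec.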
