Transitions for files.

Daniel J Walsh dwalsh at redhat.com
Mon Oct 18 14:52:33 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/18/2010 10:46 AM, Vadym Chepkov wrote:
> Hi,
> 
> I have an issue I would like to fix properly.
> 
> I have a policy for mediawiki defined this way:
> 
> apache_content_template(mediawiki)
> apache_search_sys_content(httpd_mediawiki_script_t)
> 
> /var/www/mediawiki/bin(/.*)?
>     gen_context(system_u:object_r:httpd_mediawiki_script_exec_t,s0)
> /var/www/mediawiki/images(/.*)?
>     gen_context(system_u:object_r:httpd_mediawiki_script_rw_t,s0)
> /var/www/mediawiki/cache(/.*)?
>     gen_context(system_u:object_r:httpd_mediawiki_script_rw_t,s0)
> 
> And it works fine. The trouble occurs when you upload a new version
> of an existing file (any file goes under images, by the way).
> I assume mediawiki in this case creates a file in some temp directory,
> removes original file and then moves the file in place.
> This causes the context to be set like this:
> 
> d/d6:
> -rw-r--r--  apache apache system_u:object_r:httpd_tmp_t:s0 Speedtest.png
> 
> instead of "normal"
> 
> d/d3:
> -rw-r--r--  apache apache system_u:object_r:httpd_mediawiki_script_rw_t:s0 PuTTY2.png
> 
> Here are related AVCs:
> 
> time->Mon Oct 18 13:45:03 2010
> type=SYSCALL msg=audit(1287409503.893:6728): arch=c000003e syscall=4
> success=no exit=-13 a0=7fff25eb8490 a1=7fff25eb53c0 a2=7fff25eb53c0
> a3=0 items=0 ppid=14205 pid=14206 auid=4294967295 uid=48 gid=48
> euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
> comm="convert" exe="/usr/bin/convert"
> subj=system_u:system_r:httpd_mediawiki_script_t:s0 key=(null)
> type=AVC msg=audit(1287409503.893:6728): avc:  denied  { getattr } for
> pid=14206 comm="convert"
> path="/var/www/mediawiki/images/d/d6/Speedtest.png" dev=sda1
> ino=737287 scontext=system_u:system_r:httpd_mediawiki_script_t:s0
> tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
> ----
> time->Mon Oct 18 13:45:03 2010
> type=SYSCALL msg=audit(1287409503.893:6729): arch=c000003e syscall=2
> success=no exit=-13 a0=7fff25eb8490 a1=0 a2=1b6 a3=0 items=0
> ppid=14205 pid=14206 auid=4294967295 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="convert"
> exe="/usr/bin/convert"
> subj=system_u:system_r:httpd_mediawiki_script_t:s0 key=(null)
> type=AVC msg=audit(1287409503.893:6729): avc:  denied  { read } for
> pid=14206 comm="convert" name="Speedtest.png" dev=sda1 ino=737287
> scontext=system_u:system_r:httpd_mediawiki_script_t:s0
> tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
> 
> 
> I'd rather not allow mediawiki access to generic httpd_tmp_t, so I
> wonder if there is a way to enforce the proper context when the file is
> being moved into place?
> 
> Thank you,
> Vadym
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Can you find the code that is doing the mv and add a restorecon, or
change it to a cp followed by a rm.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAky8XzEACgkQrlYvE4MpobNr8ACghvKz51f7VjBlurlDuCozML2W
vbYAnj8jKm0t6ggLEe2EyjLvt7cRtUwr
=1BrC
-----END PGP SIGNATURE-----
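The mechanism behind the reply, as an added example that is not code from this thread, from MediaWiki or from the reference policy: rename(2) moves the inode unchanged, label included, so a file written under a temp directory and mv'd into images/ keeps httpd_tmp_t. A cp creates a fresh inode in the destination directory, so the directory's default labeling (file_contexts entry or type_transition rule) applies, and a rename that stays within that directory keeps the new label. The function names, the sibling-temp-file naming and the "restorecon only if present" step are this example's own choices; the mislabel check at the end is a defender's audit for files left behind by an upload path that used mv.

```shell
#!/bin/sh
# Added example; not code from the thread, MediaWiki or refpolicy.
# Function and variable names are this example's own choices.

# Replace DST with the contents of SRC so that DST ends up with the label the
# destination directory assigns to new files, not the label SRC carried in the
# temp directory it was written to. This is the "cp followed by a rm" route.
replace_in_place() {
    src=$1
    dst=$2
    dstdir=$(dirname -- "$dst")
    tmp="$dstdir/.$(basename -- "$dst").tmp.$$"

    # Fresh inode in the destination directory: gets that directory's default type.
    cp -- "$src" "$tmp" || return 1

    # Same-directory rename: atomic swap, label unchanged from what cp created.
    mv -f -- "$tmp" "$dst" || { rm -f -- "$tmp"; return 1; }

    # Optional belt and braces: relabel from the file-context spec as well
    # (the restorecon route from the reply). Skipped silently where absent.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -- "$dst" 2>/dev/null || :
    fi

    # The temp copy is no longer needed.
    rm -f -- "$src"
}

# Print the SELinux type (third field of user:role:type:level) of a path,
# or "?" when no context is available (GNU stat prints "?" in that case).
label_type() {
    ctx=$(stat -c %C -- "$1" 2>/dev/null) || ctx='?'
    case $ctx in
        *:*:*) printf '%s\n' "$ctx" | cut -d: -f3 ;;
        *)     printf '?\n' ;;
    esac
}

# Defender's check: list regular files under DIR whose type is not EXPECTED,
# e.g. stray httpd_tmp_t files under images/ left by an upload path that used mv.
# On a host without SELinux every file reports "?" and is therefore listed.
find_mislabeled() {
    dir=$1
    expected=$2
    find "$dir" -type f | while IFS= read -r f; do
        t=$(label_type "$f")
        [ "$t" = "$expected" ] || printf '%s %s\n' "$t" "$f"
    done
}
```

Usage: `replace_in_place /tmp/upload.png /var/www/mediawiki/images/d/d6/Speedtest.png` from the process that does the upload, and `find_mislabeled /var/www/mediawiki/images httpd_mediawiki_script_rw_t` to spot files that already carry the wrong type (each reported file is one that will produce the getattr/read denials shown above). Note that a policy type_transition only fires on file creation in the labeled directory; no rule can retroactively relabel an inode that arrives via rename, which is why the fix has to be in the code path that moves the file or in an explicit restorecon.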

