Attachment 589956 Details for Bug 829420 – File: description

File: description

description (text/plain), 7.23 KB, created by Steven on 2012-06-06 16:45:10 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Steven

Created: 2012-06-06 16:45:10 UTC

Size: 7.23 KB

patch

obsolete

>SELinux is preventing /usr/bin/php-cgi from 'read' accesses on the file /var/www/php/tmc/public/index.php.
>
>*****  Plugin restorecon (94.8 confidence) suggests  *************************
>
>If you want to fix the label. 
>/var/www/php/tmc/public/index.php default label should be httpd_sys_content_t.
>Then you can run restorecon.
>Do
># /sbin/restorecon -v /var/www/php/tmc/public/index.php
>
>*****  Plugin catchall_labels (5.21 confidence) suggests  ********************
>
>If you want to allow php-cgi to have read access on the index.php file
>Then you need to change the label on /var/www/php/tmc/public/index.php
>Do
># semanage fcontext -a -t FILE_TYPE '/var/www/php/tmc/public/index.php'
>where FILE_TYPE is one of the following: var_lib_t, httpd_php_exec_t, httpd_passwd_exec_t, httpd_nagios_htaccess_t, abrt_t, proc_net_t, abrt_etc_t, lib_t, puppet_tmp_t, ld_so_t, sysfs_t, samba_var_t, afs_cache_t, abrt_helper_exec_t, dirsrv_var_log_t, zarafa_var_lib_t, etc_runtime_t, dirsrv_var_run_t, puppet_var_lib_t, net_conf_t, httpd_var_lib_t, httpd_var_run_t, git_system_content_t, udev_var_run_t, fail2ban_var_lib_t, public_content_t, anon_inodefs_t, systemd_passwd_var_run_t, httpd_awstats_htaccess_t, httpd_dirsrvadmin_htaccess_t, sysctl_kernel_t, httpd_modules_t, httpd_user_htaccess_t, textrel_shlib_t, chroot_exec_t, httpd_sys_content_t, public_content_rw_t, httpd_bugzilla_htaccess_t, httpd_cobbler_htaccess_t, rpm_script_tmp_t, mailman_data_t, httpd_apcupsd_cgi_htaccess_t, httpd_suexec_exec_t, system_dbusd_var_lib_t, application_exec_type, httpd_cvs_htaccess_t, httpd_git_htaccess_t, httpd_sys_htaccess_t, squirrelmail_spool_t, httpd_nutups_cgi_htaccess_t, mailman_cgi_exec_t, abrt_retrace_worker_exec_t, gitosis_var_lib_t, dirsrvadmin_config_t, httpd_prewikka_htaccess_t, httpd_squid_htaccess_t, httpd_dspam_htaccess_t, httpd_munin_htaccess_t, passenger_var_lib_t, passenger_var_run_t, cobbler_var_lib_t, ld_so_cache_t, dirsrvadmin_unconfined_script_exec_t, mailman_archive_t, user_cron_spool_t, bin_t, cert_t, cert_t, httpd_t, lib_t, locale_t, httpd_collectd_htaccess_t, httpd_unconfined_script_exec_t, usr_t, etc_t, etc_t, fonts_t, abrt_retrace_spool_t, proc_t, sysfs_t, httpd_rotatelogs_exec_t, httpd_mojomojo_htaccess_t, httpd_smokeping_cgi_htaccess_t, krb5_keytab_t, passenger_exec_t, nagios_etc_t, nagios_log_t, sssd_public_t, sssd_public_t, httpd_keytab_t, abrt_var_run_t, httpd_config_t, cluster_conf_t, tetex_data_t, httpd_mediawiki_htaccess_t, fonts_cache_t, httpd_exec_t, httpd_lock_t, httpd_log_t, dirsrv_config_t, httpd_tmp_t, sysctl_crypto_t, smokeping_var_lib_t, krb5_conf_t, krb5_conf_t, shell_exec_t, httpd_w3c_validator_htaccess_t, mysqld_etc_t, cvs_data_t, dirsrvadmin_tmp_t, cobbler_etc_t, httpd_helper_exec_t, dbusd_etc_t, dirsrv_share_t, calamaris_www_t, httpd_cache_t, httpd_tmpfs_t, iso9660_t, httpd_squirrelmail_t, httpd_mojomojo_script_exec_t, httpd_bugzilla_ra_content_t, httpd_bugzilla_rw_content_t, httpd_cvs_script_exec_t, httpd_nutups_cgi_script_exec_t, httpd_cvs_ra_content_t, httpd_cvs_rw_content_t, httpd_git_ra_content_t, httpd_git_rw_content_t, httpd_nagios_content_t, httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_w3c_validator_content_t, httpd_nagios_ra_content_t, httpd_nagios_rw_content_t, httpd_apcupsd_cgi_content_t, httpd_nutups_cgi_ra_content_t, httpd_nutups_cgi_rw_content_t, httpd_cobbler_script_exec_t, httpd_mediawiki_script_exec_t, httpd_apcupsd_cgi_ra_content_t, httpd_apcupsd_cgi_rw_content_t, httpd_smokeping_cgi_script_exec_t, httpd_git_content_t, httpd_user_content_t, httpd_smokeping_cgi_content_t, httpd_cvs_content_t, httpd_sys_content_t, httpd_dspam_ra_content_t, httpd_dspam_rw_content_t, httpd_mediawiki_ra_content_t, httpd_mediawiki_rw_content_t, httpd_dspam_script_exec_t, httpd_munin_script_exec_t, httpd_collectd_content_t, httpd_squid_ra_content_t, httpd_squid_rw_content_t, httpd_w3c_validator_script_exec_t, httpd_prewikka_ra_content_t, httpd_prewikka_rw_content_t, httpd_user_script_exec_t, httpd_bugzilla_content_t, httpd_collectd_script_exec_t, httpd_mediawiki_content_t, httpd_prewikka_content_t, httpd_smokeping_cgi_ra_content_t, httpd_smokeping_cgi_rw_content_t, httpd_apcupsd_cgi_script_exec_t, httpd_munin_content_t, httpd_squid_content_t, httpd_awstats_script_exec_t, httpd_dirsrvadmin_content_t, httpd_dirsrvadmin_ra_content_t, httpd_dirsrvadmin_rw_content_t, httpd_squid_script_exec_t, httpd_dspam_content_t, httpd_w3c_validator_ra_content_t, httpd_w3c_validator_rw_content_t, httpd_cobbler_content_t, httpd_collectd_ra_content_t, httpd_collectd_rw_content_t, httpd_nagios_script_exec_t, httpd_awstats_content_t, root_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_awstats_ra_content_t, httpd_awstats_rw_content_t, httpd_cobbler_ra_content_t, httpd_cobbler_rw_content_t, httpd_bugzilla_script_exec_t, httpd_prewikka_script_exec_t, httpd_mojomojo_content_t, httpd_munin_ra_content_t, httpd_munin_rw_content_t, httpd_mojomojo_ra_content_t, httpd_mojomojo_rw_content_t, httpd_nutups_cgi_content_t, httpd_dirsrvadmin_script_exec_t, httpd_sys_script_exec_t, httpd_git_script_exec_t. 
>Then execute: 
>restorecon -v '/var/www/php/tmc/public/index.php'
>
>
>*****  Plugin catchall (1.44 confidence) suggests  ***************************
>
>If you believe that php-cgi should be allowed read access on the index.php file by default.
>Then you should report this as a bug.
>You can generate a local policy module to allow this access.
>Do
>allow this access for now by executing:
># grep php-cgi /var/log/audit/audit.log | audit2allow -M mypol
># semodule -i mypol.pp
>
>Additional Information:
>Source Context                system_u:system_r:httpd_t:s0
>Target Context                unconfined_u:object_r:var_t:s0
>Target Objects                /var/www/php/tmc/public/index.php [ file ]
>Source                        php-cgi
>Source Path                   /usr/bin/php-cgi
>Port                          <Unknown>
>Host                          (removed)
>Source RPM Packages           php-cli-5.3.13-1.fc16.x86_64
>Target RPM Packages           
>Policy RPM                    selinux-policy-3.10.0-86.fc16.noarch
>Selinux Enabled               True
>Policy Type                   targeted
>Enforcing Mode                Enforcing
>Host Name                     (removed)
>Platform                      Linux (removed) 3.3.7-1.fc16.x86_64 #1 SMP Tue
>                              May 22 13:59:39 UTC 2012 x86_64 x86_64
>Alert Count                   2
>First Seen                    Mon 04 Jun 2012 05:14:11 PM CDT
>Last Seen                     Wed 06 Jun 2012 10:22:42 AM CDT
>Local ID                      250d2352-8fae-448a-bd0c-4cd40b8dfb4f
>
>Raw Audit Messages
>type=AVC msg=audit(1338996162.462:100): avc:  denied  { read } for  pid=2867 comm="php-cgi" name="index.php" dev="dm-1" ino=1051782 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
>
>
>type=SYSCALL msg=audit(1338996162.462:100): arch=x86_64 syscall=open success=no exit=EACCES a0=24f5c60 a1=0 a2=1b6 a3=238 items=0 ppid=2865 pid=2867 auid=4294967295 uid=991 gid=988 euid=991 suid=991 fsuid=991 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm=php-cgi exe=/usr/bin/php-cgi subj=system_u:system_r:httpd_t:s0 key=(null)
>
>Hash: php-cgi,httpd_t,var_t,file,read
>
>audit2allow
>
>#============= httpd_t ==============
>allow httpd_t var_t:file read;
>
>audit2allow -R
>
>#============= httpd_t ==============
>allow httpd_t var_t:file read;
>

Actions: View

Attachments on bug 829420: 589956