Bug 427151
Summary: | selinux conflicts with drupal installation... | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ezra Peisach <epeisach> |
Component: | selinux-policy-targeted | Assignee: | Radek Vokál <rvokal> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Ben Levenson <benl> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 8 | CC: | feliciano.matias, k.georgiou |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2008-11-17 22:02:46 UTC | Type: | --- |
Description
Ezra Peisach
2008-01-01 14:16:07 UTC
(In reply to comment #0)
> Description of problem:
>
> There are several selinux label problems.
> Specifically /var/lib/drupal and /etc/drupal both need to be labelled with a
> fcontext -t httpd_sys_content_t
>
> /etc/drupal is where the configuration files are stored and /var/lib/drupal is
> where uploads, etc are stored... They are symlinks from /usr/share/drupal/sites
> and /usr/share/drupal/files respectively for the case of a R/O /usr.
>

With the *default* configuration, files are uploaded in /etc/drupal/sites/defaults/files.

(In reply to comment #1)
> With the *default* configuration, files are uploaded in
> /etc/drupal/sites/defaults/files.

Oops, it's: /etc/drupal/default/files/

Sorry, forget my previous comments (#1 and #2) because I use drupal-6.0-dev and not drupal-5.5 (I repackaged Fedora src.rpm for drupal-6.0-0dev).

Anyway, I play around with Drupal and I have some difficulties getting it right and secure.

For example, I can point the browser to http://site.com/drupal/sites/default/settings.php
But settings.php contains the uri (with the password) of the database used. As long as php is enabled, it's OK (not really sure). But if php is disabled you can get the file (and any password it contains).

Drupal permits uploading files. By *default* uploaded files are public and delivered by apache (not via Drupal). This also bypasses any access restriction of Drupal. If the administrator of drupal permits uploading php files (or perl ...), these files can be executed by apache.

NB: The administrator of drupal can do this, not only the person who installed Drupal (you strictly follow /usr/share/doc/drupal*/drupal-README.fedora).

I'll check the fedora package again when it will have Drupal 6.0 and file a bugzilla if I find some security issue.

The drupal package uses php in module (by default). Not php in cgi mode.

I am not sure this bug belongs to selinux-policy-targeted.

Ok I am just getting around to looking at this bugzilla.

/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)

Should allow drupal to work.

I did not understand the other section. Drupal should not be writing to /etc partition. This is considered a read only partition. Any files that need to be written should be moved to /var/lib/drupal

Fixed in selinux-policy-3.0.8-89.fc8

(In reply to comment #5)
> [...]
>
> /usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
>

I don't need this one.

[admin@one ~]$ rpm -q selinux-policy
selinux-policy-3.0.8-84.fc8
[admin@one ~]$ ll -Z /usr/share/drupal/
-rw-r--r-- root root system_u:object_r:usr_t:s0 COPYRIGHT.txt
-rw-r--r-- root root system_u:object_r:usr_t:s0 cron.php
...

Why?

User jkubin's account has been closed

Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.
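
Added example (not part of the bug thread or of the Fedora policy): a Python check that matches paths against the two file-context entries quoted in the thread and flags rows of an `ls -Z` listing whose SELinux type differs. The listing is a constructed sample modelled on the output in the thread; the function names are hypothetical, and rule precedence is simplified to "last matching entry wins".

```python
import re

# File-context entries as quoted in the thread (policy-source gen_context form).
FCONTEXT_RULES = """\
/var/lib/drupal(/.*)?    gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
/usr/share/drupal(/.*)?  gen_context(system_u:object_r:httpd_sys_content_t,s0)
"""

# Constructed sample: `ls -Z` listing modelled on the output shown in the thread.
LS_Z = """\
-rw-r--r-- root root system_u:object_r:usr_t:s0 COPYRIGHT.txt
-rw-r--r-- root root system_u:object_r:usr_t:s0 cron.php
"""

RULE_RE = re.compile(r"^(\S+)\s+gen_context\(([^:]+):([^:]+):([^:,]+),([^)]+)\)$")


def parse_rules(text):
    """Return [(compiled path regex, SELinux type)] for each entry."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((re.compile(m.group(1)), m.group(4)))
    return rules


def expected_type(path, rules):
    """Type the rules assign to path, or None when no entry covers it.
    Simplification (assumption): the last matching entry wins."""
    found = None
    for pattern, setype in rules:
        if pattern.fullmatch(path):  # file-context regexes match the whole path
            found = setype
    return found


def find_mislabeled(directory, ls_output, rules):
    """Compare each `ls -Z` row with the expected type; return the mismatches."""
    bad = []
    for row in ls_output.splitlines():
        fields = row.split(None, 4)  # mode, user, group, context, name
        if len(fields) != 5:
            continue
        actual = fields[3].split(":")[2]
        path = directory.rstrip("/") + "/" + fields[4]
        want = expected_type(path, rules)
        if want is not None and actual != want:
            bad.append((path, actual, want))
    return bad
```

On a live system, `matchpathcon` reports the context the installed policy expects for a path and `restorecon -Rv` relabels files to match it.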