Bug 845085

Summary: wordpress automatic update fails with SELinux enforcing=1
Product: [Fedora] Fedora
Reporter: Matt Domsch <matt_domsch>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: 16
CC: dominick.grift, dwalsh, mgrepl
Hardware: Unspecified
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-08-02 10:57:55 UTC
Type: Bug

Description Matt Domsch 2012-08-01 17:22:07 UTC
Description of problem:

Wordpress has an admin login mode which prompts you for updates necessary to itself, or to any of the plugins or components of itself.  However, when in enforcing mode, SELinux prevents httpd from doing the actions it needs to update itself.  Disabling enforcing mode momentarily allows the sysadmin to let wordpress update itself.  Below are the audit logs seen after disabling enforcing mode, then doing the wordpress update.

type=AVC msg=audit(1343841178.333:135000): avc:  denied  { write } for  pid=25368 comm="httpd" name="wp-content" dev="xvda1" ino=123487 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
type=AVC msg=audit(1343841178.333:135000): avc:  denied  { add_name } for  pid=25368 comm="httpd" name="temp-write-test-1343841178" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
type=AVC msg=audit(1343841178.333:135000): avc:  denied  { create } for  pid=25368 comm="httpd" name="temp-write-test-1343841178" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file
type=AVC msg=audit(1343841178.333:135000): avc:  denied  { write } for  pid=25368 comm="httpd" name="temp-write-test-1343841178" dev="xvda1" ino=123428 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file
type=SYSCALL msg=audit(1343841178.333:135000): arch=c000003e syscall=2 success=yes exit=30 a0=7f339186fb30 a1=241 a2=1b6 a3=38333433312d7473 items=0 ppid=947 pid=25368 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1343841178.333:135001): avc:  denied  { remove_name } for  pid=25368 comm="httpd" name="temp-write-test-1343841178" dev="xvda1" ino=123428 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
type=AVC msg=audit(1343841178.333:135001): avc:  denied  { unlink } for  pid=25368 comm="httpd" name="temp-write-test-1343841178" dev="xvda1" ino=123428 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file
type=SYSCALL msg=audit(1343841178.333:135001): arch=c000003e syscall=87 success=yes exit=0 a0=7f339186fe90 a1=1 a2=0 a3=7fff89e7b910 items=0 ppid=947 pid=25368 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1343841178.347:135002): avc:  denied  { setattr } for  pid=25368 comm="httpd" name=".maintenance" dev="xvda1" ino=123428 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file
type=SYSCALL msg=audit(1343841178.347:135002): arch=c000003e syscall=90 success=yes exit=0 a0=7f3391872b40 a1=1a4 a2=2c a3=7fff89e7b890 items=0 ppid=947 pid=25368 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1343841179.011:135003): avc:  denied  { create } for  pid=25368 comm="httpd" name="jetpack.tmp" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1343841179.011:135003): arch=c000003e syscall=83 success=yes exit=0 a0=7f339187d6a8 a1=1ff a2=8 a3=7fff89e7b910 items=0 ppid=947 pid=25368 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1343841179.028:135004): avc:  denied  { setattr } for  pid=25368 comm="httpd" name="jetpack.tmp" dev="xvda1" ino=197219 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1343841179.028:135004): arch=c000003e syscall=90 success=yes exit=0 a0=7f339187d6a8 a1=1ed a2=3e a3=7fff89e7b890 items=0 ppid=947 pid=25368 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1343841179.028:135005): avc:  denied  { write } for  pid=25368 comm="httpd" name="jetpack.tmp" dev="xvda1" ino=197219 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=dir
type=AVC msg=audit(1343841179.028:135005): avc:  denied  { add_name } for  pid=25368 comm="httpd" name="jetpack" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1343841179.028:135005): arch=c000003e syscall=83 success=yes exit=0 a0=7f339186f098 a1=1ff a2=8 a3=7fff89e7b910 items=0 ppid=947 pid=25368 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1343841179.264:135006): avc:  denied  { remove_name } for  pid=25368 comm="httpd" name="jetpack.php" dev="xvda1" ino=174604 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1343841179.264:135006): arch=c000003e syscall=87 success=yes exit=0 a0=7f33918bb430 a1=1 a2=0 a3=7fff89e7b910 items=0 ppid=947 pid=25368 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1343841179.396:135007): avc:  denied  { rmdir } for  pid=25368 comm="httpd" name="languages" dev="xvda1" ino=174608 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1343841179.396:135007): arch=c000003e syscall=84 success=yes exit=0 a0=7f33918b8d58 a1=1 a2=8 a3=7fff89e7b920 items=0 ppid=947 pid=25368 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=MAC_STATUS msg=audit(1343841184.064:135008): enforcing=1 old_enforcing=0 auid=1000 ses=6932

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-89.fc16.noarch

How reproducible:
always

Steps to Reproduce:
1. Install F16
2. Install wordpress by hand
3. Try upgrading wordpress following admin login
  
Actual results:
Wordpress fails to update itself

Expected results:
Wordpress can update itself

Additional info:

Comment 1 Miroslav Grepl 2012-08-02 10:57:55 UTC
Where are wp-content with other wordpress directories located in your case?

You will need to change labeling to httpd_sys_rw_content_t.
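
Added example (not part of the bug report or of selinux-policy): the Python below groups the AVC denials from the description by source type, target type and object class, which shows at a glance what the relabeling advice is responding to. The sample lines are copied from the log above; the function names and the WRITE_PERMS set are illustrative assumptions.

```python
import re
from collections import defaultdict

# Six AVC records copied from the audit log in the report, plus its MAC_STATUS
# record to show that non-AVC lines are skipped.
SAMPLE = r'''
type=AVC msg=audit(1343841178.333:135000): avc:  denied  { write } for  pid=25368 comm="httpd" name="wp-content" dev="xvda1" ino=123487 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
type=AVC msg=audit(1343841178.333:135000): avc:  denied  { add_name } for  pid=25368 comm="httpd" name="temp-write-test-1343841178" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
type=AVC msg=audit(1343841178.333:135000): avc:  denied  { create } for  pid=25368 comm="httpd" name="temp-write-test-1343841178" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file
type=AVC msg=audit(1343841178.333:135001): avc:  denied  { unlink } for  pid=25368 comm="httpd" name="temp-write-test-1343841178" dev="xvda1" ino=123428 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file
type=AVC msg=audit(1343841178.347:135002): avc:  denied  { setattr } for  pid=25368 comm="httpd" name=".maintenance" dev="xvda1" ino=123428 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file
type=AVC msg=audit(1343841179.396:135007): avc:  denied  { rmdir } for  pid=25368 comm="httpd" name="languages" dev="xvda1" ino=174608 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=dir
type=MAC_STATUS msg=audit(1343841184.064:135008): enforcing=1 old_enforcing=0 auid=1000 ses=6932
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption: permissions treated here as "modifies content".
WRITE_PERMS = {"write", "add_name", "remove_name", "create", "unlink", "setattr", "rmdir"}

def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "perms": m.group(1).split(),
        # An SELinux context is user:role:type:level; the type drives the decision.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "name": fields.get("name"),
    }

def summarize(log):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line.strip())
        if rec:
            grouped[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}

def labels_needing_write(summary, source="httpd_t"):
    """Target types on which `source` was denied a content-modifying permission."""
    return sorted({t for (s, t, _), perms in summary.items()
                   if s == source and WRITE_PERMS & set(perms)})

if __name__ == "__main__":
    for key, perms in summarize(SAMPLE).items():
        print(key, perms)
    print("relabel candidates:", labels_needing_write(summarize(SAMPLE)))
```

Every denial in the sample is httpd_t modifying httpd_user_content_t, so one label change covers them all. On Fedora the relabel is normally made persistent with `semanage fcontext -a -t httpd_sys_rw_content_t` on the wp-content path of the install, followed by `restorecon -R` on the same path.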