Bug 145544 - PhpWiki is not allowed to update a file in "targeted" selinux policy
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
i386 Linux
medium Severity medium
Assigned To: Daniel Walsh
Reported: 2005-01-19 10:51 EST by Valeriy Ovechkin
Modified: 2007-11-30 17:10 EST
Fixed In Version: 1.17.30-2.70
Doc Type: Bug Fix
Last Closed: 2005-09-05 03:14:27 EDT
Description Valeriy Ovechkin 2005-01-19 10:51:51 EST
Description of problem:
I use a stock FC3, Apache and PhpWiki (edit lib/config.php to use 
flat files). When PhpWiki tries to update a "hitcount" file, it 
fails, and the following audit event is logged:

Jan 19 10:12:58 localhost kernel: audit(1106147578.393:0): avc:  denied  { append } for  pid=4702 exe=/usr/sbin/httpd name=hitcount.data dev=hda4 ino=1802851 tcontext=root:object_r:httpd_sys_script_rw_t tclass=file

Version-Release number of selected component (if applicable):
PhpWiki 1.2.7 (http://sourceforge.net/projects/phpwiki/)

How reproducible:

Steps to Reproduce:
1. Download PhpWiki 1.2.7 from 
http://sourceforge.net/projects/phpwiki/ and unpack into apache 
directory (/var/www/wiki)

2. Edit /var/www/wiki/lib/config.php to use flat files:
$WhichDatabase = 'file';

3. Change the location of pages from default '/tmp' (look under 
elseif ):
$DBdir = '/var/www/wiki/contents';

4. Change the file context of "contents" to httpd_sys_script_rw_t:
chcon -R root:object_r:httpd_sys_script_rw_t '/var/www/wiki/contents'

5. Visit URL http://localhost/wiki

Actual results:
At the end of the page:
Error while writing page 'hitcount.data' 

Expected results:
No error

Additional info:
This could be a problem with Apache, because if it were running in 
the 'httpd_sys_script_t' domain (instead of 'httpd_t') while 
executing PHP scripts, the following rule would allow the append:

allow httpd_sys_script_t httpd_sys_script_rw_t:{ file ...} {... append ...}

But I don't know SELinux that well.

Comment 1 Daniel Walsh 2005-01-19 11:26:48 EST
What version of policy are you running?  The latest version with the 
httpd_unified boolean set should allow this.

Comment 2 Valeriy Ovechkin 2005-02-01 21:15:19 EST
The RPM name is:

Comment 3 Daniel Walsh 2005-02-02 08:04:54 EST
Please do a yum update on selinux-policy-targeted.  You should be running

selinux-policy-targeted-1.17.30-2.70.noarch.rpm or later.

yum upgrade selinux-policy-targeted

Then do a

setsebool -P httpd_unified 1

to make sure the httpd boolean is set.
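
The AVC denial quoted in the description can be split into its fields for triage. The following Python parser is an added example, not part of the bug report or of any SELinux tool; SAMPLE is the reported message joined onto one line, and the function names are hypothetical. Because the reported line carries no scontext= field, the source domain is reported as not logged rather than guessed.

```python
import re

# Constructed sample: the denial from the description, joined onto one line.
# As on the page, it carries no scontext= field.
SAMPLE = ("Jan 19 10:12:58 localhost kernel: audit(1106147578.393:0): avc:  "
          "denied  { append } for  pid=4702 exe=/usr/sbin/httpd "
          "name=hitcount.data dev=hda4 ino=1802851 "
          "tcontext=root:object_r:httpd_sys_script_rw_t tclass=file")

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$")


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    if not context:
        return None
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one kernel AVC message into a dict; None if it is not an AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # Everything after "for" is a run of whitespace-separated key=value pairs.
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "exe": fields.get("exe"),
        "name": fields.get("name"),
        "source_type": selinux_type(fields.get("scontext")),
        "target_type": selinux_type(fields.get("tcontext")),
        "tclass": fields.get("tclass"),
    }


def describe(avc):
    """One-line triage summary; says so when the source domain is not in the log."""
    src = avc["source_type"] or "<source domain not logged>"
    return "%s: %s -> %s:%s { %s } (exe=%s, name=%s)" % (
        avc["result"], src, avc["target_type"], avc["tclass"],
        " ".join(avc["perms"]), avc["exe"], avc["name"])


if __name__ == "__main__":
    print(describe(parse_avc(SAMPLE)))
```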

