From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.8) Gecko/20050516 Firefox/1.0.4

Description of problem:
The default context of the /var/cache/php-eaccelerator is system_u:object_r:var_t. This is incorrect and will not work on a machine using SELinux. It should be set to: system_u:object_r:httpd_cache_t. The following line fixes the problem.

chcon -Rt httpd_cache_t /var/cache/php-eaccelerator

Version-Release number of selected component (if applicable):
5.0.4_0.9.3-3.fc4

How reproducible:
Always

Steps to Reproduce:
1. yum install php-eaccelerator
2. setenforce 1
3. service httpd start
4. tail /var/log/audit/audit.log

Actual Results:
type=AVC msg=audit(1122946107.555:942864): avc: denied { read } for pid=3880 comm="httpd" name="eaccelerator-86746.8172501" dev=dm-0 ino=951544 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=file
type=SYSCALL msg=audit(1122946107.555:942864): arch=40000003 syscall=5 success=no exit=-13 a0=bfaa4670 a1=0 a2=312e3634 a3=bfaa4670 items=1 pid=3880 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=CWD msg=audit(1122946107.555:942864): cwd="/var/www/html"
type=PATH msg=audit(1122946107.555:942864): item=0 name="/var/cache/php-eaccelerator/eaccelerator-86746.8172501" flags=101 inode=951544 dev=fd:00 mode=0100600 ouid=48 ogid=48 rdev=00:00

Expected Results:
No errors should have occurred.

Additional info:
What is the proper way to solve this within the package? I really don't know, myself, and already asked in #150292 (same issue with mmcache) and never got an answer. Insight would be very welcome...
/var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t

The policy has to be changed to add a line such as the above. I'll send Dan an email and CC fedora-selinux-list. In future just file bug reports against the SE Linux policy package in question. Note that we won't be making huge changes to SE Linux policy for things in extras (IE no changes that break other things). Also the priority of the policy changes will not be as high as it would be for a Fedora Core package. But it will get included in future releases.
Thanks a lot for the information, I wasn't sure where that needed to be changed. Would it be possible to also spool an update for Fedora Core 3 for /var/cache/php-mmcache(/.*)? then? This would fix #150292. As mmcache isn't maintained anymore, and eaccelerator replaces it (but with different PHP function names, so it can't be dropped in as a replacement), it's not needed for FC4. If the policy change above will also be pushed to FC3, another option would be for me to rebuild mmcache packages that use the /var/cache/php-eaccelerator/ directory instead. Shouldn't be a problem at all doing so.
(In reply to comment #2)
> Note that we won't be making huge changes to SE Linux policy for things in
> extras (IE no changes that break other things). Also the priority of the
> policy changes will not be as high as it would be for a Fedora Core package.
> But it will get included in future releases.

As a workaround can a package issue the chcon command to make its own changes? Or is that not the Right Thing to do? I'm curious as to what the Fedora policy is on this kind of thing for when I write my own packages.
The chcon command appears to work, as now my /var/cache/php-eaccelerator directory is full of cached scripts (before there were none)...
On my current FC4 system, I have both:

/var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t
/var/cache/php-mmcache(/.*)? system_u:object_r:httpd_cache_t

inside /etc/selinux/targeted/contexts/files/file_contexts. Could you confirm that it now works by default with this?
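As an added example, not code from this bug report, the php-eaccelerator package or Fedora's SELinux policy, the following Python script ties together the two artefacts this thread revolves around: the audit records in the original report and the file_contexts rules from comments 2 and 6. It parses the four audit records of one event, takes the full path from the PATH record (the AVC record only carries the basename), finds the file_contexts rule that applies to that path, and compares the rule's type with the tcontext type in the denial. The audit lines and rules are constructed samples copied from the thread; the function names are mine, and the last-match-wins lookup is a simplification of libselinux's specificity ordering, marked as an assumption in the code.

```python
"""Added example (not from the bug report, php-eaccelerator or Fedora's
SELinux policy): triage an AVC file denial against file_contexts rules."""
import os
import re

# Constructed sample: the four audit records quoted in the report (one event).
AUDIT_EXCERPT = """\
type=AVC msg=audit(1122946107.555:942864): avc: denied { read } for pid=3880 comm="httpd" name="eaccelerator-86746.8172501" dev=dm-0 ino=951544 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=file
type=SYSCALL msg=audit(1122946107.555:942864): arch=40000003 syscall=5 success=no exit=-13 a0=bfaa4670 a1=0 a2=312e3634 a3=bfaa4670 items=1 pid=3880 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=CWD msg=audit(1122946107.555:942864): cwd="/var/www/html"
type=PATH msg=audit(1122946107.555:942864): item=0 name="/var/cache/php-eaccelerator/eaccelerator-86746.8172501" flags=101 inode=951544 dev=fd:00 mode=0100600 ouid=48 ogid=48 rdev=00:00
"""

# Constructed sample file_contexts: a general /var rule plus the two rules
# from the thread, ordered general to specific as the real file is.
FILE_CONTEXTS = """\
# comments and blank lines are ignored
/var(/.*)?                        system_u:object_r:var_t
/var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t
/var/cache/php-mmcache(/.*)?      system_u:object_r:httpd_cache_t
"""


def parse_record(line):
    """Split one audit record into its key=value fields (quotes stripped).
    For AVC records also capture the decision and the permission set."""
    rec = {}
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}", line)
    if m:
        rec["decision"] = m.group(1)
        rec["perms"] = m.group(2).split()
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        rec[key] = val.strip('"')
    return rec


def parse_audit(text):
    """Group records by their msg=audit(...) serial, then by record type."""
    events = {}
    for line in text.splitlines():
        m = re.search(r"msg=audit\(([^)]*)\)", line)
        if m:
            rec = parse_record(line.strip())
            events.setdefault(m.group(1), {})[rec["type"]] = rec
    return events


def context_type(ctx):
    """user:role:type[:level] -> type"""
    return ctx.split(":")[2]


def parse_file_contexts(text):
    """Return (compiled regex, file-type column or None, context) per rule.
    file_contexts regexes are anchored at both ends; a rule may carry a
    file-type column such as -- or -d between the path and the context."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) == 3:
            regex, ftype, ctx = parts
        elif len(parts) == 2:
            (regex, ctx), ftype = parts, None
        else:
            continue
        rules.append((re.compile("^" + regex + "$"), ftype, ctx))
    return rules


def expected_context(path, rules):
    """Last matching rule wins. Assumption: this mirrors the general-to-
    specific ordering convention; real libselinux sorts by specificity."""
    found = None
    for regex, _ftype, ctx in rules:
        if regex.match(path):
            found = ctx
    return found


def diagnose(audit_text, file_contexts_text):
    """For each denied AVC event, say whether the on-disk label disagrees
    with policy (relabel) or policy itself lacks a rule (policy bug)."""
    rules = parse_file_contexts(file_contexts_text)
    reports = []
    for recs in parse_audit(audit_text).values():
        avc = recs.get("AVC")
        if not avc or avc.get("decision") != "denied":
            continue
        path = recs.get("PATH", {}).get("name", avc.get("name", ""))
        expected = expected_context(path, rules)
        report = {
            "path": path,
            "source_type": context_type(avc["scontext"]),
            "perms": avc.get("perms", []),
            "actual_type": context_type(avc["tcontext"]),
            "expected_type": context_type(expected) if expected else None,
        }
        if expected is None:
            report["verdict"] = "no file_contexts rule covers this path: the policy package needs a rule"
        elif report["expected_type"] != report["actual_type"]:
            report["verdict"] = "on-disk label differs from policy: relabel with restorecon -R " + os.path.dirname(path)
        else:
            report["verdict"] = "label matches policy: the denial needs an allow rule, not a relabel"
        reports.append(report)
    return reports


if __name__ == "__main__":
    for report in diagnose(AUDIT_EXCERPT, FILE_CONTEXTS):
        for key, value in report.items():
            print(f"{key}: {value}")
```

With the thread's data the verdict is "on-disk label differs from policy", which is the situation in comment 6: once file_contexts carries the rule, restorecon applies it persistently, whereas a chcon label is lost on the next relabel. With the rule absent the verdict points at the policy package instead, which is the route comment 2 recommends.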