Bug 164866 - default SELinux context of /var/cache/php-eaccelerator incorrect
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: php-eaccelerator
Version: 4
Hardware: i386 Linux
Priority: medium  Severity: medium
Assigned To: Matthias Saou
QA Contact: Fedora Extras Quality Assurance
Reported: 2005-08-01 21:41 EDT by Ian Neubert
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2005-12-20 09:01:08 EST
Attachments: None

Description Ian Neubert 2005-08-01 21:41:30 EDT

Description of problem:
The default context of the /var/cache/php-eaccelerator is system_u:object_r:var_t. This is incorrect and will not work on a machine using SELinux. It should be set to: system_u:object_r:httpd_cache_t. The following line fixes the problem.

chcon -Rt httpd_cache_t /var/cache/php-eaccelerator

Version-Release number of selected component (if applicable):
5.0.4_0.9.3-3.fc4

How reproducible:
Always

Steps to Reproduce:
1. yum install php-eaccelerator
2. setenforce 1
3. service httpd start
4. tail /var/log/audit/audit.log

Actual Results:
type=AVC msg=audit(1122946107.555:942864): avc:  denied  { read } for  pid=3880 comm="httpd" name="eaccelerator-86746.8172501" dev=dm-0 ino=951544 scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=file
type=SYSCALL msg=audit(1122946107.555:942864): arch=40000003 syscall=5 success=no exit=-13 a0=bfaa4670 a1=0 a2=312e3634 a3=bfaa4670 items=1 pid=3880 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=CWD msg=audit(1122946107.555:942864):  cwd="/var/www/html"
type=PATH msg=audit(1122946107.555:942864): item=0 name="/var/cache/php-eaccelerator/eaccelerator-86746.8172501" flags=101  inode=951544 dev=fd:00 mode=0100600 ouid=48 ogid=48 rdev=00:00

Expected Results: No errors should have occurred.

Additional info:
Comment 1 Matthias Saou 2005-08-02 11:03:55 EDT
What is the proper way to solve this within the package? I really don't know,
myself, and already asked in #150292 (same issue with mmcache) and never got an
answer.

Insight would be very welcome...
Comment 2 Russell Coker 2005-08-03 02:07:14 EDT
/var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t

The policy has to be changed to add a line such as the above.  I'll send Dan
an email and CC fedora-selinux-list.

In future just file bug reports against the SE Linux policy package in
question.

Note that we won't be making huge changes to SE Linux policy for things in
extras (i.e. no changes that break other things).  Also the priority of the
policy changes will not be as high as it would be for a Fedora Core package.
But it will get included in future releases.
Comment 3 Matthias Saou 2005-08-03 07:26:17 EDT
Thanks a lot for the information, I wasn't sure where that needed to be changed.
Would it be possible to also spool an update for Fedora Core 3 for
/var/cache/php-mmcache(/.*)? then? This would fix #150292.
As mmcache isn't maintained anymore, and eaccelerator replaces it (but with
different PHP function names, so it can't be dropped in as a replacement), it's
not needed for FC4.

If the policy change above will also be pushed to FC3, another option would be
for me to rebuild mmcache packages that use the /var/cache/php-eaccelerator/
directory instead. Shouldn't be a problem at all doing so.
Comment 4 Ian Neubert 2005-08-03 13:03:35 EDT
(In reply to comment #2)
> Note that we won't be making huge changes to SE Linux policy for things in
> extras (i.e. no changes that break other things).  Also the priority of the
> policy changes will not be as high as it would be for a Fedora Core package.
> But it will get included in future releases.

As a workaround can a package issue the chcon command to make its own changes?
Or is that not the Right Thing to do? I'm curious as to what the Fedora policy
is on this kind of thing for when I write my own packages.
Comment 5 Brandon Amaro 2005-08-07 03:34:50 EDT
The chcon command appears to work, as now my /var/cache/php-eaccelerator
directory is full of cached scripts (before there were none)...
Comment 6 Matthias Saou 2005-11-29 07:27:01 EST
On my current FC4 system, I have both:

/var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t
/var/cache/php-mmcache(/.*)?      system_u:object_r:httpd_cache_t

Inside /etc/selinux/targeted/contexts/files/file_contexts.

Could you confirm that it now works by default with this?
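An added example, not part of this bug report, that ties the AVC denial in the description to the file_contexts entries in comment 6: it parses the two audit records, looks up the label those entries would assign to the denied path, and reports the mismatch. The audit lines are constructed copies of the ones quoted above, and the suggested fix uses restorecon (relabelling from file_contexts) as the durable alternative to the one-off chcon in the report.

```python
import os
import re

# Constructed copies of the two audit records quoted in the bug description.
AVC_LINE = ('type=AVC msg=audit(1122946107.555:942864): avc:  denied  { read } for  pid=3880 '
            'comm="httpd" name="eaccelerator-86746.8172501" dev=dm-0 ino=951544 '
            'scontext=root:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=file')
PATH_LINE = ('type=PATH msg=audit(1122946107.555:942864): item=0 '
             'name="/var/cache/php-eaccelerator/eaccelerator-86746.8172501" flags=101  '
             'inode=951544 dev=fd:00 mode=0100600 ouid=48 ogid=48 rdev=00:00')

# The two file_contexts entries shown in comment 6: (regex, expected context).
FILE_CONTEXTS = [
    (r"/var/cache/php-eaccelerator(/.*)?", "system_u:object_r:httpd_cache_t"),
    (r"/var/cache/php-mmcache(/.*)?", "system_u:object_r:httpd_cache_t"),
]

def parse_audit(line):
    """Split one audit record into a dict of key=value fields (quotes stripped)."""
    fields = {}
    for m in re.finditer(r'(?:^|\s)(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def expected_context(path, file_contexts=FILE_CONTEXTS):
    """Label file_contexts would assign to path (later entries take precedence),
    or None when no entry matches, i.e. the policy still lacks a line for it."""
    ctx = None
    for pattern, context in file_contexts:
        if re.fullmatch(pattern, path):
            ctx = context
    return ctx

def diagnose(avc_line, path_line, file_contexts=FILE_CONTEXTS):
    """Describe the label mismatch behind an AVC file denial, or return None
    when the record is not such a denial or the on-disk label already matches."""
    avc = parse_audit(avc_line)
    if (avc.get("type") != "AVC" or "denied" not in avc_line
            or avc.get("tclass") not in ("file", "dir")):
        return None
    target = parse_audit(path_line).get("name")
    if target is None:
        return None
    expected = expected_context(target, file_contexts)
    if expected is None or expected == avc["tcontext"]:
        return None
    # Policy already knows the right label, so relabel from file_contexts (restorecon).
    return {"path": target, "actual": avc["tcontext"], "expected": expected,
            "fix": "restorecon -Rv " + os.path.dirname(target)}
```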
