Description of problem: Unless defined in the php.ini, the default upload directory is /tmp/ which the selinux policy does not allow apache (via php) to work well with.
Version-Release number of selected component (if applicable): selinux-policy-targeted-sources-1.17.30-2.126
How reproducible: always
Steps to Reproduce:
1. enable selinux
2. use default configs
3. upload file via php to default tmp dir & perform an action
Actual results: php script fails because it does not have getattr permission (and more) in /tmp
Expected results: script succeeds.
Additional info: I'm of the opinion the admin should know where files are going, and should define the temp dir in php accordingly, but this 'should' work if it's the default. Creating /var/www/tmp and defining that in php.ini works because it inherits the permissions from /var/www... Alternative would be to edit the apache contexts which I'm not about to touch....
What avc messages are you seeing?
Below is an excerpt from /var/log/audit resulting from apache+php performing actions on a file in temp (specifically a web application unpacking an archive of photos for processing).
type=CWD msg=audit(1148695347.206:38478): cwd="/tmp/2/phpdP1fxF"
type=PATH msg=audit(1148695347.206:38478): name="." flags=1 inode=12320797 dev=fd:00 mode=040755 ouid=48 ogid=48 rdev=00:00
type=AVC msg=audit(1148695347.206:38479): avc: denied { search } for pid=17058 comm="sh" name="phpdP1fxF" dev=dm-0 ino=12320797 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_tmp_t tclass=dir
type=SYSCALL msg=audit(1148695347.206:38479): arch=40000003 syscall=195 success=no exit=-13 a0=80d178a a1=bfed58d0 a2=65cff4 a3=876d750 items=1 pid=17058 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="sh" exe="/bin/bash"
type=CWD msg=audit(1148695347.206:38479): cwd="/tmp/2/phpdP1fxF"
type=PATH msg=audit(1148695347.206:38479): name="." flags=1 inode=12320797 dev=fd:00 mode=040755 ouid=48 ogid=48 rdev=00:00
type=AVC msg=audit(1148695347.210:38480): avc: denied { search } for pid=17058 comm="sh" name="phpdP1fxF" dev=dm-0 ino=12320797 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_tmp_t tclass=dir
type=SYSCALL msg=audit(1148695347.210:38480): arch=40000003 syscall=195 success=no exit=-13 a0=80d178a a1=bfed57b0 a2=65cff4 a3=876d750 items=1 pid=17058 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="sh" exe="/bin/bash"
type=CWD msg=audit(1148695347.210:38480): cwd="/tmp/2/phpdP1fxF"
type=PATH msg=audit(1148695347.210:38480): name="." flags=1 inode=12320797 dev=fd:00 mode=040755 ouid=48 ogid=48 rdev=00:00
type=AVC msg=audit(1148695347.333:38481): avc: denied { getattr } for pid=17058 comm="unzip" name="phpdP1fxF" dev=dm-0 ino=12320795 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_tmp_t tclass=file
type=SYSCALL msg=audit(1148695347.333:38481): arch=40000003 syscall=195 success=no exit=-13 a0=8072e04 a1=bfe86f1c a2=65cff4 a3=bfe86f1c items=1 pid=17058 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="unzip" exe="/usr/bin/unzip"
type=AVC_PATH msg=audit(1148695347.333:38481): path="/tmp/phpdP1fxF"
type=CWD msg=audit(1148695347.333:38481): cwd="/tmp/2/phpdP1fxF"
type=PATH msg=audit(1148695347.333:38481): name="/tmp/phpdP1fxF" flags=1 inode=12320795 dev=fd:00 mode=0100600 ouid=48 ogid=48 rdev=00:00
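As an added example (not part of the bug report), a small Python parser that reads audit lines like the ones above, extracts each "avc: denied" record, and counts denials per source type, target type, object class and permission, so the httpd_sys_script_t to httpd_tmp_t pattern discussed here can be picked out of a larger log. The sample lines are constructed, modelled on the excerpt; the last record is a different denial to show the filtering.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the excerpt above (same contexts and
# permissions); the last record is a different denial, to show filtering.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1148695347.206:38479): avc: denied { search } for pid=17058 comm="sh" name="phpdP1fxF" dev=dm-0 ino=12320797 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_tmp_t tclass=dir
type=SYSCALL msg=audit(1148695347.206:38479): arch=40000003 syscall=195 success=no exit=-13 comm="sh" exe="/bin/bash"
type=AVC msg=audit(1148695347.210:38480): avc: denied { search } for pid=17058 comm="sh" name="phpdP1fxF" dev=dm-0 ino=12320797 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_tmp_t tclass=dir
type=AVC msg=audit(1148695347.333:38481): avc: denied { getattr } for pid=17058 comm="unzip" name="phpdP1fxF" dev=dm-0 ino=12320795 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_tmp_t tclass=file
type=AVC msg=audit(1148695400.001:38490): avc: denied { read write } for pid=17099 comm="httpd" name="notes.txt" dev=dm-0 ino=777 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc: denied \{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """user:role:type[:level] -> type (works with and without an MLS level)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else parts[-1]

def parse_avc(text):
    """Return one dict per 'avc: denied' record; other audit records are skipped."""
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["perms"] = ev["perms"].split()      # "{ read write }" -> ["read", "write"]
        ev["stype"] = context_type(ev["scontext"])
        ev["ttype"] = context_type(ev["tcontext"])
        events.append(ev)
    return events

def summarize(events):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for ev in events:
        for perm in ev["perms"]:
            counts[(ev["stype"], ev["ttype"], ev["tclass"], perm)] += 1
    return counts

def is_httpd_tmp_denial(ev):
    """The pattern this bug is about: a CGI/script domain denied on httpd_tmp_t."""
    return ev["stype"] == "httpd_sys_script_t" and ev["ttype"] == "httpd_tmp_t"
```

Run it over the real /var/log/audit/audit.log by passing the file contents to parse_avc; the summary counts are what you would feed to audit2allow or compare against the policy change made later in this bug.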
Joe and James, does it make sense to allow http cgi scripts to read files created by the apache daemon in /tmp? Can you think of anything that apache might put out there that could be attacked? Should we set up a boolean to allow users to use the /tmp directory? Or force them to create a tmp directory in the /var/www tree? Dan
My gut feeling is that the defaults for php should move to /var/www/tmp (but that is internal, not CGI ... no?). One obvious problem is that if apache can read /tmp it can see all the directory entries for ssh-agent etc. I don't think anything worthwhile is created in /tmp by apache ... but Joe might know of something. Having a bool that allows tmp_t access would be fair enough (but should probably be off by default ... or it might be good to tie it with the enable_cgi bool).
I would rather have apache kept out of /tmp and have it use /var/www/tmp or some other similar directory. I think selinux is doing the right thing by blocking /tmp access, but if people are expecting uploads to 'just work' then defining /var/www/tmp is a quick and simple fix.
There are certainly a few places where PHP will internally create temporary files as part of normal operation (the gd extension will do it when producing image output, for example). I wonder whether creating a new /tmp specifically for use by httpd is a bad precedent to set; if we need a per-daemon /tmp then I'd have thought we could come up with some better way to do it than creating N directories for N daemons. But yes, doing this would probably be better than giving httpd read access to /tmp by default, and it would be simple to do.
I agree that this could become cluttered if it's not handled properly. Currently there are several instances where there are per-daemon directories already, /var/cache, /var/log, /etc/ etc, but they're all mostly organized. What about having something like /tmp/httpd/ or /var/tmp/httpd ? Granted /tmp is fair game for cleaning and may not be the right choice, but hopefully I'm getting the general idea across.
So we need to change apache, so reassigning bug?
There is no "apache", only "httpd" :) But anyway, as I said, we need some distro-wide standard on how to do per-daemon /tmp, putting one in /var/www just for httpd is not really viable. It needs to be tmpwatch-managed, and so it can't be under /tmp or /var/tmp.
In retrospect I can't see why the httpd context can't simply be allowed to read and write files to /tmp (but not, of course, execute; ability to get directory listing should also be restricted I guess). Creating a separate directory seems like overkill. Can you make this change in the policy, Dan?
Fixed in selinux-policy-targeted-1.17.30-2.146
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
I can't reproduce it ... What am I doing wrong? AVC messages maybe generate leaked descriptor ... Uploads work, even copying files in /tmp by the php script. I have noticed a strange thing: when I'm not logged in, no "avc: denied" message. It obviously isn't depending on tested architecture.
# cat /var/www/html/uploader.php
<?php
$target_path = "/tmp/";
chdir($target_path);
$target_path = $target_path . basename($_FILES['uploadedfile']['name']);
if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "File " . basename($_FILES['uploadedfile']['name']) . " has been uploaded.";
} else {
    echo "An error.";
}
// Quote the path so the uploaded file name cannot inject shell syntax into the command.
exec("unzip " . escapeshellarg($target_path));
exec("cp /tmp/test/* .");
?>
# cat /var/www/html/index.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>
<title></title>
</head>
<body>
<form enctype="multipart/form-data" action="uploader.php" method="POST">
Vyber soubor: <input name="uploadedfile" type="file" /><input type="submit" value="OK" />
</form>
</body>
</html>
# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.145.noarch
# hostname
i386-4as.test.redhat.com
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 18
Policy from config file: targeted
Policy booleans:
allow_syslog_to_console inactive
allow_ypbind active
dhcpd_disable_trans inactive
httpd_builtin_scripting active
httpd_disable_trans inactive
httpd_enable_cgi active
httpd_enable_homedirs active
httpd_ssi_exec active
httpd_tty_comm inactive
httpd_unified active
...
Created attachment 160870 [details] StrangeAVCdenied
Created attachment 160873 [details] it accidentally happened when I was logged off ... It is worth mentioning that my pwd after ssh is /root; the path /opt/Errata/2007:0741/tps, as you can see in the log, I created an hour ago.
In RHEL4 you need to turn on two booleans to get apache to use nfs:
setsebool -P httpd_enable_homedirs=1 use_nfs_home_dirs=1
Created attachment 161191 [details]
It hasn't been fixed - after uploads it throws the following messages - but it works. The test script used is the same as listed in Comment #15.
# getenforce
Enforcing
# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.146.noarch
# getsebool -a | grep 'httpd_enable_homedirs\|use_nfs_home_dirs'
httpd_enable_homedirs --> active
use_nfs_home_dirs --> active
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0741.html