Bug 289141 - Refused drupal write access to /tmp
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Version: 7
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-09-13 07:45 EDT by Dave Pawson
Modified: 2007-11-30 17:12 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-09-17 16:03:40 EDT

Attachments
audit log from newly installed OS (91.54 KB, text/plain), 2007-09-18 02:39 EDT, Dave Pawson

Description Dave Pawson 2007-09-13 07:45:36 EDT
Description of problem: Drupal attempted to write to /tmp and selinux stopped it.


Version-Release number of selected component (if applicable):
As installed with FC7


How reproducible:
Messy. Install Drupal. Try to set up a page with an image.


Steps to Reproduce:
1. http://localhost/?q=admin/build/themes/settings/chameleon
2. Enter an image location
3. Read the results.

user warning: Can't create/write to file '/tmp/#sql_1796_0.MYI' (Errcode: 13)
query: SELECT DISTINCT b.* FROM blocks b LEFT JOIN blocks_roles r ON b.module =
r.module AND b.delta = r.delta WHERE b.theme = 'chameleon' AND b.status = 1 AND
(r.rid IN (2) OR r.rid IS NULL) ORDER BY b.region, b.weight, b.module in
/var/www/html/includes/database.mysql.inc on line 172.


Actual results:

Selinux reports

Summary
SELinux is preventing /usr/libexec/mysqld (mysqld_t) "search" to tmp
(httpd_sys_script_rw_t).

Detailed Description
SELinux denied access requested by /usr/libexec/mysqld. It is not expected that
this access is required by /usr/libexec/mysqld and this access may signal an
intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for tmp, restorecon -v tmp If this does not
work, there is currently no automatic way to allow this access. Instead, you can
generate a local policy module to allow this access - see FAQ Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report against this package.

Expected results:


Additional info:
Comment 1 Daniel Walsh 2007-09-13 12:19:19 EDT
I have no idea what drupal is.  But this looks like you have mysql trying to read
a tmp directory labeled httpd_sys_script_rw_t?

/tmp should never be labeled httpd_sys_script_rw_t?
Comment 2 Dave Pawson 2007-09-13 13:51:25 EDT
It isn't.

That's the selinux context.
Comment 3 Daniel Walsh 2007-09-13 16:32:20 EDT
You have a denial of mysqld_t searching a tmp directory labeled
httpd_sys_script_rw_t.  This is bad labeling.

I don't know what you mean by that's the selinux context.  I know it is.  I
believe someone has used chcon -t httpd_sys_script_rw_t on a directory named "tmp".
mysql is trying to search this directory and expects it to be labeled tmp_t.

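As an added illustration of the triage described in Comment 3 (this is not part of the bug report or of any Fedora tooling): parse AVC records in /var/log/audit/audit.log format and separate a labeling problem (target type differs from the expected default, fixable with restorecon) from a denial that may be a genuine policy or application issue. The sample records and the expected-type table are constructed for this example; on a real system the expected type comes from the file context database.

```python
import re

# Constructed AVC records in audit.log format, modelled on the denial in this
# bug: mysqld_t searching a "tmp" directory labeled httpd_sys_script_rw_t.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1189686000.123:45): avc:  denied  { search } for  pid=1796 comm="mysqld" name="tmp" dev=dm-0 ino=2 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:httpd_sys_script_rw_t:s0 tclass=dir
type=AVC msg=audit(1189686001.456:46): avc:  denied  { write } for  pid=1796 comm="mysqld" name="tmp" dev=dm-0 ino=2 scontext=system_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

# Hypothetical expected default types (a real check would ask matchpathcon).
EXPECTED_TYPE = {"tmp": "tmp_t", "html": "httpd_sys_content_t"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{\s*([^}]*)\}")


def parse_avc(line):
    """Return the interesting fields of one AVC denial, or None for other records."""
    if not re.search(r"avc:\s+denied", line):
        return None
    perms = PERMS_RE.search(line)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    # A context is user:role:type:level; the type is the third component.
    return {
        "perms": perms.group(1).split() if perms else [],
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass"),
    }


def classify(avc, expected=EXPECTED_TYPE):
    """Label the denial as a mislabeling (with the restorecon fix) or as
    something that needs a policy/application review."""
    want = expected.get(avc["name"])
    if want and want != avc["ttype"]:
        return "mislabeled", f"restorecon -v /{avc['name']}"
    return "policy-or-app", None


def triage(log_text):
    """Parse every AVC record in log_text and return (avc, verdict, fix) tuples."""
    out = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc:
            out.append((avc, *classify(avc)))
    return out
```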
Comment 4 Dave Pawson 2007-09-15 06:53:55 EDT
Yes, it was me.
I sought and failed to find better documentation on selinux for setting
contexts. Only stuff I found was marked FC5.

I lost xfs for the same reason.

I re-installed FC7 to clear it up. Even that reports violations on
a default install! 

Now running selinux on 'tell me' mode. Waste of space currently and bloody
annoying.

Clear this bug if you wish.

regards

Comment 5 Daniel Walsh 2007-09-17 16:03:40 EDT
If you are yum updated to latest fc7 policy and labeling is correct, you should
not see avc messages.  If you do please send me the /var/log/audit/audit.log.
Comment 6 Dave Pawson 2007-09-18 02:39:54 EDT
Created attachment 198101 [details]
audit log from newly installed OS