Bug 427151 - selinux conflicts with drupal installation...
selinux conflicts with drupal installation...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
8
i386 Linux
low Severity medium
: ---
: ---
Assigned To: Radek Vokal
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-01-01 09:16 EST by Ezra Peisach
Modified: 2008-11-17 17:02 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-17 17:02:46 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Ezra Peisach 2008-01-01 09:16:07 EST
Description of problem:

There are several selinux label problems.
Specifically /var/lib/drupal and /etc/drupal both need to be labelled with a
fcontext -t httpd_sys_content_t

/etc/drupal is where the configuration files are stored and /var/lib/drupal is
where uploads, etc are stored... They are symlinks from /usr/share/drupal/sites
and /usr/share/drupal/files respectively for the case of a R/O /usr.

Version-Release number of selected component (if applicable):

drupal-5.5-1.fc8 and selinux-policy-targeted-3.0.8-72.fc8

How reproducible:
Always

Steps to Reproduce:
1. On drupal setup - chmod 666 /etc/drupal/default/settings.php and get an
selinux denial on installation
2. If you have a database setup - enable compressed css files - again you get a
failure and /var/lib/drupal/css is not written.
3.
  
Actual results:
In (1) - supported database not found error.
For (2) - the screen is displayed w/o css settings and looks different...

Expected results:
No selinux denials

Additional info:
My workaround is to

/usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/var/lib/drupal(/.*)?"
/usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/etc/drupal(/.*)?"

and restorecon -R /etc/drupal and /var/lib/drupal.

This may be a drupal bug - but I believe this is the proper place...
Comment 1 Féliciano Matias 2008-01-06 16:30:13 EST
(In reply to comment #0)
> Description of problem:
> 
> There are several selinux label problems.
> Specifically /var/lib/drupal and /etc/drupal both need to be labelled with a
> fcontext -t httpd_sys_content_t
> 
> /etc/drupal is where the configuration files are stored and /var/lib/drupal is
> where uploads, etc are stored... They are symlinks from /usr/share/drupal/sites
> and /usr/share/drupal/files respectively for the case of a R/O /usr.
> 

With the *default* configuration, files are uploaded in
/etc/drupal/sites/defaults/files.
Comment 2 Féliciano Matias 2008-01-06 16:31:31 EST
(In reply to comment #1)
> With the *default* configuration, files are uploaded in
> /etc/drupal/sites/defaults/files.

Oops, it's :
/etc/drupal/default/files/
Comment 3 Féliciano Matias 2008-01-06 18:05:58 EST
Sorry, forget my previous comments (#1 and #2) because I use drupal-6.0-dev and
not drupal-5.5 (I repackaged Fedora src.rpm for drupal-6.0-0dev).

Any way, I play around with Drupal and I have some difficulties to get it rigth
and secure.
For example, I can pointe the browser to
http://site.com/drupal/sites/default/settings.php
But settings.php contains the uri (with the password) of the database used. As
long as php is enabled, it's OK (not really sure). But if php is disabled you
can get the file (and any password it contains).

Drupal permit to upload files. By *default* uploaded files are public and
delivered by apache (not via Drupal). This also bypass any access restriction of
Drupal. If the administrator of drupal permit uploading php files (or perl ...),
these files can be executed by apache. NB : The administrator of drupal can do
this, not only the person who installed Drupal (you strictly follow
/usr/share/doc/drupal*/drupal-README.fedora).

I'll check the fedora package again when it will have Drupal 6.0 and fill
bugzilla if I find some security issue.
Comment 4 Féliciano Matias 2008-01-08 12:57:04 EST
The drupal package use php in module (by default). Not php in cgi mode.

I am not sure this bug belong to selinux-policy-targeted.
Comment 5 Daniel Walsh 2008-02-26 16:34:06 EST
Ok I am just getting around to looking at this bugzilla.



/var/lib/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)

/usr/share/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)

Should allow drupal to work.  I did not understand the other section.  Drupal
should not be writing to /etc partition.  This is considered a read only partition.

Any files that need to be written should be moved to /var/lib/drupal

Fixed in selinux-policy-3.0.8-89.fc8




Comment 6 Féliciano Matias 2008-02-27 02:30:23 EST
(In reply to comment #5)
> [...]
> 
> /usr/share/drupal(/.*)?   gen_context(system_u:object_r:httpd_sys_content_t,s0)
> 

I don't need this one.
[admin@one ~]$ rpm -q selinux-policy
selinux-policy-3.0.8-84.fc8
[admin@one ~]$ ll -Z /usr/share/drupal/
-rw-r--r--  root root system_u:object_r:usr_t:s0       COPYRIGHT.txt
-rw-r--r--  root root system_u:object_r:usr_t:s0       cron.php
...

Why ?
Comment 7 Tony Fu 2008-10-05 21:28:05 EDT
User jkubin@redhat.com's account has been closed
Comment 8 Daniel Walsh 2008-11-17 17:02:46 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.