Bug 588995 - SELinux prevented httpd (/usr/sbin/httpd) write access to settings.php.
Summary: SELinux prevented httpd (/usr/sbin/httpd) write access to settings.php.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:c8bbc021505...
Depends On:
Blocks:
Reported: 2010-05-05 04:23 UTC by speamr18
Modified: 2010-12-16 03:42 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-05-05 15:18:46 UTC
Type: ---
Embargoed:



Description speamr18 2010-05-05 04:23:02 UTC
Summary:

SELinux prevented httpd (/usr/sbin/httpd) write access to settings.php.

Detailed Description:

SELinux prevented httpd write access to settings.php. httpd scripts are not
allowed to write to content without explicit labeling of all files. If
settings.php is writable content. it needs to be labeled httpd_sys_content_rw_t
or if all you need is append you can label it httpd_sys_content_ra_t. Please
refer to 'man httpd_selinux' for more information on setting up httpd and
selinux.

Allowing Access:

You can alter the file context by executing chcon -R -t httpd_sys_content_rw_t
'settings.php' You must also change the default file context files on the system
in order to preserve them even on a full relabel. "semanage fcontext -a -t
httpd_sys_content_rw_t 'settings.php'"

Fix Command:

chcon -R -t httpd_sys_content_rw_t 'settings.php'

Additional Information:

Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:httpd_sys_content_t:s0
Target Objects                settings.php [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           httpd-2.2.15-1.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-10.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   httpd_write_content
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.3-72.fc13.x86_64 #1 SMP
                              Wed Apr 28 15:48:01 UTC 2010 x86_64 x86_64
Alert Count                   10
First Seen                    Tue 04 May 2010 10:54:01 PM CDT
Last Seen                     Tue 04 May 2010 11:10:33 PM CDT
Local ID                      3fe96339-dd90-4b9b-8ac7-2f1e069002ef
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1273032633.435:32935): avc:  denied  { write } for  pid=2997 comm="httpd" name="settings.php" dev=dm-0 ino=132528 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1273032633.435:32935): arch=c000003e syscall=21 success=no exit=-13 a0=7f0d702bef10 a1=2 a2=0 a3=7f0d6faa3690 items=0 ppid=2918 pid=2997 auid=4294967295 uid=48 gid=487 euid=48 suid=48 fsuid=48 egid=487 sgid=487 fsgid=487 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)



Hash String generated from  httpd_write_content,httpd,httpd_t,httpd_sys_content_t,file,write
audit2allow suggests:

#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'

allow httpd_t httpd_sys_content_t:file write;

Comment 1 Miroslav Grepl 2010-05-05 10:16:29 UTC
Where is the settings.php file located? It should be labeled as httpd_sys_content_rw_t.

Comment 2 speamr18 2010-05-05 14:06:55 UTC
(In reply to comment #1)
> Where is the settings.php file located? It should be labeled as
> httpd_sys_content_rw_t.    

/etc/drupal/default/settings.php

This is the default location of the file when drupal is installed via yum. Not sure if putting the file in /etc by default is an oversight or not but drupal will not work with selinux running.

p.s. I also tried another drupal install with the settings file at /var/www/html/sites/default/settings.php
with the same outcome.

Comment 3 Miroslav Grepl 2010-05-05 14:55:03 UTC
Ok, what is your output of these commands?

# ls -Z /etc/drupal/default/settings.php
# matchpathcon /etc/drupal/default/settings.php

Comment 4 Daniel Walsh 2010-05-05 15:18:46 UTC
restorecon -R -v /etc/drupal

Will fix the labels.  Similarly restorecon -R -v /var/www/html/sites


speamr18, SELinux is all about the labels, not necessarily the location.

man httpd_selinux 

Will explain the labels httpd expects.
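
Added example, not part of the original bug report and not code from any commenter: a Python triage helper that parses the AVC record from the Raw Audit Messages above and compares the target file's type with the type comment 1 says settings.php should carry. The function names are hypothetical; on a live system the expected type would come from matchpathcon, as asked for in comment 3.

```python
import re

# AVC record copied from the "Raw Audit Messages" section of this report.
AVC_LINE = (
    'node=(removed) type=AVC msg=audit(1273032633.435:32935): avc:  denied  '
    '{ write } for  pid=2997 comm="httpd" name="settings.php" dev=dm-0 '
    'ino=132528 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC audit line, or None for other record types."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    return rec


def context_type(context):
    """Extract the type field from a user:role:type:level security context."""
    parts = context.split(':')
    if len(parts) < 3:
        raise ValueError('not an SELinux context: %r' % context)
    return parts[2]


def triage(line, expected_type):
    """Summarise a denial and flag whether the target carries an unexpected label.

    expected_type is an assumption supplied by the caller (here: the type
    named in comment 1); the helper does not query the loaded policy.
    """
    rec = parse_avc(line)
    if rec is None or rec['result'] != 'denied':
        return None
    actual = context_type(rec['tcontext'])
    return {
        'source_type': context_type(rec['scontext']),
        'target_type': actual,
        'tclass': rec['tclass'],
        'perms': rec['perms'],
        'name': rec['name'],
        'mislabeled': actual != expected_type,
    }
```

When `mislabeled` is true, the denial points at the file's label rather than at missing policy, which is the case comment 4 resolves with restorecon instead of the allow rule audit2allow prints.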

