Bug 845085 - wordpress automatic update fails with SELinux enforcing=1
Summary: wordpress automatic update fails with SELinux enforcing=1
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: Unspecified
OS: Linux
unspecified
low
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-08-01 17:22 UTC by Matt Domsch
Modified: 2012-08-02 10:57 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-08-02 10:57:55 UTC
Type: Bug
Embargoed:



Description Matt Domsch 2012-08-01 17:22:07 UTC
Description of problem:

Wordpress has an admin login mode which prompts you for updates necessary to itself, or to any of the plugins or components of itself.  However, when in enforcing mode, SELinux prevents httpd from doing the actions it needs to update itself.  Disabling enforcing mode momentarily allows the sysadmin to let wordpress update itself.  Below are the audit logs seen after disabling enforcing mode, then doing the wordpress update.

type=AVC msg=audit(1343841178.333:135000): avc:  denied  { write } for  pid=25368 comm="httpd" name="wp-content" dev="xvda1" ino=123487 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
type=AVC msg=audit(1343841178.333:135000): avc:  denied  { add_name } for  pid=25368 comm="httpd" name="temp-write-test-1343841178" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
type=AVC msg=audit(1343841178.333:135000): avc:  denied  { create } for  pid=25368 comm="httpd" name="temp-write-test-1343841178" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file
type=AVC msg=audit(1343841178.333:135000): avc:  denied  { write } for  pid=25368 comm="httpd" name="temp-write-test-1343841178" dev="xvda1" ino=123428 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file
type=SYSCALL msg=audit(1343841178.333:135000): arch=c000003e syscall=2 success=yes exit=30 a0=7f339186fb30 a1=241 a2=1b6 a3=38333433312d7473 items=0 ppid=947 pid=25368 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1343841178.333:135001): avc:  denied  { remove_name } for  pid=25368 comm="httpd" name="temp-write-test-1343841178" dev="xvda1" ino=123428 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
type=AVC msg=audit(1343841178.333:135001): avc:  denied  { unlink } for  pid=25368 comm="httpd" name="temp-write-test-1343841178" dev="xvda1" ino=123428 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file
type=SYSCALL msg=audit(1343841178.333:135001): arch=c000003e syscall=87 success=yes exit=0 a0=7f339186fe90 a1=1 a2=0 a3=7fff89e7b910 items=0 ppid=947 pid=25368 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1343841178.347:135002): avc:  denied  { setattr } for  pid=25368 comm="httpd" name=".maintenance" dev="xvda1" ino=123428 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file
type=SYSCALL msg=audit(1343841178.347:135002): arch=c000003e syscall=90 success=yes exit=0 a0=7f3391872b40 a1=1a4 a2=2c a3=7fff89e7b890 items=0 ppid=947 pid=25368 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1343841179.011:135003): avc:  denied  { create } for  pid=25368 comm="httpd" name="jetpack.tmp" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1343841179.011:135003): arch=c000003e syscall=83 success=yes exit=0 a0=7f339187d6a8 a1=1ff a2=8 a3=7fff89e7b910 items=0 ppid=947 pid=25368 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1343841179.028:135004): avc:  denied  { setattr } for  pid=25368 comm="httpd" name="jetpack.tmp" dev="xvda1" ino=197219 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1343841179.028:135004): arch=c000003e syscall=90 success=yes exit=0 a0=7f339187d6a8 a1=1ed a2=3e a3=7fff89e7b890 items=0 ppid=947 pid=25368 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1343841179.028:135005): avc:  denied  { write } for  pid=25368 comm="httpd" name="jetpack.tmp" dev="xvda1" ino=197219 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=dir
type=AVC msg=audit(1343841179.028:135005): avc:  denied  { add_name } for  pid=25368 comm="httpd" name="jetpack" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1343841179.028:135005): arch=c000003e syscall=83 success=yes exit=0 a0=7f339186f098 a1=1ff a2=8 a3=7fff89e7b910 items=0 ppid=947 pid=25368 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1343841179.264:135006): avc:  denied  { remove_name } for  pid=25368 comm="httpd" name="jetpack.php" dev="xvda1" ino=174604 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1343841179.264:135006): arch=c000003e syscall=87 success=yes exit=0 a0=7f33918bb430 a1=1 a2=0 a3=7fff89e7b910 items=0 ppid=947 pid=25368 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1343841179.396:135007): avc:  denied  { rmdir } for  pid=25368 comm="httpd" name="languages" dev="xvda1" ino=174608 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1343841179.396:135007): arch=c000003e syscall=84 success=yes exit=0 a0=7f33918b8d58 a1=1 a2=8 a3=7fff89e7b920 items=0 ppid=947 pid=25368 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=MAC_STATUS msg=audit(1343841184.064:135008): enforcing=1 old_enforcing=0 auid=1000 ses=6932

Version-Release number of selected component (if applicable):
selinux-policy-3.10.0-89.fc16.noarch

How reproducible:
always

Steps to Reproduce:
1. Install F16
2. Install wordpress by hand
3. Try upgrading wordpress following admin login
  
Actual results:
Wordpress fails to update itself

Expected results:
Wordpress can update itself

Additional info:

Comment 1 Miroslav Grepl 2012-08-02 10:57:55 UTC
Where are wp-content with other wordpress directories located in your case?

You will need to change labeling to httpd_sys_rw_content_t.
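
Added example (not part of the bug report or of any Fedora tooling): a Python script that groups the AVC denials from the description by source type, target type and object class, then prints the `semanage fcontext` and `restorecon` commands that apply the relabel suggested in Comment 1. The three AVC lines are copied from the report; the WordPress path is a placeholder, since the report does not say where it is installed.

```python
import re
from collections import defaultdict

# Three AVC records copied from the report above (SYSCALL records omitted).
SAMPLE = '''\
type=AVC msg=audit(1343841178.333:135000): avc:  denied  { write } for  pid=25368 comm="httpd" name="wp-content" dev="xvda1" ino=123487 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
type=AVC msg=audit(1343841178.333:135000): avc:  denied  { create } for  pid=25368 comm="httpd" name="temp-write-test-1343841178" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file
type=AVC msg=audit(1343841179.396:135007): avc:  denied  { rmdir } for  pid=25368 comm="httpd" name="languages" dev="xvda1" ino=174608 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=dir
type=MAC_STATUS msg=audit(1343841184.064:135008): enforcing=1 old_enforcing=0 auid=1000 ses=6932
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(':')[2]

def summarize(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith('type=AVC'):
            continue  # skip SYSCALL, MAC_STATUS and other record types
        m = AVC_RE.search(line)
        if m:
            key = (se_type(m['s']), se_type(m['t']), m['cls'])
            summary[key].update(m['perms'].split())
    return dict(summary)

def relabel_commands(directory, new_type='httpd_sys_rw_content_t'):
    """Commands that record a persistent label rule and apply it to disk."""
    return [
        f"semanage fcontext -a -t {new_type} '{directory}(/.*)?'",
        f"restorecon -Rv {directory}",
    ]

if __name__ == '__main__':
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE).items()):
        print(f'{src} -> {tgt} [{cls}]: {" ".join(sorted(perms))}')
    # Hypothetical path: the report does not say where WordPress is installed.
    for cmd in relabel_commands('/path/to/wordpress/wp-content'):
        print(cmd)
```

Every denial in the sample has `httpd_t` as the source and `httpd_user_content_t` as the target, so relabeling only the directories WordPress must write to keeps the rest of the tree read-only to httpd.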

