Selinux disallow file uploads

Support for security such as Firewalls and securing linux
Post Reply
agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Selinux disallow file uploads

Post by agriz » 2015/05/02 14:49:01

Is there anyway to turn on selinux to upload files.
Right now it is disabled and the file uploads works good.

setenforce Permissive
i don't want to disable selinux
Please help

Thanks

User avatar
TrevorH
Forum Moderator
Posts: 27127
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Selinux disallow file uploads

Post by TrevorH » 2015/05/02 16:15:25

If you are permssive now then look in your audit log to see if anything was being denied (but allowed due to permissive). If so then run those alerts through audit2allow to generate a policy to allow them. Use aureport, ausearch, audit2allow.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: Selinux disallow file uploads

Post by agriz » 2015/05/03 08:34:23

Code: Select all

type=AVC msg=audit(1430642939.509:7804): avc:  denied  { create } for  pid=xxxxx comm="php-fpm" name="ad9061aa5dd6f1d2a601af09c760d2c0.jpg" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file

type=SYSCALL msg=audit(1430643102.845:7805): arch=c000003e syscall=2 success=yes exit=5 a0=7f6718f1de70 a1=241 a2=1b6 a3=1 items=0 ppid=xxxxx pid=xxxxx auid=xxxxxxxx uid=xx gid=xx euid=xx suid=xx fsuid=xx egid=xx sgid=xx fsgid=xx tty=(none) ses=xcxcxcxc comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
These are the last two messages. Is it safe to share in public forum?
I have hidden some of the id numbers here.

Does it block php-fpm's actions?

User avatar
TrevorH
Forum Moderator
Posts: 27127
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Selinux disallow file uploads

Post by TrevorH » 2015/05/03 10:45:56

That top AVC shows that you have tried to write to a directory that is not labelled with the correct context or that the place you try to write to is not correct. The target of the write is labelled system_u:object_r:httpd_sys_content_t:s0 and the process that is trying to write to it has a context of scontext=system_u:system_r:httpd_t:s0 and httpd_t is not allowed to write to httpd_sys_content_t (nor should it be allowed to).

Your upload directory is probably in the wrong location or it has the wrong context. Where is it trying to write to and what is the output from ls -laZ /path/to/upload/directory (obviouosly change that path!).

There's no sensitive information in the AVC output and all of it can safely be posted.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: Selinux disallow file uploads

Post by agriz » 2015/05/03 11:21:41

drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. mahesh mahesh unconfined_u:object_r:httpd_sys_content_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 2.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
...
...

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: Selinux disallow file uploads

Post by agriz » 2015/05/03 11:36:45

i store files at /var/www/public_html/uploads
I use codeigniter

index.php is placed in public_html

system
application are placed in /var/www

i was getting forbidden error.

so i executed this.
-Rt httpd_sys_content_t /path/to/www
-Rt httpd_sys_content_t /path/to/www/public_htmls/

Please advice

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: Selinux disallow file uploads

Post by agriz » 2015/05/03 17:29:17

TrevorH wrote:That top AVC shows that you have tried to write to a directory that is not labelled with the correct context or that the place you try to write to is not correct. The target of the write is labelled system_u:object_r:httpd_sys_content_t:s0 and the process that is trying to write to it has a context of scontext=system_u:system_r:httpd_t:s0 and httpd_t is not allowed to write to httpd_sys_content_t (nor should it be allowed to).

Your upload directory is probably in the wrong location or it has the wrong context. Where is it trying to write to and what is the output from ls -laZ /path/to/upload/directory (obviouosly change that path!).

There's no sensitive information in the AVC output and all of it can safely be posted.
How do i find/choose the right path to upload?
Please advice.

Thanks

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: Selinux disallow file uploads

Post by agriz » 2015/05/04 14:36:12

Hi

Please advice..

User avatar
jyoung
Posts: 102
Joined: 2014/09/22 13:40:31
Location: Nashville, TN, USA

Re: Selinux disallow file uploads

Post by jyoung » 2015/05/11 13:21:14

agriz wrote:drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. mahesh mahesh unconfined_u:object_r:httpd_sys_content_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 2.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
...
...
I'm assuming that this was a listing of your public uploads folder, but only after you'd manually changed file contexts. Searching one of my RHEL 7 servers, I see that this is true:

Code: Select all

sesearch -A -C -s httpd_t -c file -p write | grep public
DT allow httpd_t public_content_rw_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ httpd_anon_write ]

So, with that information, what if you execute the following?

Code: Select all

semanage fcontext -a -t public_content_rw_t "/var/www/html/public_htmls(/.*)?"
semanage boolean --modify --on httpd_anon_write
restorecon -R -v /var/www/  ## To fix any "chcon" work that you've done
-- Jeremy --

Post Reply

Return to “CentOS 7 - Security Support”