Selinux disallow file uploads
Posted: 2015/05/02 14:49:01
by agriz
Is there any way to turn on SELinux and still upload files?
Right now it is disabled and file uploads work fine.
setenforce Permissive
I don't want to disable SELinux.
Please help.
Thanks
Re: Selinux disallow file uploads
Posted: 2015/05/02 16:15:25
by TrevorH
If you are permissive now, then look in your audit log to see if anything was being denied (but allowed due to permissive). If so, run those alerts through audit2allow to generate a policy to allow them. Use aureport, ausearch, audit2allow.
Re: Selinux disallow file uploads
Posted: 2015/05/03 08:34:23
by agriz
type=AVC msg=audit(1430642939.509:7804): avc: denied { create } for pid=xxxxx comm="php-fpm" name="ad9061aa5dd6f1d2a601af09c760d2c0.jpg" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1430643102.845:7805): arch=c000003e syscall=2 success=yes exit=5 a0=7f6718f1de70 a1=241 a2=1b6 a3=1 items=0 ppid=xxxxx pid=xxxxx auid=xxxxxxxx uid=xx gid=xx euid=xx suid=xx fsuid=xx egid=xx sgid=xx fsgid=xx tty=(none) ses=xcxcxcxc comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
These are the last two messages. Is it safe to share these in a public forum?
I have hidden some of the ID numbers here.
Does it block php-fpm's actions?
Re: Selinux disallow file uploads
Posted: 2015/05/03 10:45:56
by TrevorH
That top AVC shows that you have tried to write to a directory that is not labelled with the correct context or that the place you try to write to is not correct. The target of the write is labelled system_u:object_r:httpd_sys_content_t:s0 and the process that is trying to write to it has a context of scontext=system_u:system_r:httpd_t:s0 and httpd_t is not allowed to write to httpd_sys_content_t (nor should it be allowed to).
Your upload directory is probably in the wrong location or it has the wrong context. Where is it trying to write to, and what is the output from ls -laZ /path/to/upload/directory (obviously change that path!)?
There's no sensitive information in the AVC output and all of it can safely be posted.
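As an added example (not part of the thread), this is the triage TrevorH describes, run over constructed audit records modelled on the AVC agriz posted: each AVC denial is parsed, the allow rule that audit2allow would generate from it is printed, and the denial is classified. A confined httpd_t process denied a write-type permission on httpd_sys_content_t is a labelling problem (the fix is a relabel, not the allow rule), a name_connect to a *_port_t type is normally covered by one of the stock httpd_can_network_connect* booleans, and anything else is "policy", meaning it is what should actually go through audit2allow for review. The pids, file names and the extra MySQL-port denial in AVC_SAMPLE are invented for this example.

```shell
#!/bin/sh
# Constructed audit records modelled on the AVC posted in the thread; pids,
# names and the extra denials are invented for this example.
AVC_SAMPLE='type=AVC msg=audit(1430642939.509:7804): avc:  denied  { create } for  pid=1234 comm="php-fpm" name="upload.jpg" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1430642939.509:7804): arch=c000003e syscall=2 success=yes exit=5 items=0 pid=1234 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1430642950.100:7810): avc:  denied  { write add_name } for  pid=1234 comm="php-fpm" name="uploads" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1430642960.200:7811): avc:  denied  { name_connect } for  pid=1234 comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# Reads audit records on stdin and prints one line per AVC denial:
#   <verdict> <allow rule that audit2allow would generate>
# verdict is "relabel" when httpd_t is denied a write-type permission on
# httpd_sys_content_t (read-only web content: fix the label, do not add the
# rule), "boolean" for a port connect that a stock httpd_can_network_connect*
# boolean covers, and "policy" for anything else, which is what should go
# through audit2allow for review.
avc_triage() {
    awk '
    /^type=AVC / && / denied / {
        perm = ""; scon = ""; tcon = ""; tclass = ""
        # the permission set sits between "{ " and " }"
        a = index($0, "{ "); b = index($0, " }")
        if (a > 0 && b > a) perm = substr($0, a + 2, b - a - 2)
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "scontext") scon = val
            else if (key == "tcontext") tcon = val
            else if (key == "tclass") tclass = val
        }
        split(scon, s, ":"); split(tcon, t, ":")   # user:role:type:level
        stype = s[3]; ttype = t[3]
        rule = "allow " stype " " ttype ":" tclass " { " perm " };"
        verdict = "policy"
        if (stype == "httpd_t" && ttype == "httpd_sys_content_t" &&
            perm ~ /(write|create|unlink|rename|setattr|add_name|remove_name)/)
            verdict = "relabel"
        else if (tclass ~ /socket$/ && perm ~ /name_connect/ && ttype ~ /_port_t$/)
            verdict = "boolean"
        print verdict " " rule
    }'
}

# Counts verdicts so a noisy permissive run can be read at a glance.
avc_summary() {
    avc_triage | awk '{ c[$1]++ } END { for (k in c) print k, c[k] }' | sort
}

printf '%s\n' "$AVC_SAMPLE" | avc_triage
printf '%s\n' "$AVC_SAMPLE" | avc_summary
```

On a real box the input would be `ausearch -m avc -ts recent | avc_triage`. The point of the "relabel" verdict is the one TrevorH makes: audit2allow will happily emit `allow httpd_t httpd_sys_content_t:file { create }`, and loading that module lets the web server write over all of its own static content, which is the thing the stock policy is there to prevent.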
Re: Selinux disallow file uploads
Posted: 2015/05/03 11:21:41
by agriz
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. mahesh mahesh unconfined_u:object_r:httpd_sys_content_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 2.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
...
...
Re: Selinux disallow file uploads
Posted: 2015/05/03 11:36:45
by agriz
I store files at /var/www/public_html/uploads.
I use CodeIgniter.
index.php is placed in public_html.
system and application are placed in /var/www.
I was getting a forbidden error,
so I executed this:
chcon -Rt httpd_sys_content_t /path/to/www
chcon -Rt httpd_sys_content_t /path/to/www/public_htmls/
Please advise.
Re: Selinux disallow file uploads
Posted: 2015/05/03 17:29:17
by agriz
TrevorH wrote:That top AVC shows that you have tried to write to a directory that is not labelled with the correct context or that the place you try to write to is not correct. The target of the write is labelled system_u:object_r:httpd_sys_content_t:s0 and the process that is trying to write to it has a context of scontext=system_u:system_r:httpd_t:s0 and httpd_t is not allowed to write to httpd_sys_content_t (nor should it be allowed to).
Your upload directory is probably in the wrong location or it has the wrong context. Where is it trying to write to, and what is the output from ls -laZ /path/to/upload/directory (obviously change that path!)?
There's no sensitive information in the AVC output and all of it can safely be posted.
How do I find/choose the right path to upload?
Please advise.
Thanks
Re: Selinux disallow file uploads
Posted: 2015/05/04 14:36:12
by agriz
Hi,
Please advise.
Re: Selinux disallow file uploads
Posted: 2015/05/11 13:21:14
by jyoung
agriz wrote:drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. mahesh mahesh unconfined_u:object_r:httpd_sys_content_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 2.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
...
...
I'm assuming that this was a listing of your public uploads folder, but only after you'd manually changed file contexts. Searching one of my RHEL 7 servers, I see that this is true:
sesearch -A -C -s httpd_t -c file -p write | grep public
DT allow httpd_t public_content_rw_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ httpd_anon_write ]
So, with that information, what if you execute the following?
semanage fcontext -a -t public_content_rw_t "/var/www/html/public_htmls(/.*)?"
semanage boolean --modify --on httpd_anon_write
restorecon -R -v /var/www/ ## To fix any "chcon" work that you've done
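An added example, not from the thread or any of its posters, of why jyoung's last line matters: a label set with chcon lives only on the inode, and restorecon resets it to whatever the file_contexts rules say, so the upload directory has to be covered by a rule recorded with semanage fcontext. The script below models that lookup (matchpathcon against a constructed, two-rule subset of file_contexts, last matching rule wins) and then does a restorecon -nv style dry run over a constructed ls -dZ snapshot of the paths agriz named. It uses httpd_sys_rw_content_t, the httpd-only read/write type already visible in agriz's listing, rather than public_content_rw_t plus httpd_anon_write; the rule mechanics are the same either way. Rule regexes, paths and labels are constructed for the example.

```shell
#!/bin/sh
# Constructed subset of file_contexts rules, in file order: the stock entry
# for /var/www plus the one that "semanage fcontext -a" would record for the
# upload directory named in the thread. Format follows file_contexts:
# <regex> <context>; regexes are implicitly anchored at both ends.
FCONTEXT_BASE='/var/www(/.*)?  system_u:object_r:httpd_sys_content_t:s0'
FCONTEXT_RULES="$FCONTEXT_BASE
/var/www/public_html/uploads(/.*)?  system_u:object_r:httpd_sys_rw_content_t:s0"

# Constructed "ls -dZ"-style snapshot of current labels, as after a manual
# chcon (unconfined_u in the user field is how a chcon'd label usually looks).
CURRENT_LABELS='system_u:object_r:httpd_sys_content_t:s0 /var/www
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/public_html
unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/public_html/uploads
unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/public_html/uploads/2.jpg'

# expected_type PATH RULES: the type restorecon would set on PATH, reduced to
# how matchpathcon treats these rules: each regex is matched against the
# whole path and the last matching rule wins. Prints nothing if none match.
expected_type() {
    path=$1; best=""
    while read -r regex ctx; do
        [ -n "$regex" ] || continue
        if printf '%s\n' "$path" | grep -Eqx "$regex"; then
            best=$ctx
        fi
    done <<EOF
$2
EOF
    printf '%s\n' "$best" | cut -d: -f3
}

# relabel_plan RULES: what "restorecon -nv" would report for the snapshot.
# restorecon resets only the type by default (-F also resets user and role),
# so the comparison is on the type field alone.
relabel_plan() {
    printf '%s\n' "$CURRENT_LABELS" | while read -r ctx path; do
        cur=$(printf '%s' "$ctx" | cut -d: -f3)
        want=$(expected_type "$path" "$1")
        [ "$cur" = "$want" ] || printf '%s %s -> %s\n' "$path" "$cur" "$want"
    done
}

echo "chcon only, no semanage rule: restorecon would undo the upload dir:"
relabel_plan "$FCONTEXT_BASE"
echo "with the rule recorded, restorecon leaves it writable (no output):"
relabel_plan "$FCONTEXT_RULES"
```

The check to run on a real system after `semanage fcontext -a` is `matchpathcon /var/www/public_html/uploads` followed by `restorecon -nv -R /var/www`: if the dry run still wants to change the upload directory back to httpd_sys_content_t, the regex in the rule does not match the real path (note the thread's public_html versus public_htmls).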