Selinux disallow file uploads

Support for security such as Firewalls and securing linux
agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Selinux disallow file uploads

Post by agriz » 2015/05/02 14:49:01

Is there any way to turn on SELinux and still have file uploads work?
Right now it is disabled and file uploads work fine.

setenforce Permissive
I don't want to disable SELinux.
Please help.

Thanks

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Selinux disallow file uploads

Post by TrevorH » 2015/05/02 16:15:25

If you are permissive now then look in your audit log to see if anything was being denied (but allowed due to permissive). If so then run those alerts through audit2allow to generate a policy to allow them. Use aureport, ausearch, audit2allow.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: Selinux disallow file uploads

Post by agriz » 2015/05/03 08:34:23


type=AVC msg=audit(1430642939.509:7804): avc:  denied  { create } for  pid=xxxxx comm="php-fpm" name="ad9061aa5dd6f1d2a601af09c760d2c0.jpg" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file

type=SYSCALL msg=audit(1430643102.845:7805): arch=c000003e syscall=2 success=yes exit=5 a0=7f6718f1de70 a1=241 a2=1b6 a3=1 items=0 ppid=xxxxx pid=xxxxx auid=xxxxxxxx uid=xx gid=xx euid=xx suid=xx fsuid=xx egid=xx sgid=xx fsgid=xx tty=(none) ses=xcxcxcxc comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
These are the last two messages. Is it safe to share them in a public forum?
I have hidden some of the ID numbers here.

Does it block php-fpm's actions?

TrevorH
Site Admin
Posts: 33218
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Selinux disallow file uploads

Post by TrevorH » 2015/05/03 10:45:56

That top AVC shows that you have tried to write to a directory that is not labelled with the correct context or that the place you try to write to is not correct. The target of the write is labelled system_u:object_r:httpd_sys_content_t:s0 and the process that is trying to write to it has a context of scontext=system_u:system_r:httpd_t:s0 and httpd_t is not allowed to write to httpd_sys_content_t (nor should it be allowed to).

Your upload directory is probably in the wrong location or it has the wrong context. Where is it trying to write to and what is the output from ls -laZ /path/to/upload/directory (obviously change that path!).

There's no sensitive information in the AVC output and all of it can safely be posted.
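The two replies above describe one procedure: pull the denials out of the audit log, then decide whether each one is a policy gap (feed it to audit2allow) or a labelling mistake (fix the label, never allow httpd_t to write httpd_sys_content_t). The script below is an added example written for this page; it is not code from the thread or from the audit tools. On a real host the input comes from `ausearch -m avc -ts recent`; here the AVC records are constructed, modelled on the one agriz posted (the pid, the second and third records, and the mysqld port denial are invented for illustration). `avc_to_rules` reproduces the `allow src tgt:class { perms };` form that audit2allow prints, and `triage_denials` applies the check the thread arrives at: a write-type denial from httpd_t against httpd_sys_content_t means the directory needs relabelling, not a custom policy module.

```shell
#!/bin/sh
# Added example: summarise AVC denials the way audit2allow would, then
# flag the ones that point at a mislabelled directory rather than a
# missing rule.  Input normally comes from:
#   ausearch -m avc -ts recent | ./this_script
# The sample below is constructed for the example (pids/names invented).

SAMPLE_AVC='type=AVC msg=audit(1430642939.509:7804): avc:  denied  { create } for  pid=12345 comm="php-fpm" name="ad9061aa5dd6f1d2a601af09c760d2c0.jpg" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1430642940.100:7806): avc:  denied  { write } for  pid=12345 comm="php-fpm" name="uploads" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1430642941.200:7807): avc:  denied  { name_connect } for  pid=12345 comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# avc_to_rules: read raw audit lines on stdin and print one line per AVC
# denial in the form audit2allow emits:  allow <src> <tgt>:<class> { perms };
# The sed pulls the permission set, the type field (third colon-separated
# part) of scontext and tcontext, and the object class.
avc_to_rules() {
    grep 'type=AVC' | grep 'denied' | sed -n \
        -e 's/.*denied *{ \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/allow \2 \3:\4 { \1 };/p'
}

# triage_denials: classify each rule before anyone pastes it into a policy
# module.  httpd_t writing to httpd_sys_content_t is read-only web content
# being written; the fix is to label the upload directory
# httpd_sys_rw_content_t, not to allow the write.  Port connects from
# httpd_t are usually covered by a boolean (heuristic; check getsebool).
triage_denials() {
    avc_to_rules | while IFS= read -r rule; do
        case "$rule" in
            "allow httpd_t httpd_sys_content_t:"*)
                echo "relabel: $rule  # relabel the directory httpd_sys_rw_content_t instead of allowing this" ;;
            "allow httpd_t "*":tcp_socket"*)
                echo "boolean: $rule  # look for a boolean first: getsebool -a | grep httpd" ;;
            *)
                echo "audit2allow: $rule" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_AVC" | triage_denials
```

Only the lines that come out tagged `audit2allow:` belong in `audit2allow -M <module>`; the `relabel:` ones are the case in this thread, and allowing them would let the web server modify its own served content.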

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: Selinux disallow file uploads

Post by agriz » 2015/05/03 11:21:41

drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. mahesh mahesh unconfined_u:object_r:httpd_sys_content_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 2.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
...
...

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: Selinux disallow file uploads

Post by agriz » 2015/05/03 11:36:45

I store files at /var/www/public_html/uploads
I use CodeIgniter

index.php is placed in public_html

system and application are placed in /var/www

I was getting a forbidden error.

So I executed this:
chcon -Rt httpd_sys_content_t /path/to/www
chcon -Rt httpd_sys_content_t /path/to/www/public_htmls/

Please advise.

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: Selinux disallow file uploads

Post by agriz » 2015/05/03 17:29:17

TrevorH wrote:That top AVC shows that you have tried to write to a directory that is not labelled with the correct context or that the place you try to write to is not correct. The target of the write is labelled system_u:object_r:httpd_sys_content_t:s0 and the process that is trying to write to it has a context of scontext=system_u:system_r:httpd_t:s0 and httpd_t is not allowed to write to httpd_sys_content_t (nor should it be allowed to).

Your upload directory is probably in the wrong location or it has the wrong context. Where is it trying to write to and what is the output from ls -laZ /path/to/upload/directory (obviously change that path!).

There's no sensitive information in the AVC output and all of it can safely be posted.
How do I find/choose the right path to upload to?
Please advise.

Thanks

agriz
Posts: 267
Joined: 2011/11/19 15:17:40

Re: Selinux disallow file uploads

Post by agriz » 2015/05/04 14:36:12

Hi

Please advise.

jyoung
Posts: 102
Joined: 2014/09/22 13:40:31
Location: Nashville, TN, USA

Re: Selinux disallow file uploads

Post by jyoung » 2015/05/11 13:21:14

agriz wrote:drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. mahesh mahesh unconfined_u:object_r:httpd_sys_content_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 2.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
...
...
I'm assuming that this was a listing of your public uploads folder, but only after you'd manually changed file contexts. Searching one of my RHEL 7 servers, I see that this is true:


sesearch -A -C -s httpd_t -c file -p write | grep public
DT allow httpd_t public_content_rw_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ httpd_anon_write ]

So, with that information, what if you execute the following?


semanage fcontext -a -t public_content_rw_t "/var/www/html/public_htmls(/.*)?"
semanage boolean --modify --on httpd_anon_write
restorecon -R -v /var/www/  ## To fix any "chcon" work that you've done
-- Jeremy --
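The listing agriz posted shows the upload directory already carrying httpd_sys_rw_content_t, but only because of chcon; the `restorecon -R` in the reply above will put it back to httpd_sys_content_t unless a matching `semanage fcontext` rule exists, which is why the two commands go together. The script below is an added example, not code from the thread or from any poster, showing the persistent version of that fix for the path agriz gave, /var/www/public_html/uploads. It labels the directory httpd_sys_rw_content_t rather than public_content_rw_t: httpd_t can write httpd_sys_rw_content_t with no boolean, whereas public_content_rw_t is the shared anonymous-write label that httpd_anon_write (and the equivalent ftpd and rsync booleans) unlocks. `fcontext_pattern`, the `-a`/`-m` fallback and the dry-run branch are this example's own additions; the semanage, restorecon, matchpathcon and sesearch invocations are standard.

```shell
#!/bin/sh
# Added example: persistently label an upload directory so httpd_t can
# write to it, then verify.  Default path is the one from the thread.
UPLOAD_DIR="${1:-/var/www/public_html/uploads}"

# fcontext_pattern: semanage fcontext takes an anchored regular expression,
# not a path.  Strip trailing slashes, escape regex metacharacters that
# may appear in a path, and append the usual "(/.*)?" to cover the tree.
fcontext_pattern() {
    printf '%s' "$1" | sed -e 's|/*$||' -e 's/[].+?()[{}|^$*]/\\&/g'
    printf '(/.*)?\n'
}

# relabel_uploads: record the rule in the policy store (survives relabels
# and restorecon, unlike chcon), then apply it to what is on disk.
relabel_uploads() {
    pat=$(fcontext_pattern "$1")
    semanage fcontext -a -t httpd_sys_rw_content_t "$pat" 2>/dev/null \
        || semanage fcontext -m -t httpd_sys_rw_content_t "$pat"
    restorecon -R -v "$1"
}

# verify_uploads: what the policy says the label should be, what is on
# disk, and whether policy actually lets httpd_t create files there.
verify_uploads() {
    matchpathcon "$1"
    ls -dZ "$1"
    sesearch -A -s httpd_t -t httpd_sys_rw_content_t -c file -p create
}

# Only touch the policy store as root on an SELinux host; otherwise show
# what would be done so the script is safe to run anywhere.
if [ "$(id -u)" -eq 0 ] && command -v semanage >/dev/null 2>&1; then
    relabel_uploads "$UPLOAD_DIR"
    verify_uploads "$UPLOAD_DIR"
else
    echo "dry run: semanage fcontext -a -t httpd_sys_rw_content_t \"$(fcontext_pattern "$UPLOAD_DIR")\""
    echo "dry run: restorecon -R -v $UPLOAD_DIR"
fi
```

After this, `ls -laZ` of the upload directory should show httpd_sys_rw_content_t on the directory and on new uploads, and `semanage fcontext -l | grep uploads` should list the rule so a future `restorecon` or full relabel keeps it.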
