Selinux disallow file uploads
Is there any way to turn on SELinux and upload files?
Right now it is disabled and the file uploads work fine.
setenforce Permissive
I don't want to disable SELinux.
Please help
Thanks
Re: Selinux disallow file uploads
If you are permissive now then look in your audit log to see if anything was being denied (but allowed due to permissive). If so then run those alerts through audit2allow to generate a policy to allow them. Use aureport, ausearch, audit2allow.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Selinux disallow file uploads
type=AVC msg=audit(1430642939.509:7804): avc: denied { create } for pid=xxxxx comm="php-fpm" name="ad9061aa5dd6f1d2a601af09c760d2c0.jpg" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1430643102.845:7805): arch=c000003e syscall=2 success=yes exit=5 a0=7f6718f1de70 a1=241 a2=1b6 a3=1 items=0 ppid=xxxxx pid=xxxxx auid=xxxxxxxx uid=xx gid=xx euid=xx suid=xx fsuid=xx egid=xx sgid=xx fsgid=xx tty=(none) ses=xcxcxcxc comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
I have hidden some of the id numbers here.
Does it block php-fpm's actions?
Re: Selinux disallow file uploads
That top AVC shows that you have tried to write to a directory that is not labelled with the correct context or that the place you try to write to is not correct. The target of the write is labelled system_u:object_r:httpd_sys_content_t:s0 and the process that is trying to write to it has a context of scontext=system_u:system_r:httpd_t:s0 and httpd_t is not allowed to write to httpd_sys_content_t (nor should it be allowed to).
Your upload directory is probably in the wrong location or it has the wrong context. Where is it trying to write to and what is the output from ls -laZ /path/to/upload/directory (obviously change that path!).
There's no sensitive information in the AVC output and all of it can safely be posted.
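To make TrevorH's reading of the AVC line mechanical, here is an added example (not from the thread or any CentOS tool) that parses an audit.log denial and classifies it: a write by httpd_t to a type that httpd_t can never write (such as httpd_sys_content_t) is a labelling problem to fix with restorecon/semanage, not something to feed to audit2allow. The sample line is the one posted in this thread; the writable-type table assumes the stock targeted policy with no local modules.

```python
import re

# Constructed sample input: the denial posted in this thread, ids masked as posted.
SAMPLE_AVC = (
    'type=AVC msg=audit(1430642939.509:7804): avc: denied { create } for pid=xxxxx '
    'comm="php-fpm" name="ad9061aa5dd6f1d2a601af09c760d2c0.jpg" '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'
)

# File types httpd_t may write under the stock targeted policy (assumption: no
# local policy modules): one unconditional, one gated by a boolean.
WRITABLE_BY_HTTPD = {
    "httpd_sys_rw_content_t": None,
    "public_content_rw_t": "httpd_anon_write",
}
WRITE_PERMS = {"write", "create", "append", "unlink", "rename", "setattr"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Pull the fields that matter out of one audit.log AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["stype"] = d["scontext"].split(":")[2]   # e.g. httpd_t
    d["ttype"] = d["tcontext"].split(":")[2]   # e.g. httpd_sys_content_t
    return d

def diagnose(line, booleans_on=frozenset()):
    """Classify a denial as 'not_avc', 'unrelated', 'wrong_label',
    'boolean_needed' or 'policy_allows' (label is fine, look elsewhere).
    booleans_on: SELinux booleans currently enabled (caller supplies them)."""
    d = parse_avc(line)
    if d is None:
        return "not_avc"
    if d["stype"] != "httpd_t" or d["tclass"] != "file" or not WRITE_PERMS & set(d["perms"]):
        return "unrelated"
    if d["ttype"] not in WRITABLE_BY_HTTPD:
        return "wrong_label"      # relabel the upload dir; do not audit2allow this
    needed = WRITABLE_BY_HTTPD[d["ttype"]]
    if needed and needed not in booleans_on:
        return "boolean_needed"   # e.g. setsebool -P httpd_anon_write on
    return "policy_allows"
```

Feed it the output of ausearch -m avc and pass the result of getsebool for the booleans you actually have on; a "wrong_label" verdict means the fix is the directory's context, exactly as described above.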
Re: Selinux disallow file uploads
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. mahesh mahesh unconfined_u:object_r:httpd_sys_content_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 2.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
...
...
Re: Selinux disallow file uploads
I store files at /var/www/public_html/uploads.
I use CodeIgniter.
index.php is placed in public_html; system and application are placed in /var/www.
I was getting a forbidden error, so I executed this:
chcon -Rt httpd_sys_content_t /path/to/www
chcon -Rt httpd_sys_content_t /path/to/www/public_htmls/
Please advise.
Re: Selinux disallow file uploads
TrevorH wrote:That top AVC shows that you have tried to write to a directory that is not labelled with the correct context or that the place you try to write to is not correct. The target of the write is labelled system_u:object_r:httpd_sys_content_t:s0 and the process that is trying to write to it has a context of scontext=system_u:system_r:httpd_t:s0 and httpd_t is not allowed to write to httpd_sys_content_t (nor should it be allowed to).
Your upload directory is probably in the wrong location or it has the wrong context. Where is it trying to write to and what is the output from ls -laZ /path/to/upload/directory (obviously change that path!).
There's no sensitive information in the AVC output and all of it can safely be posted.
How do I find/choose the right path to upload?
Please advise.
Thanks
Re: Selinux disallow file uploads
Hi
Please advise..
Re: Selinux disallow file uploads
agriz wrote:drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 .
drwxr-xr-x. mahesh mahesh unconfined_u:object_r:httpd_sys_content_t:s0 ..
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 2.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
-rw-r--r--. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 *.jpg
...
...
I'm assuming that this was a listing of your public uploads folder, but only after you'd manually changed file contexts. Searching one of my RHEL 7 servers, I see that this is true:
sesearch -A -C -s httpd_t -c file -p write | grep public
DT allow httpd_t public_content_rw_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; [ httpd_anon_write ]
So, with that information, what if you execute the following?
semanage fcontext -a -t public_content_rw_t "/var/www/html/public_htmls(/.*)?"
semanage boolean --modify --on httpd_anon_write
restorecon -R -v /var/www/ ## To fix any "chcon" work that you've done
-- Jeremy --