making a user create files as "user_u:system_r:httpd_t"

Stephen Smalley sds at tycho.nsa.gov
Thu Feb 1 12:25:51 UTC 2007


On Thu, 2007-02-01 at 07:41 +0000, Paul Howarth wrote:
> On Thu, 2007-02-01 at 01:57 +0000, Hugo Martin Campos V. wrote:
> > Hello list,
> > 
> > I am analyzing a HTTPd server working with SELinux in permissive mode
> > before I enforce it. The problem I've seen so far begins when
> > the .html .php files get uploaded by the person in charge and they are
> > labeled as "system_u:object_r:default_t" and the label needs to be
> > "user_u:system_r:httpd_t"
> > 
> > The resulting error:
> > avc:  denied  { getattr } for  pid=8244 comm="httpd" name="/" dev=hda5
> > ino=2 scontext=user_u:system_r:httpd_t
> > tcontext=system_u:object_r:default_t tclass=dir
> > 
> > I added that folder to be labeled as "user_u:system_r:httpd_t" in
> > "/etc/selinux/targeted/src/policy/file_contexts/file_contexts" to
> > relabel it with "fixfiles restore" (and it works) but it's not
> > practical to relabel everything everytime that user uploads a webpage.
> > 
> > What should I do?? My knowledge goes as far as labeling, do I need to
> > set roles? or should I follow audit2allow advice for now. It would
> > just be cool to autolabel every file uploaded by that user as
> > "user_u:system_r:httpd_t"
> 
> How is the person uploading the files and where in the directory
> hierarchy are they uploading them to?

Note btw that user_u:system_r:httpd_t is a process context, not a
context for files.  You likely want user_u:object_r:httpd_sys_content_t
instead.

By default, files should inherit their type from the parent directory,
so if you were copying files to /var/www/html, it should pick up the
right context automatically.  But if you upload to a different directory
and then move the files into place, the file will inherit the context of
the directory in which it was originally created and mv will seek to
preserve the context.

-- 
Stephen Smalley
National Security Agency




More information about the fedora-selinux-list mailing list