Apache Httpd, PHP, Smarty and SELinux

Ingemar Nilsson init at kth.se
Wed Jul 30 14:10:26 UTC 2008


Hi.

Yesterday I set up a small PHP web service on one of our CentOS 5 
servers. It uses Smarty for templating, with the dynamically compiled 
templates being stored in a directory with SELinux context 
root:object_r:httpd_sys_content_t. The system runs with SELinux in 
enforcing mode, with httpd using the context root:system_u:httpd_t.

For the fun of it, I looked through the SELinux policy allow rules, but 
I couldn't find a rule that says that processes in the httpd_t domain 
can write to files labeled httpd_sys_content_t, but it does anyway.

I got the (supposedly) complete list of active policy rules using the 
command

sesearch -a

Running the command

sesearch -a | grep 'httpd_t ' | grep httpd_sys_content_t

produces the following list:

    allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock };
    allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search };
    allow httpd_t httpd_sys_content_t : lnk_file { ioctl read getattr lock };
    allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock };
    allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search };
    allow httpd_t httpd_sys_content_t : lnk_file { read getattr };
    type_transition httpd_t httpd_sys_content_t : process httpd_sys_script_t;

I don't see any rule that allows httpd_t processes to write to 
httpd_sys_content_t directories. What is going on?

Regards
Ingemar
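A small check, added here and not part of Ingemar's message or of the setools project, that parses a sesearch-style rule dump and answers the "is write granted?" question mechanically instead of by eyeballing grep output. The rule text is a constructed sample copied from the lines quoted above; the function names (perms_for, has_perm, write_classes) are my own. One caveat the grep in the message does not cover: sesearch prints a rule granted through a type attribute with the attribute name in place of the type, so filtering on the literal type name alone can miss the rule that actually grants write.

```shell
#!/bin/sh
# Added example, not from the original message: query a sesearch-style rule
# dump for a specific permission instead of reading it by eye.

# Constructed sample: the allow rules quoted in the message, one per line.
# On a live host, replace this with the captured output of `sesearch -a`.
POLICY_RULES='
allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock };
allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search };
allow httpd_t httpd_sys_content_t : lnk_file { ioctl read getattr lock };
allow httpd_t httpd_sys_content_t : file { ioctl read getattr lock };
allow httpd_t httpd_sys_content_t : dir { ioctl read getattr lock search };
allow httpd_t httpd_sys_content_t : lnk_file { read getattr };
type_transition httpd_t httpd_sys_content_t : process httpd_sys_script_t;
'

# perms_for RULES SOURCE TARGET CLASS
# Prints the union of permissions from every matching allow rule, one per
# line, sorted and de-duplicated. Handles both the braced form
# "{ read write };" and the single-permission form "write ;".
perms_for() {
    printf '%s\n' "$1" | awk -v src="$2" -v tgt="$3" -v cls="$4" '
        $1 == "allow" && $2 == src && $3 == tgt && $5 == cls {
            if ($6 == "{") {
                for (i = 7; i <= NF && $i != "}" && $i != "};"; i++) print $i
            } else {
                p = $6; sub(/;$/, "", p); if (p != "") print p
            }
        }' | sort -u
}

# has_perm RULES SOURCE TARGET CLASS PERM
# Exit status 0 if some allow rule grants PERM, 1 otherwise.
has_perm() {
    perms_for "$1" "$2" "$3" "$4" | grep -qx -- "$5"
}

# write_classes RULES SOURCE TARGET
# Lists the object classes on which SOURCE holds "write" for TARGET, so the
# writable surface of a target type is visible at a glance.
write_classes() {
    printf '%s\n' "$1" | awk -v src="$2" -v tgt="$3" '
        $1 == "allow" && $2 == src && $3 == tgt && / write / { print $5 }' | sort -u
}

# Usage: the question asked in the message, answered from the sample rules.
if has_perm "$POLICY_RULES" httpd_t httpd_sys_content_t dir write; then
    echo "httpd_t may write to httpd_sys_content_t directories"
else
    echo "no direct allow rule grants httpd_t write on httpd_sys_content_t dirs"
fi
```

On a live system, feed the functions `sesearch -a` output captured into a variable; if `has_perm` still reports no write while the daemon demonstrably writes, the next places to look are rules whose source or target is a type attribute rather than the bare type name, and the domain the request actually runs in.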