In my php website i cant upload files...


Postby Hans Kok on Tue Feb 20, 2007 4:01 pm

I had a script in php which worked perfectly for uploading files (images).

Now having engarde, it won't work. Any suggestions?

I think it is something with the temporary file which php would like to make.

When I use $_FILES['image']['error'] it says '6'.

Found on the internet:
Error Messages Explained
Since PHP 4.2.0, PHP returns an appropriate error code along with the file array. The error code can be found in the error segment of the file array that is created during the file upload by PHP. In other words, the error might be found in $_FILES['userfile']['error'].


UPLOAD_ERR_OK
Value: 0; There is no error, the file uploaded with success.

UPLOAD_ERR_INI_SIZE
Value: 1; The uploaded file exceeds the upload_max_filesize directive in php.ini.

UPLOAD_ERR_FORM_SIZE
Value: 2; The uploaded file exceeds the MAX_FILE_SIZE directive that was specified in the HTML form.

UPLOAD_ERR_PARTIAL
Value: 3; The uploaded file was only partially uploaded.

UPLOAD_ERR_NO_FILE
Value: 4; No file was uploaded.

UPLOAD_ERR_NO_TMP_DIR
Value: 6; Missing a temporary folder. Introduced in PHP 4.3.10 and PHP 5.0.3.

UPLOAD_ERR_CANT_WRITE
Value: 7; Failed to write file to disk. Introduced in PHP 5.1.0.

UPLOAD_ERR_EXTENSION
Value: 8; File upload stopped by extension. Introduced in PHP 5.2.0.


Note: These became PHP constants in PHP 4.3.0.
Hans Kok
 
Posts: 12
Joined: Tue Feb 13, 2007 2:02 pm

Re: In my php website i cant upload files...

Postby ryan on Wed Feb 21, 2007 10:16 am

Hans Kok wrote: I had a script in php which worked perfectly for uploading files (images).

Now having engarde, it won't work. Any suggestions?

Have you tried your script with SELinux in Permissive mode? If it works in Permissive mode, then enable SELinux and send us audit logs so we can see why it's being blocked.

-r
ryan
Site Admin
 
Posts: 246
Joined: Wed Jun 14, 2006 9:15 am
Location: Allendale, NJ

RE: In my php website i cant upload files...

Postby Hans Kok on Wed Feb 21, 2007 1:58 pm

In permissive mode it still does not work. As before it tries to write a temp file in the 'tmp_up' (changed it in php.ini, because in standard temp folder 'tmp' it also does not work). Made /tmp_up folder with chmod 777.

Is the http daemon running in chroot jail?

Below is audit log:

Feb 21 18:52:55 server02 kernel: audit(1172080375.342:223): enforcing=1 old_enforcing=0 auid=4294967295
Feb 21 18:52:55 server02 kernel: audit(1172080375.342:222): avc: granted { setenforce } for pid=11227 comm="setenforce" scontext=system_u:system_r:webtool_t tcontext=system_u:object_r:security_t tclass=security
Feb 21 18:52:46 server02 kernel: audit(1172080366.809:221): avc: denied { unlink } for pid=9060 comm="httpd" name="phpckEDuP" dev=hda2 ino=49180 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:root_t tclass=file
Feb 21 18:52:46 server02 kernel: audit(1172080366.809:220): avc: denied { remove_name } for pid=9060 comm="httpd" name="phpckEDuP" dev=hda2 ino=49180 scontext=system_u:system_r:httpd_t tcontext=root:object_r:root_t tclass=dir
Feb 21 18:52:46 server02 kernel: audit(1172080366.769:219): avc: denied { write } for pid=9060 comm="httpd" name="phpckEDuP" dev=hda2 ino=49180 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:root_t tclass=file
Feb 21 18:52:46 server02 kernel: audit(1172080366.769:218): avc: denied { create } for pid=9060 comm="httpd" name="phpckEDuP" scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:root_t tclass=file
Feb 21 18:52:46 server02 kernel: audit(1172080366.769:217): avc: denied { add_name } for pid=9060 comm="httpd" name="phpckEDuP" scontext=system_u:system_r:httpd_t tcontext=root:object_r:root_t tclass=dir
Feb 21 18:52:46 server02 kernel: audit(1172080366.769:216): avc: denied { write } for pid=9060 comm="httpd" name="tmp_up" dev=hda2 ino=49179 scontext=system_u:system_r:httpd_t tcontext=root:object_r:root_t tclass=dir
Feb 21 18:52:25 server02 kernel: audit(1172080345.610:215): enforcing=0 old_enforcing=1 auid=4294967295
Feb 21 18:52:25 server02 kernel: audit(1172080345.610:214): avc: granted { setenforce } for pid=11204 comm="setenforce" scontext=system_u:system_r:webtool_t tcontext=system_u:object_r:security_t tclass=security
Hans Kok
 
Posts: 12
Joined: Tue Feb 13, 2007 2:02 pm

Re: RE: In my php website i cant upload files...

Postby ryan on Wed Feb 21, 2007 2:23 pm

Hans Kok wrote: In permissive mode it still does not work. As before it tries to write a temp file in the 'tmp_up' (changed it in php.ini, because in standard temp folder 'tmp' it also does not work). Made /tmp_up folder with chmod 777.

In the example below you had SELinux in Enforcing mode, put it into Permissive mode, did your test, then re-enabled Enforcing mode. Please do your test with SELinux in Permissive mode (IOW, the exact opposite of what you just did).

Also, that php.ini change was bad. Leave it set to /tmp if you want any hope of this ever working with SELinux enabled.

-r
ryan
Site Admin
 
Posts: 246
Joined: Wed Jun 14, 2006 9:15 am
Location: Allendale, NJ

RE: In my php website i cant upload files...

Postby Hans Kok on Wed Feb 21, 2007 2:41 pm

PHP.ini set to default (upload_tmp_dir = ), so it should take systems default tmp dir.

In permissive mode still nothing happens:

Feb 21 19:38:08 server02 kernel: audit(1172083088.176:288): avc: denied { unlink } for pid=12006 comm="httpd" name="2.jpg" dev=hda3 ino=240032 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_content_t tclass=file
Feb 21 19:37:53 server02 kernel: audit(1172083073.794:287): avc: denied { rename } for pid=12084 comm="httpd" name="1.jpg" dev=hda3 ino=240032 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_content_t tclass=file
Feb 21 19:37:53 server02 kernel: audit(1172083073.794:286): avc: denied { unlink } for pid=12084 comm="httpd" name="phpWcEiCh" dev=hda2 ino=133925 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=file
Feb 21 19:37:53 server02 kernel: audit(1172083073.794:285): avc: denied { remove_name } for pid=12084 comm="httpd" name="phpWcEiCh" dev=hda2 ino=133925 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=dir
Feb 21 19:37:53 server02 kernel: audit(1172083073.794:284): avc: denied { write } for pid=12084 comm="httpd" name="1.jpg" dev=hda3 ino=240032 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_content_t tclass=file
Feb 21 19:37:53 server02 kernel: audit(1172083073.794:283): avc: denied { create } for pid=12084 comm="httpd" name="1.jpg" scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_content_t tclass=file
Feb 21 19:37:53 server02 kernel: audit(1172083073.790:282): avc: denied { add_name } for pid=12084 comm="httpd" name="1.jpg" scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:httpd_content_t tclass=dir
Feb 21 19:37:53 server02 kernel: audit(1172083073.790:281): avc: denied { read } for pid=12084 comm="httpd" name="phpWcEiCh" dev=hda2 ino=133925 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=file
Feb 21 19:37:53 server02 kernel: audit(1172083073.790:280): avc: denied { getattr } for pid=12084 comm="httpd" name="tmp" dev=hda2 ino=130817 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=dir
Feb 21 19:37:53 server02 kernel: audit(1172083073.790:279): avc: denied { getattr } for pid=12084 comm="httpd" name="phpWcEiCh" dev=hda2 ino=133925 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=file
Feb 21 19:37:53 server02 kernel: audit(1172083073.786:278): avc: denied { unlink } for pid=12084 comm="httpd" name="1.jpg" dev=hda3 ino=240032 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:httpd_content_t tclass=file
Feb 21 19:37:53 server02 kernel: audit(1172083073.786:277): avc: denied { remove_name } for pid=12084 comm="httpd" name="1.jpg" dev=hda3 ino=240032 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:httpd_content_t tclass=dir
Feb 21 19:37:53 server02 kernel: audit(1172083073.786:276): avc: denied { write } for pid=12084 comm="httpd" name="temp" dev=hda3 ino=240525 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:httpd_content_t tclass=dir
Feb 21 19:37:53 server02 kernel: audit(1172083073.754:275): avc: denied { write } for pid=12084 comm="httpd" name="phpWcEiCh" dev=hda2 ino=133925 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=file
Feb 21 19:37:53 server02 kernel: audit(1172083073.734:274): avc: denied { create } for pid=12084 comm="httpd" name="phpWcEiCh" scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=file
Feb 21 19:37:53 server02 kernel: audit(1172083073.734:273): avc: denied { add_name } for pid=12084 comm="httpd" name="phpWcEiCh" scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=dir
Feb 21 19:37:53 server02 kernel: audit(1172083073.734:272): avc: denied { write } for pid=12084 comm="httpd" name="tmp" dev=hda2 ino=130817 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=dir
Feb 21 19:37:53 server02 kernel: audit(1172083073.722:271): avc: denied { search } for pid=12084 comm="httpd" name="tmp" dev=hda2 ino=130817 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=dir
Feb 21 19:37:34 server02 kernel: audit(1172083054.632:270): enforcing=0 old_enforcing=1 auid=4294967295
Feb 21 19:37:34 server02 kernel: audit(1172083054.632:269): avc: granted { setenforce } for pid=12100 comm="setenforce" scontext=system_u:system_r:webtool_t tcontext=system_u:object_r:security_t tclass=security
Hans Kok
 
Posts: 12
Joined: Tue Feb 13, 2007 2:02 pm

RE: In my php website i cant upload files...

Postby Hans Kok on Wed Feb 21, 2007 2:45 pm

Tried also a rename in folder images (with chmod 777).

PHP logging:
[21-Feb-2007 19:33:43] PHP Warning: rename(product/images/temp/1.jpg,product/images/org/2.jpg) [<a href='function.rename'>function.rename</a>]: Permission denied in /home/httpd/XXXXXXXXXXXX/html/product/action.php on line 42

It can read, but not write......

Tried the audit monitor here's the logging:
Last Updated: 23:13:00
allow httpd_t httpd_content_t:dir { add_name remove_name write };
allow httpd_t httpd_content_t:file { create rename unlink write };
allow httpd_t tmp_t:dir { add_name getattr remove_name search write };
allow httpd_t tmp_t:file { create getattr read unlink write };
Hans Kok
 
Posts: 12
Joined: Tue Feb 13, 2007 2:02 pm
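
How the four allow lines in the post above follow from the AVC denials in the earlier log, as an added example that is not part of the original thread: it orders records by audit serial, tracks the enforcing= switches, and merges the denied permissions per source type, target type and class. SAMPLE_LOG is an excerpt of the lines posted above; the function names are this example's own.

```python
import re
from collections import defaultdict

# Excerpt of the kernel audit lines posted earlier in the thread (pasted newest first).
SAMPLE_LOG = """\
Feb 21 19:37:53 server02 kernel: audit(1172083073.794:287): avc: denied { rename } for pid=12084 comm="httpd" name="1.jpg" dev=hda3 ino=240032 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_content_t tclass=file
Feb 21 19:37:53 server02 kernel: audit(1172083073.790:282): avc: denied { add_name } for pid=12084 comm="httpd" name="1.jpg" scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:httpd_content_t tclass=dir
Feb 21 19:37:53 server02 kernel: audit(1172083073.790:281): avc: denied { read } for pid=12084 comm="httpd" name="phpWcEiCh" dev=hda2 ino=133925 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=file
Feb 21 19:37:53 server02 kernel: audit(1172083073.734:274): avc: denied { create } for pid=12084 comm="httpd" name="phpWcEiCh" scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=file
Feb 21 19:37:53 server02 kernel: audit(1172083073.734:272): avc: denied { write } for pid=12084 comm="httpd" name="tmp" dev=hda2 ino=130817 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=dir
Feb 21 19:37:53 server02 kernel: audit(1172083073.722:271): avc: denied { search } for pid=12084 comm="httpd" name="tmp" dev=hda2 ino=130817 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=dir
Feb 21 19:37:34 server02 kernel: audit(1172083054.632:270): enforcing=0 old_enforcing=1 auid=4294967295
Feb 21 19:37:34 server02 kernel: audit(1172083054.632:269): avc: granted { setenforce } for pid=12100 comm="setenforce" scontext=system_u:system_r:webtool_t tcontext=system_u:object_r:security_t tclass=security
"""

AVC = re.compile(
    r"audit\(\d+\.\d+:(?P<serial>\d+)\): avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{(?P<perms>[^}]*)\}.*?scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)")
MODE = re.compile(r"audit\(\d+\.\d+:(?P<serial>\d+)\): enforcing=(?P<mode>[01])")

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize(log_text):
    """Return (allow_rules, number_of_denials_logged_while_permissive)."""
    events = []
    for line in log_text.splitlines():
        m = AVC.search(line) or MODE.search(line)
        if m:
            events.append((int(m.group("serial")), m))
    events.sort(key=lambda e: e[0])  # serials increase with time; the paste is newest first
    perms = defaultdict(set)
    enforcing, permissive_denials = None, 0  # None: mode unknown until an enforcing= record
    for _, m in events:
        g = m.groupdict()
        if "mode" in g:
            enforcing = g["mode"] == "1"
        elif g["verdict"] == "denied":
            perms[(type_of(g["s"]), type_of(g["t"]), g["cls"])].update(g["perms"].split())
            permissive_denials += enforcing is False  # logged only, access was not blocked
    rules = [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
             for (s, t, c), p in sorted(perms.items())]
    return rules, permissive_denials
```

Run over the complete log from the earlier post instead of this excerpt, the merged permission sets are the same four lines the audit monitor printed. The rules list what the policy denied to httpd_t; the second return value shows how many of those denials were recorded after the switch to permissive mode.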

RE: In my php website i cant upload files...

Postby Hans Kok on Sat Feb 24, 2007 10:19 am

Does anyone use engarde and have file uploads in their website?

Installed a new machine but I have the same result.

The user under which apache+php is running does not have write permission in the system temp folder (/tmp). How can I change this? It is really bugging me.
Hans Kok
 
Posts: 12
Joined: Tue Feb 13, 2007 2:02 pm

RE: In my php website i cant upload files...

Postby Hans Kok on Sat Feb 24, 2007 7:30 pm

It looks more and more (from other forums on the internet) like a problem with the policy of selinux.

Does someone know if an older version of engarde supports uploading in a php site?
Hans Kok
 
Posts: 12
Joined: Tue Feb 13, 2007 2:02 pm

RE: In my php website i cant upload files...

Postby Hans Kok on Mon Feb 26, 2007 2:29 pm

I succeeded to upload a file (image).... :lol:

Had to insert in httpd.conf:
<Directory "/tmp">
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>

And set engarde in Permissive mode ! Logging:
Feb 26 19:18:49 server01 kernel: audit(1172513929.539:153): avc: denied { unlink } for pid=2177 comm="httpd" name="1.jpg" dev=hda3 ino=249411 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_content_t tclass=file
Feb 26 19:18:49 server01 kernel: audit(1172513929.539:152): avc: denied { rename } for pid=2177 comm="httpd" name="1.jpg" dev=hda3 ino=249382 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_content_t tclass=file
Feb 26 19:18:49 server01 kernel: audit(1172513929.539:151): avc: denied { remove_name } for pid=2177 comm="httpd" name="1.jpg" dev=hda3 ino=249382 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:httpd_content_t tclass=dir
Feb 26 19:18:49 server01 kernel: audit(1172513929.539:150): avc: denied { write } for pid=2177 comm="httpd" name="1.jpg" dev=hda3 ino=249382 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_content_t tclass=file
Feb 26 19:18:49 server01 kernel: audit(1172513929.487:149): avc: denied { create } for pid=2177 comm="httpd" name="1.jpg" scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_content_t tclass=file
Feb 26 19:18:49 server01 kernel: audit(1172513929.487:148): avc: denied { add_name } for pid=2177 comm="httpd" name="1.jpg" scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:httpd_content_t tclass=dir
Feb 26 19:18:49 server01 kernel: audit(1172513929.487:147): avc: denied { write } for pid=2177 comm="httpd" name="temp" dev=hda3 ino=249795 scontext=system_u:system_r:httpd_t tcontext=user_u:object_r:httpd_content_t tclass=dir
Feb 26 19:18:49 server01 kernel: audit(1172513929.487:146): avc: denied { read } for pid=2177 comm="httpd" name="phpayI8rq" dev=hda2 ino=124711 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=file
Feb 26 19:18:49 server01 kernel: audit(1172513929.483:145): avc: denied { getattr } for pid=2177 comm="httpd" name="tmp" dev=hda2 ino=124674 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=dir
Feb 26 19:18:49 server01 kernel: audit(1172513929.447:144): avc: denied { write } for pid=2177 comm="httpd" name="phpayI8rq" dev=hda2 ino=124711 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=file
Feb 26 19:18:46 server01 kernel: audit(1172513926.126:143): avc: denied { unlink } for pid=2177 comm="httpd" name="phpXkRSRe" dev=hda2 ino=124711 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=file
Feb 26 19:18:46 server01 kernel: audit(1172513926.126:142): avc: denied { remove_name } for pid=2177 comm="httpd" name="phpXkRSRe" dev=hda2 ino=124711 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=dir
Feb 26 19:18:46 server01 kernel: audit(1172513926.122:141): avc: denied { getattr } for pid=2177 comm="httpd" name="phpXkRSRe" dev=hda2 ino=124711 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=file
Feb 26 19:18:46 server01 kernel: audit(1172513926.122:140): avc: denied { create } for pid=2177 comm="httpd" name="phpXkRSRe" scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=file
Feb 26 19:18:46 server01 kernel: audit(1172513926.122:139): avc: denied { add_name } for pid=2177 comm="httpd" name="phpXkRSRe" scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=dir
Feb 26 19:18:46 server01 kernel: audit(1172513926.122:138): avc: denied { write } for pid=2177 comm="httpd" name="tmp" dev=hda2 ino=124674 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=dir
Feb 26 19:18:46 server01 kernel: audit(1172513926.122:137): avc: denied { search } for pid=2177 comm="httpd" name="tmp" dev=hda2 ino=124674 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:tmp_t tclass=dir
Feb 26 19:18:42 server01 kernel: audit(1172513922.630:136): enforcing=0 old_enforcing=1 auid=4294967295

When I set engarde in Enforcing mode, it will not upload files.
What is the next step to do?
I would like to have engarde in Enforcing mode and upload files.....
Hans Kok
 
Posts: 12
Joined: Tue Feb 13, 2007 2:02 pm

Re: RE: In my php website i cant upload files...

Postby ryan on Mon Feb 26, 2007 3:13 pm

First of all this is just incorrect:

Hans Kok wrote: The user under which apache+php is running does not have write permission in the system temp folder (/tmp). How can I change this? It is really bugging me.

/tmp is writable by everybody, but SELinux may not permit Apache to write to it. If for some reason Apache can't write to /tmp in Permissive mode then you changed the permissions on /tmp to something totally wrong.

Hans Kok wrote: When I set engarde in Enforcing mode, it will not upload files. What is the next step to do? I would like to have engarde in Enforcing mode and upload files.....

The correct thing to do here is to open a bug with a complete problem description and code samples that our engineers can use to reproduce, and fix, the problem.

-r
ryan
Site Admin
 
Posts: 246
Joined: Wed Jun 14, 2006 9:15 am
Location: Allendale, NJ

RE: In my php website i cant upload files...

Postby Hans Kok on Tue Feb 27, 2007 6:58 am

Thanks for your reaction.

Will make a bug report.
Hans Kok
 
Posts: 12
Joined: Tue Feb 13, 2007 2:02 pm

