
[BUG?] Wrong selinux context {WEBSPACEROOT}/tmp/

LinqLOL

Basic Pleskian
Hi,

it seems {WEBSPACEROOT}/tmp/ has the wrong type context for SELinux. On site creation it has unconfined_u:object_r:user_home_t which makes it impossible for php (fcgi) to write session info to. I changed the type context to tmp_t and now it works. But this is a manual job :-(

Greets.
 
Could you please be more specific and describe this problem in more detail? How and where can it be reproduced? Step-by-step instructions would be useful.
 
Sure!

Test Code

<?php
// Minimal reproducer: starting a session forces PHP to create the sess_* file
session_start();
$_SESSION['test'] = "TEST";
session_write_close();
?>


PHP.INI

session.save_path = "/var/www/vhosts/xxxxxx.nl/tmp/"

Symptoms in error_log of site:

[Mon Oct 08 08:58:10 2012] [warn] [client X.X.X.X] mod_fcgid: stderr: PHP Warning: session_start(): open(/var/www/vhosts/tc-webshop.nl/tmp//sess_vl738sb6hp0v43nr61aug07ma6, O_RDWR) failed: Permission denied (13) in /var/www/vhosts/xxxxxxx.nl/httpdocs/wp-content/plugins/woocommerce/woocommerce.php on line 138
[Mon Oct 08 08:58:10 2012] [warn] [client X.X.X.X] mod_fcgid: stderr: PHP Warning: Unknown: open(/var/www/vhosts/xxxxxx.nl/tmp//sess_vl738sb6hp0v43nr61aug07ma6, O_RDWR) failed: Permission denied (13) in Unknown on line 0

Selinux audit

type=AVC msg=audit(1349685910.014:8256): avc: denied { write } for pid=28491 comm="php-cgi" name="tmp" dev=sda3 ino=9832561 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
 
Temp fix

If people are having the same problems: I made a small work-around script until Parallels fixes this.
Add the following script to a crontab and execute it once every 2 minutes or so.

Code:
#! /bin/bash
# Relabel every webspace's tmp directory so php-cgi (httpd_sys_script_t) can write session files to it
DIR="/var/www/vhosts"
cd "$DIR" || exit 1
while read -r admin; do
    tmp="$DIR/$admin/tmp"
    if [[ -d "$tmp" ]]; then
        # tmp directory does exist, change context
        echo "Fixing $tmp directory"
        chcon -t tmp_t "$tmp"
    fi
done < <( ls -d *.* )
 
Well, it seems very hard for Parallels to add it, and in general with SELinux issues we have to find our own solutions :)

Instead of using the script above the following commands will be better:

semanage fcontext -a -t tmp_t "/var/www/vhosts/([^/]*)/tmp"
semanage fcontext -a -t tmp_t "/var/www/vhosts/([^/]*)/var/tmp"
 
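The two parts of this thread, spotting the denial in the audit log and making the label permanent, as an added example that is not part of any post above. It parses AVC lines of the shape posted by LinqLOL (a constructed copy is embedded so it runs offline), flags only the pattern discussed here (httpd_sys_script_t denied write on a dir labelled user_home_t), and emits the semanage rules from the previous post followed by a restorecon, which is the caveat worth knowing: semanage fcontext -a only records the rule, it does not relabel directories that already exist. The vhosts root /var/www/vhosts and the tmp_t type are the thread's choices; the function names are mine.

```shell
#!/bin/bash
# Added example, not code from the thread. Detect the AVC denial discussed
# above and print (or, with APPLY=1, run) the persistent SELinux fix.

# Constructed sample, modelled on the audit entry posted in the thread.
SAMPLE_AVC='type=AVC msg=audit(1349685910.014:8256): avc: denied { write } for pid=28491 comm="php-cgi" name="tmp" dev=sda3 ino=9832561 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir'

# avc_field LINE KEY -> value of KEY=... in the line, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_type CONTEXT -> the type component (third colon-separated field)
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_webspace_tmp_denial LINE -> success when the line matches the pattern
# from this thread: a httpd script domain denied write on a user_home_t dir
is_webspace_tmp_denial() {
    [ "$(avc_type "$(avc_field "$1" scontext)")" = "httpd_sys_script_t" ] &&
    [ "$(avc_type "$(avc_field "$1" tcontext)")" = "user_home_t" ] &&
    [ "$(avc_field "$1" tclass)" = "dir" ]
}

# scan_avc < audit lines -> prints "pid comm name" for each matching denial,
# returns 1 when nothing matched (feed it ausearch -m AVC output)
scan_avc() {
    local line found=1
    while IFS= read -r line; do
        if is_webspace_tmp_denial "$line"; then
            printf '%s %s %s\n' "$(avc_field "$line" pid)" \
                "$(avc_field "$line" comm)" "$(avc_field "$line" name)"
            found=0
        fi
    done
    return $found
}

# run_or_print CMD... -> prints the command, or executes it when APPLY=1
run_or_print() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# webspace_tmp_fix [VHOSTS_ROOT] -> the two fcontext rules suggested in the
# thread plus the relabel step they need to take effect on existing webspaces
webspace_tmp_fix() {
    local root=${1:-/var/www/vhosts}
    run_or_print semanage fcontext -a -t tmp_t "$root/([^/]*)/tmp"
    run_or_print semanage fcontext -a -t tmp_t "$root/([^/]*)/var/tmp"
    run_or_print restorecon -Rv "$root"
}

# Usage on the embedded sample: one matching denial, then the fix commands.
printf '%s\n' "$SAMPLE_AVC" | scan_avc
webspace_tmp_fix /var/www/vhosts
```

On a live server, `ausearch -m AVC -ts today | scan_avc` shows whether the denial is still occurring, and `APPLY=1 ./script.sh` runs the semanage and restorecon commands instead of printing them; until restorecon has run, `ls -Zd /var/www/vhosts/*/tmp` will still show user_home_t on the old webspaces.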
LinqLOL, do you have addon domains or additional ftp users for a webspace with incorrect selinux contexts? Are there any system users that have home directory inside your webspace (grep /etc/passwd for that). Please post all of them with their home directories (if you're hesitant to provide such information - I'm interested only in the directory nestedness properties, so you can change directory names).
 
@nikolay The servers I saw these problem only have 1 main domain and not addon domains. And no system users with home directory in a webroot.
 