
ius-coredev team mailing list archive

[Bug 987816] Re: php53u-eaccelerator selinux avcs on rhel5.x86_64

 

It appears EPEL's package sets the attrs in the %file portion of the
SPEC:

  %files
  %defattr(-,root,root,-)
  %doc AUTHORS ChangeLog COPYING NEWS README*
  %doc eaccelerator.ini *.php
  %config(noreplace) %{_sysconfdir}/php.d/eaccelerator.ini
  %{php_extdir}/eaccelerator.so
  %attr(0750,apache,apache) %{_var}/cache/php-eaccelerator/

It seems the %file portion of our SPEC has this removed:


  %files
  %defattr(-,root,root,-)
  %doc AUTHORS ChangeLog COPYING NEWS README*
  %doc eaccelerator.ini *.php
  %{_sysconfdir}/cron.daily/php-eaccelerator
  %config(noreplace) %{_sysconfdir}/php.d/eaccelerator.ini
  %{php_extdir}/eaccelerator.so
  # We need this hack, as otherwise rpm resets ownership upon package upgrade
  #attr(0750,apache,apache) %%{_var}/cache/php-eaccelerator/
  #attr(0750,root,root) %%verify(not user group) %%{_var}/cache/php-eaccelerator/
  %ghost %{_var}/cache/php-eaccelerator/

-- 
You received this bug notification because you are a member of IUS Core
Development, which is subscribed to IUS Community Project.
https://bugs.launchpad.net/bugs/987816

Title:
  php53u-eaccelerator selinux avcs on rhel5.x86_64

Status in IUS Community Project:
  New

Bug description:
  after doing a bunch of upgrades to php53u-* packages on my
  rhel5.x86_64 systems I'm getting selinux avcs like so:

   1 Time(s): type=1400 audit(1335205832.420:380): avc:  denied  { write
  } for  pid=15889 comm="httpd" name="4" dev=sda3 ino=30310859
  scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_t:s0
  tclass=dir

  I've narrowed these down to the eaccelerator cache directory, and in
  comparing the php53u-eaccelerator rpm to the EPEL php-eaccelerator rpm
  I noted the following differences:

  1) php53u-eaccelerator rpm cache directory
  (/var/cache/php-eaccelerator) is mode 0755 and owned by root:root, the
  php-eaccelerator package from EPEL has that directory mode 0750 and
  owned by apache:apache.

  2) the EPEL php-eaccelerator package has an selinux context of
  user_u:object_r:httpd_cache_t for /var/cache/php-eaccelerator whereas
  php53u-eaccelerator has an selinux context of user_u:object_r:var_t
  (which is what the avcs above are about)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ius/+bug/987816/+subscriptions
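
The denial quoted in the bug description, taken apart field by field, as an added example that is not part of the original message or of the IUS or EPEL packaging: it parses an AVC record and flags write-style denials whose target carries a catch-all type such as var_t, which is the symptom reported here (httpd_t writing to a directory that never received httpd_cache_t). The function names and the GENERIC_TYPES and WRITE_PERMS lists are assumptions made for illustration.

```python
import re

# AVC record from the bug description above, rejoined onto one line.
SAMPLE_AVC = (
    'type=1400 audit(1335205832.420:380): avc:  denied  { write } for  '
    'pid=15889 comm="httpd" name="4" dev=sda3 ino=30310859 '
    'scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_t:s0 '
    'tclass=dir'
)

AVC_RE = re.compile(r'avc: (?P<result>denied|granted) \{(?P<perms>[^}]*)\} for (?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Illustrative list (an assumption, not exhaustive) of catch-all types that a
# path gets when no specific file-context rule matches it.
GENERIC_TYPES = {'var_t', 'usr_t', 'etc_t', 'default_t', 'file_t', 'unlabeled_t'}
WRITE_PERMS = {'write', 'add_name', 'remove_name', 'create', 'unlink'}


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC text."""
    # Collapse whitespace first so mail-wrapped records still parse.
    m = AVC_RE.search(' '.join(line.split()))
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    rec['stype'] = selinux_type(rec.get('scontext', ''))
    rec['ttype'] = selinux_type(rec.get('tcontext', ''))
    return rec


def is_mislabel_candidate(rec):
    """True when a write-style denial targets a generic type such as var_t."""
    return bool(rec and rec['result'] == 'denied'
                and rec['ttype'] in GENERIC_TYPES
                and WRITE_PERMS & set(rec['perms']))


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print(rec['stype'], '->', rec['ttype'], is_mislabel_candidate(rec))
```

A record flagged this way points at the file context of the target path rather than at the policy for the source domain.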

