Download file without disabling selinux

Question

I am developing a site in PHP on Linux Server where I need to download a file from Windows Server to Linux Machine. I can do it with Some Changes in SeLinux or setting some properties on it, i.e.:

% setsebool -P httpd_disable_trans=1

But our client refuses to compromise any security for this functionality. So we need to find any other workarounds. What else can we do?

How do you intend to download the file? What method will you use? — Matthew Ife, Mar 29 '13 at 14:19
Right. You need to know (and tell us) how you are fetching this file. — Michael Hampton, Mar 29 '13 at 16:38
Refuses to compromise any security and runs a PHP application might be mutually exclusive. — gm3dmo, Mar 30 '13 at 09:03
i used code below if (ftp_get($conn_id, $local_file, $remote_file, FTP_BINARY)) { echo "successfully written to $local_file\n"; } else { echo "Not Downloaded"; } — Supriya, Apr 01 '13 at 04:18

score 0 · Answer 1 · answered Mar 29 '13 at 14:36

Maybe they will accept a policy extension for SELinux to allow the web server to do certain kinds of operations against a particular file or directory. To create a custom policy there is a tool called audit2allow which can help you generate the policy you need. There is an example of creating a custom SELinux policy module at:

http://wiki.centos.org/HowTos/SELinux#head-d8db97e538d95b1bc5e54fc5a9ddb0c953e9a969

If you do this make sure the process is well documented because it's the kind of thing that can get broken on a new deployment or on an update and you want to make sure it's not missed during those kinds of activities.

Download file without disabling selinux

1 Answers1