
I have this issue with PHP and SELinux on Red Hat Enterprise Linux (RHEL) for AWS. When I use the $_FILES array to get the file (jpg) from POST, the file gets the SELinux type user_tmp_t instead of httpd_sys_content_t, which is necessary when move_uploaded_file moves the file to the upload directory, which is in the standard /var/www/html/ directory. Because move_uploaded_file never changes the SELinux type on the file, the jpg file becomes forbidden to use. How do I solve this problem?

move_uploaded_file($_FILES['file']['tmp_name'], $uploaddir) is what I am using.

I've tried changing the php.ini sys_upload_dir and upload_tmp_dir but the problem still exists. I've also tried creating a new folder to store tmp files and using sudo semanage fcontext -a -t httpd_sys_content_t "/phptmp(/.*)?" but it still does not work.

semanage fcontext -a -t httpd_sys_content_t '/var/www/html(/.*)?' and restorecon -R -v /var/www/html/ do solve the problem for the existing files, but it doesn't keep working in the future, though, because PHP causes it to be user_tmp_t every time.

I would like to use SELinux but this is very frustrating since I don't know a way to change SELinux properties on PHP really.

I know this is a SELinux problem because if I do setenforce 0 it "solves" the problem.

John61590
  • It seems like you aren't able to write there. Try this additionally for your target folder `chcon -Rht httpd_sys_rw_content_t /var/www/html/` – A. Blub Jul 05 '17 at 10:22
  • @A. Blub No, the file gets to the destination, but I just can't access it since the type is not of httpd. I get "forbidden" error. It is always user_tmp_t because it came from a tmp folder I'm assuming. – John61590 Jul 05 '17 at 10:26
  • Please try it at first. Your folder is not marked for writing, that's only marked for HTTP content – A. Blub Jul 05 '17 at 10:41
  • @A.Blub No, like I said, `unconfined_u:object_r:user_tmp_t:s0 312d40fcc7d708cd489e83.jpg` still when I run my php script – John61590 Jul 05 '17 at 10:50

1 Answer


I ended up "solving it" by changing both php.ini directories to another tmp directory I made on root and using semanage fcontext -a -t httpd_sys_content_t '/phptmp(/.*)?' as well as restorecon -R -v /phptmp/ and making sure to reboot the instance after restorecon or else it will not work. Still unsure about how to do it on the PHP programming side, but I doubt you could do much with it.

John61590
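As an added example (not code from the question or the answer): a small shell audit that reads `ls -Z` style output and reports every file whose SELinux type is not the one the web root is supposed to carry. This is how to spot the user_tmp_t leftovers the thread describes before Apache answers "forbidden" for them. The expected type, the upload directory path and the sample listing are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread: audit SELinux file types in a
# web upload directory. Files that PHP moved out of its upload_tmp_dir keep the
# temp directory's label (user_tmp_t on the poster's system) instead of the
# label the web root expects, so a periodic audit catches them.
# Assumptions: `ls -Z` prints "context filename" per line (modern coreutils);
# /var/www/html/uploads and httpd_sys_content_t are illustrative values.

# Extract the SELinux type (third field) from a full context string:
#   unconfined_u:object_r:user_tmp_t:s0  ->  user_tmp_t
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read "context filename" lines on stdin and print one line per file whose
# type differs from the expected one, as "<filename> <actual_type>".
# `read -r ctx name` keeps everything after the first space as the name, so
# file names containing spaces survive.
find_mislabeled() {
    expected="$1"
    while read -r ctx name; do
        [ -n "$ctx" ] || continue
        t=$(selinux_type_of "$ctx")
        if [ "$t" != "$expected" ]; then
            printf '%s %s\n' "$name" "$t"
        fi
    done
}

# Summarise a listing read from stdin: exit 0 when every file carries the
# expected type, 1 (with the offending files listed) otherwise.
audit_listing() {
    expected="$1"
    bad=$(find_mislabeled "$expected")
    if [ -z "$bad" ]; then
        echo "OK: every file has type $expected"
        return 0
    fi
    echo "Mislabeled files (expected $expected):"
    printf '%s\n' "$bad"
    return 1
}

# Constructed sample, shaped like `ls -Z /var/www/html/uploads` on the poster's
# host: the last file was moved there by move_uploaded_file and still carries
# the label of PHP's temp directory.
SAMPLE_LISTING='unconfined_u:object_r:httpd_sys_content_t:s0 index.php
unconfined_u:object_r:httpd_sys_content_t:s0 logo.png
unconfined_u:object_r:user_tmp_t:s0 312d40fcc7d708cd489e83.jpg'

# On a live SELinux host you would pipe the real listing instead:
#   ls -Z /var/www/html/uploads | audit_listing httpd_sys_content_t
# and, once the semanage fcontext rule from the thread exists, repair the
# findings with: restorecon -R -v /var/www/html/uploads
main() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_listing httpd_sys_content_t
}

# Run the demonstration only when executed directly, not when sourced.
case "$0" in
    *bash|*sh|*dash) ;;
    *) main ;;
esac
```

The audit exits nonzero when it finds a mislabeled file, so it can run from cron or a deploy hook and fail loudly. It only detects; the repair is the fcontext rule plus `restorecon` that the question and the answer already use, applied to whichever directory the files come from so that new uploads are born with the right type rather than relabeled after the fact.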