Thanks for your help Dominick, a few comments below...
On Mon, Oct 3, 2011 at 12:39 PM, Dominick Grift <dominick.grift(a)gmail.com>wrote:
On Mon, 2011-10-03 at 12:29 -0400, Scott Gifford wrote:
> PHP uploads files into a temporary directory, where they are given the
> label "httpd_tmp_t". When a PHP script processes them, it
> calls move_uploaded_file to move the newly uploaded file into its
> final location. This function does some validity checks, then does a
> rename(2) from the temporary location to the location passwd to
> move_uploaded_file.
Your web app would need to copy the file instead.
Certainly that is possible. It is not the normal idiom for PHP uploaded
files though, and bypasses the checks that the system libraries provide when
using move_uploaded_file.
Or why not make your app create the file in the final destination in the
first place. then rename it there.
The PHP system libraries handle the file upload itself, and PHP code doesn't
run until the file is uploaded. So there isn't really a practical way to do
this without jumping pretty far outside of PHP norms.
[ ... ]
> I am wondering if there is some good way to automatically relabel this
> file when it is renamed?
[ ... ]
That is not practical because whatever moves the file might not be
allowed to relabelto the target location type.
Right, but then I would simply expect a denial, just as I would if I tried
to do some other operation not allowed by SELinux, and would modify my
policy to allow that. I think the issues here aren't fundamentally
different than with copying the file, except of course the needed permission
would be different.
As for Dan's suggestion to use an upload directory with the correct label:
The upload is handled by the PHP libraries and so doesn't know what context
the file should end up with at the time it is being created; it will really
depend on where it is copied to.
Maybe one solution would be to first move the file to a temporary name
(giving the checks that PHP's move_uploaded_file provides), then copy it to
its final name (which will relabel). Could be a fair bit of extra work for
the OS if the file is large, but for this application it might be workable.
I'll also take a look at what would be required to patch PHP to get the
behavior I was expecting.
Thanks again for your suggestions!
-----Scott.