Bug 1017588

Summary: AVC denial httpd_suexec_t cannot read write httpd_tmp_t
Product: Red Hat Enterprise Linux 5
Reporter: Karel Srot <ksrot>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low
Docs Contact:
Priority: medium
Version: 5.9
CC: dwalsh, mmalik
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-03-24 13:45:08 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Karel Srot 2013-10-10 08:27:26 UTC
Description of problem:

httpd is configured to execute a CGI script for 404 errors (accessing a page that does not exist).

It works, but the following AVC appears:

type=AVC msg=audit(1381407420.316:209): avc:  denied  { read write } for  pid=3842 comm="suexec" path=2F746D702F2E4E5350522D41464D2D333739392D3262303233383662613437302E30202864656C6574656429 dev=dm-0 ino=4952181 scontext=root:system_r:httpd_suexec_t:s0 tcontext=root:object_r:httpd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1381407420.316:209): arch=c000003e syscall=59 success=yes exit=0 a0=2b02273371a9 a1=2b02382e8818 a2=2b02382e7f68 a3=0 items=2 ppid=3802 pid=3842 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="suexec" exe="/usr/sbin/suexec" subj=root:system_r:httpd_suexec_t:s0 key=(null)
type=EXECVE msg=audit(1381407420.316:209): argc=4 a0="/usr/sbin/suexec" a1="~501" a2="501" a3="printenv.cgi"
type=CWD msg=audit(1381407420.316:209):  cwd="/home/httpd001/public_html"
type=PATH msg=audit(1381407420.316:209): item=0 name="/usr/sbin/suexec" inode=4079386 dev=fc:00 mode=0104510 ouid=0 ogid=48 rdev=00:00 obj=system_u:object_r:httpd_suexec_exec_t:s0
type=PATH msg=audit(1381407420.316:209): item=1 name=(null) inode=16286015 dev=fc:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0


# sesearch -A -C -c httpd_suexec_t -t httpd_tmp_t -c file -p write
Found 10 av rules:
   allow httpd_sys_script_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; 
   allow rpm_t httpd_tmp_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename }; 
   allow rpm_script_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; 
   allow httpd_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; 
DT allow smbd_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; [ samba_export_all_rw ]
DT allow ftpd_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; [ allow_ftpd_full_access ]
DT allow mount_t httpd_tmp_t : file { ioctl read write getattr lock append mounton }; [ allow_mount_anyfile ]
ET allow nfsd_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; [ nfs_export_all_rw ]
DT allow nmbd_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; [ samba_export_all_rw ]
ET allow kernel_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; [ nfs_export_all_rw ]


Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-338.el5

Comment 2 Milos Malik 2013-10-11 13:53:39 UTC
----
type=SYSCALL msg=audit(10/11/2013 15:51:59.330:362) : arch=x86_64 syscall=execve success=yes exit=0 a0=2b261a1a11a9 a1=2b2635ee3138 a2=2b2635ee28d8 a3=0 items=0 ppid=22493 pid=22525 auid=root uid=apache gid=apache euid=root suid=root fsuid=root egid=apache sgid=apache fsgid=apache tty=(none) ses=27 comm=suexec exe=/usr/sbin/suexec subj=root:system_r:httpd_suexec_t:s0 key=(null) 
type=AVC msg=audit(10/11/2013 15:51:59.330:362) : avc:  denied  { read write } for  pid=22525 comm=suexec path=/tmp/.NSPR-AFM-22486-2b262edcb930.0 (deleted) dev=vda3 ino=1412481 scontext=root:system_r:httpd_suexec_t:s0 tcontext=root:object_r:httpd_tmp_t:s0 tclass=file 
----
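The record in the description carries the path hex-encoded (auditd encodes an untrusted string that way when it contains whitespace, a double quote or a non-printable byte; here the " (deleted)" suffix triggers it), and comment 2 shows the same kind of record after `ausearch -i` has decoded it. The following is an added example, not code from this bug report or from selinux-policy: it decodes the raw AVC fields the way `ausearch -i` does and checks the denied access against the `sesearch -A` rule list from the description, reporting whether an unconditional rule, a boolean-gated rule, or no rule at all covers it. The AVC line and the rule list are copied from the report; the function and variable names, and the two constructed variant records in the `__main__` block, are this example's own.

```python
"""Triage one SELinux AVC record against the allow rules sesearch prints.
Added example; not from the bug report or selinux-policy."""
import re

# Raw type=AVC record from the description (copied). The path= value is
# hex-encoded because the name contains a space (" (deleted)").
AVC_LINE = (
    'type=AVC msg=audit(1381407420.316:209): avc:  denied  { read write } for  '
    'pid=3842 comm="suexec" '
    'path=2F746D702F2E4E5350522D41464D2D333739392D3262303233383662613437302E30'
    '202864656C6574656429 '
    'dev=dm-0 ino=4952181 scontext=root:system_r:httpd_suexec_t:s0 '
    'tcontext=root:object_r:httpd_tmp_t:s0 tclass=file'
)

# sesearch output from the description (copied, trailing spaces removed).
# DT/ET = rule gated by a boolean that is disabled/enabled; no prefix =
# unconditional rule.
SESEARCH_OUTPUT = """\
   allow httpd_sys_script_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename };
   allow rpm_t httpd_tmp_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename };
   allow rpm_script_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename };
   allow httpd_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename };
DT allow smbd_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; [ samba_export_all_rw ]
DT allow ftpd_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; [ allow_ftpd_full_access ]
DT allow mount_t httpd_tmp_t : file { ioctl read write getattr lock append mounton }; [ allow_mount_anyfile ]
ET allow nfsd_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; [ nfs_export_all_rw ]
DT allow nmbd_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; [ samba_export_all_rw ]
ET allow kernel_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; [ nfs_export_all_rw ]
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'\{([^}]*)\}')
RULE_RE = re.compile(
    r'^\s*(?:(?P<flag>[DE]T)\s+)?allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*'
    r'(?P<cls>\S+)\s*\{(?P<perms>[^}]*)\}\s*;\s*(?:\[\s*(?P<bool>\S+)\s*\])?')


def decode_audit_value(value):
    """Undo auditd's string encoding: strip quotes, or decode a hex string."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', value):
        return bytes.fromhex(value).decode('utf-8', errors='replace')
    return value  # (null) or similar: leave as-is


def parse_avc(line):
    """Pull the fields a triage needs out of one type=AVC line."""
    fields = dict(FIELD_RE.findall(line))
    match = PERMS_RE.search(line)
    return {
        'denied': ' denied ' in line,
        'perms': set(match.group(1).split()) if match else set(),
        'comm': decode_audit_value(fields.get('comm', '')),
        'path': decode_audit_value(fields.get('path', '(null)')),
        'stype': fields['scontext'].split(':')[2],  # user:role:type:level
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def parse_sesearch(text):
    """Turn sesearch -A output into a list of rule dicts."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({'src': m['src'], 'tgt': m['tgt'], 'cls': m['cls'],
                          'perms': set(m['perms'].split()),
                          'boolean': m['bool'],           # None if unconditional
                          'enabled': m['flag'] != 'DT'})  # DT: boolean is off
    return rules


def covering_rules(denial, rules):
    """Rules that would grant every permission this AVC denied."""
    key = (denial['stype'], denial['ttype'], denial['tclass'])
    return [r for r in rules
            if (r['src'], r['tgt'], r['cls']) == key and denial['perms'] <= r['perms']]


def triage(line, rules):
    """Decode the AVC and attach a verdict explaining the denial."""
    denial = parse_avc(line)
    hits = covering_rules(denial, rules)
    if any(r['boolean'] is None for r in hits):
        denial['verdict'] = 'allowed by an unconditional rule'
    elif hits:
        denial['verdict'] = 'gated by boolean(s): ' + ', '.join(
            f"{r['boolean']} ({'on' if r['enabled'] else 'off'})" for r in hits)
    else:
        denial['verdict'] = 'no allow rule for this access'
    return denial


if __name__ == '__main__':
    rules = parse_sesearch(SESEARCH_OUTPUT)
    # The report's record plus two constructed variants (same record with
    # the source type swapped) to show the other two verdict kinds.
    for label, line in [('report', AVC_LINE),
                        ('httpd_t', AVC_LINE.replace('httpd_suexec_t', 'httpd_t')),
                        ('smbd_t', AVC_LINE.replace('httpd_suexec_t', 'smbd_t'))]:
        d = triage(line, rules)
        print(f"{label}: {d['stype']} -> {d['ttype']}:{d['tclass']} "
              f"{sorted(d['perms'])} path={d['path']!r}: {d['verdict']}")
```

For the record in this report the verdict is that no listed rule grants httpd_suexec_t read/write on httpd_tmp_t files, which is exactly why the AVC is logged; the decoded path shows suexec inherited an already-unlinked NSPR temporary file descriptor from httpd, which is why the CGI still ran fine despite the denial.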

Comment 3 Miroslav Grepl 2013-10-14 12:49:06 UTC
So it works if you don't audit these AVC messages, right?

Comment 4 Karel Srot 2013-10-15 07:31:57 UTC
For some reason I cannot reproduce this bug anymore. Maybe it will appear in future runs.
Anyway, httpd seemed to be working properly, even though the AVC appeared.
Let's keep this BZ open, and if there is no update by 5.11 we will close it.

Comment 5 Miroslav Grepl 2013-12-09 14:27:00 UTC
(In reply to Karel Srot from comment #4)
> For some reason I cannot reproduce this bug anymore. Maybe it will appear
> in future runs.
> Anyway, httpd seemed to be working properly, even though the AVC
> appeared.
> Let's keep this BZ open, and if there is no update by 5.11 we will
> close it.

I agree.

Comment 6 RHEL Program Management 2014-01-22 16:24:32 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.