Bug 168772
Summary: | apache failed to get default context | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | p thompson <pt>
Component: | selinux-policy-targeted | Assignee: | James Antill <james.antill>
Status: | CLOSED CURRENTRELEASE | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 4 | CC: | dwalsh, jorton
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | i386 | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | FC5 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2006-09-22 02:14:31 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
p thompson
2005-09-20 09:36:18 UTC
httpd.conf contains:

```apache
ScriptAlias /scripts/ "/var/www/internet/scripts/"
Alias /internet "/var/www/internet/"
<Directory /var/www/internet/>
    DirectoryIndex index.shtml
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "internet"
    AuthUserFile /etc/httpd/conf/passwd
    require user userx
    require user usery
</Directory>
```

The error is coming from sudo; perhaps this is deliberate due to the SELinux policy, I'm not sure.

Please try calling "sudo /var/www/internet/scripts/nointernet 0" manually under the same user as your apache and without SELinux (kernel boot option selinux=0). It really seems like an SELinux problem -- sudo always writes something to logs. Are you seeing any avc messages?

Dan

You might also want to run this script as httpd_unconfined_script_t

1) script works after booting with selinux=0
2) Not sure how to run as apache user: "su - apache This account is currently not available."
3) avc messages = contents of /var/log/audit/audit.log? failure of the script does not make anything new appear there
4) re: httpd_unconfined_script_t I must be doing something wrong

```
chcon root:object_r:httpd_unconfined_script_t *
chcon: failed to change context of internet.pl to root:object_r:httpd_unconfined_script_t: Permission denied
chcon: failed to change context of nointernet to root:object_r:httpd_unconfined_script_t: Permission denied
chcon: failed to change context of nointernet.pl to root:object_r:httpd_unconfined_script_t: Permission denied
chcon: failed to change context of oninternet.pl to root:object_r:httpd_unconfined_script_t: Permission denied
```

speaking of avc messages:

```
type=AVC msg=audit(1127221942.099:308): avc: denied { relabelto } for pid=4030 comm="chcon" name="oninternet.pl" dev=sdg2 ino=179597 scontext=root:system_r:unconfined_t tcontext=root:object_r:httpd_unconfined_script_t tclass=file
```

re 2):

```sh
perl -e '$uid = `id -u apache`; $gid = `id -g apache`;' -e '$( = $) = "$gid $gid"; $> = $< = $uid; exec "sudo /var/www/internet/scripts/nointernet 1";'
```

script works as apache

httpd_unconfined_script_t should be httpd_unconfined_script_exec_t. Sorry about that.

OK, changed the files accordingly, now I get

```
type=CRED_ACQ msg=audit(1127231295.419:615): user pid=7296 uid=0 auid=4294967295 msg='PAM setcred: user=root exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=? result=Success)'
type=USER_START msg=audit(1127231295.420:616): user pid=7296 uid=0 auid=4294967295 msg='PAM session open: user=root exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=? result=Success)'
type=USER_END msg=audit(1127231295.421:617): user pid=7296 uid=0 auid=4294967295 msg='PAM session close: user=root exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=? result=Success)'
type=AVC msg=audit(1127231295.423:618): avc: denied { transition } for pid=7296 comm="sudo" name="sesh" dev=md0 ino=374213 scontext=system_u:system_r:httpd_unconfined_script_t tcontext=root:system_r:unconfined_t tclass=process
type=SYSCALL msg=audit(1127231295.423:618): arch=40000003 syscall=11 success=no exit=-13 a0=883a850 a1=88392e0 a2=88390a8 a3=69b840 items=1 pid=7296 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="sudo" exe="/usr/bin/sudo"
type=AVC_PATH msg=audit(1127231295.423:618): path="/usr/sbin/sesh"
type=PATH msg=audit(1127231295.423:618): item=0 name="/usr/sbin/sesh" flags=101 inode=374213 dev=09:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
```

adding

```
allow httpd_unconfined_script_t unconfined_t:process transition;
```

into domains/misc/local.te; make reload does not fix anything

How about adding

```
typeattribute httpd_unconfined_script_t privuser;
```

I'm guessing this goes in policy.conf, I added it about here:

```
# unconfined domain for apache scripts. Only to be used as a last resort
#
type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable;
type httpd_unconfined_script_t, domain, nscd_client_domain;
role system_r types httpd_unconfined_script_t;
#line 329
#line 329
typeattribute httpd_unconfined_script_t unrestricted;
typeattribute httpd_unconfined_script_t privuser;
```

Now everything works. What does that mean? Was there a bug? What is the implication of "only to be used as a last resort"...?

Yes this is a bug in policy. I will be adding it in the next update. Did you remove the other line? Can you and see if it still works. Basically running a script as a httpd_unconfined_script_exec_t means you want all of apache protected except for this script. This is better than turning off all of SELinux apache protection or selinux altogether. But now if a hacker breaks into your apache web site, he will be able to run this script with the same privs as if he broke in without selinux.

Dan

Thanks for the help, I will watch for the update. I would then remove the items from the policy.conf?

Fixed in selinux-policy-targeted-1.27.1-2.3

I installed this from updates-testing and it works. Is my fix running the script with httpd_unconfined_script_t or is there a way to lock it down further than this update allows?

Closing bugs in MODIFIED state from prior Fedora releases. If this bug persists in a current Fedora release (such as Fedora Core 5 or later), please reopen and set the version appropriately.
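The thread turns on reading two AVC records: the `relabelto` denial (chcon aimed at a domain type instead of an `_exec_t` file type) and the `transition` denial (sudo in `httpd_unconfined_script_t` trying to enter `unconfined_t`, which also changes the SELinux user from `system_u` to `root`, so a policy constraint applies and the plain allow rule in local.te was not enough). The following Python is an added example, not code from the bug report or the Fedora policy; it parses such records from audit.log, renders the allow rule an audit2allow-style tool would propose, and flags the user change. The sample log is constructed from the lines quoted above.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the AVC records quoted in the thread above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1127221942.099:308): avc: denied { relabelto } for pid=4030 comm="chcon" name="oninternet.pl" dev=sdg2 ino=179597 scontext=root:system_r:unconfined_t tcontext=root:object_r:httpd_unconfined_script_t tclass=file
type=SYSCALL msg=audit(1127231295.423:618): arch=40000003 syscall=11 success=no exit=-13 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1127231295.423:618): avc: denied { transition } for pid=7296 comm="sudo" name="sesh" dev=md0 ino=374213 scontext=system_u:system_r:httpd_unconfined_script_t tcontext=root:system_r:unconfined_t tclass=process
"""
AVC_RE = re.compile(r"type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} +for +(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class AvcDenial:
    perms: List[str]
    comm: str
    scontext: str  # user:role:type[:level] of the acting process
    tcontext: str  # user:role:type[:level] of the object or target domain
    tclass: str

    def source_type(self) -> str:
        return self.scontext.split(":")[2]
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]

    def user_changes(self) -> bool:
        return self.scontext.split(":")[0] != self.tcontext.split(":")[0]
    def allow_rule(self) -> str:
        return f"allow {self.source_type()} {self.target_type()}:{self.tclass} {{ {' '.join(self.perms)} }};"

def parse_avc(log: str) -> List[AvcDenial]:
    out = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # CRED_ACQ, USER_START, SYSCALL, PATH ... carry no denial
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        out.append(AvcDenial(m.group("perms").split(), f.get("comm", "?"),
                             f["scontext"], f["tcontext"], f["tclass"]))
    return out

def explain(d: AvcDenial) -> str:
    if d.tclass == "process" and "transition" in d.perms:
        note = "; the SELinux user also changes, so a constraint applies and an allow rule alone is not enough" if d.user_changes() else ""
        return f"{d.comm} in {d.source_type()} tried to exec into {d.target_type()}{note}"
    if d.tclass == "file" and "relabelto" in d.perms:
        return f"{d.comm} may not label files as {d.target_type()}; check it is a file type (_exec_t), not a domain"
    return f"{d.comm}: {' '.join(d.perms)} denied on {d.tclass}"
```

Feed it the real file with `parse_avc(open("/var/log/audit/audit.log").read())`; records without a denial are skipped.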