Bug 168772

Summary: apache failed to get default context
Product: Fedora
Reporter: p thompson <pt>
Component: selinux-policy-targeted
Assignee: James Antill <james.antill>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 4
CC: dwalsh, jorton
Hardware: i386
OS: Linux
Fixed In Version: FC5
Doc Type: Bug Fix
Last Closed: 2006-09-22 02:14:31 UTC

Description p thompson 2005-09-20 09:36:18 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050909 Fedora/1.0.6-1.2.fc4 Firefox/1.0.6

Description of problem:
Apache runs a bash script with sudo

#!/usr/bin/perl -w
use strict;
use CGI::Carp qw(fatalsToBrowser);   # show fatal errors in the browser instead of a bare 500
# Run the sudo-wrapped helper that turns IP forwarding off; its output is not used
my @a = `sudo /var/www/internet/scripts/nointernet 0`;
# Reply with the HTML stored after __END__, which sends the browser back to the form
@a = <DATA>;
print("@a");
exit;
__END__

<HTML>
<META HTTP-EQUIV="EXPIRES" CONTENT="Sat, 01 Jan 2000 00:00:00 GMT">
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://192.168.0.1/internet/">
</HTML>

SE Linux and sudoers have been modified to allow this.
User clicks on form which executes cgi script which fails with no error in /var/log/secure:

Sep 20 04:20:20 monotheletisia sudo:   apache : TTY=unknown ; PWD=/var/www/internet/scripts ; USER=root ; COMMAND=/var/www/internet/scripts/nointernet 0

No errors appear in /var/log/audit/audit.log (completely unrelated cron audit entry below, no apache entries)

type=USER_END msg=audit(1127208601.749:7361): user pid=6730 uid=0 auid=0 msg='PAM session close: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'

Below appears in /etc/httpd/logs/error_log

[Tue Sep 20 04:26:08 2005] [error] [client 192.168.0.1] failed to get default context, referer: http://192.168.0.1/internet/


This is the contents of sudoers

apache  ALL = NOPASSWD: /var/www/internet/scripts/nointernet

This is the context of the /var/www/internet/scripts directory
-rwxrwxr-x  apache   apache   root:object_r:httpd_sys_script_exec_t internet.pl
-rwxr-xr-x  apache   apache   root:object_r:httpd_sys_script_exec_t nointernet
-rwxr-xr-x  apache   apache   root:object_r:httpd_sys_script_exec_t nointernet.pl
-rwxr-xr-x  apache   apache   root:object_r:httpd_sys_script_exec_t oninternet.pl

Previously worked under FC3.

httpd-2.0.54-10.2
sudo-1.6.8p8-2.2
pam-0.79-9.52.2


Version-Release number of selected component (if applicable):
httpd-2.0.54-10.2

How reproducible:
Always

Steps to Reproduce:
1. apache executes script

Expected Results: sudo allows the apache user to execute /var/www/internet/scripts/nointernet
as root; the script consists of

#!/bin/bash
# Write the first argument (0 or 1) into the IPv4 forwarding sysctl
echo "$1" > /proc/sys/net/ipv4/ip_forward


Additional info:

Is this an apache error or a selinux error?  No errors in audit.log = confusing

Comment 1 p thompson 2005-09-20 09:38:49 UTC
httpd.conf contains
ScriptAlias /scripts/ "/var/www/internet/scripts/"

Alias /internet "/var/www/internet/"

<Directory /var/www/internet/>
    DirectoryIndex index.shtml
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "internet"
    AuthUserFile /etc/httpd/conf/passwd
    require user userx
    require user usery
</Directory>


Comment 2 Joe Orton 2005-09-20 09:56:24 UTC
The error is coming from sudo; perhaps this is deliberate due to the SELinux
policy, I'm not sure.

Comment 3 Karel Zak 2005-09-20 10:24:20 UTC
Please try calling "sudo /var/www/internet/scripts/nointernet 0" manually as the
same user as your apache and without SELinux (kernel boot option selinux=0).

It really seems like an SELinux problem -- sudo always writes something to the logs.

Comment 4 Daniel Walsh 2005-09-20 12:50:39 UTC
Are you seeing any avc messages?

Dan

Comment 5 Daniel Walsh 2005-09-20 12:51:55 UTC
You might also want to run this script as httpd_unconfined_script_t

Comment 6 p thompson 2005-09-20 13:14:17 UTC
1) script works after booting with selinux=0 

2) Not sure how to run as apache user:
"su - apache
This account is currently not available."

3) avc messages = contents of /var/log/audit/audit.log?
failure of the script does not make anything new appear there

4) re:httpd_unconfined_script_t I must be doing something wrong

chcon root:object_r:httpd_unconfined_script_t *
chcon: failed to change context of internet.pl to
root:object_r:httpd_unconfined_script_t: Permission denied
chcon: failed to change context of nointernet to
root:object_r:httpd_unconfined_script_t: Permission denied
chcon: failed to change context of nointernet.pl to
root:object_r:httpd_unconfined_script_t: Permission denied
chcon: failed to change context of oninternet.pl to
root:object_r:httpd_unconfined_script_t: Permission denied

speaking of avc messages:

type=AVC msg=audit(1127221942.099:308): avc:  denied  { relabelto } for 
pid=4030 comm="chcon" name="oninternet.pl" dev=sdg2 ino=179597
scontext=root:system_r:unconfined_t
tcontext=root:object_r:httpd_unconfined_script_t tclass=file




Comment 7 p thompson 2005-09-20 13:57:21 UTC
re 2):
perl -e '$uid = `id -u apache`; $gid = `id -g apache`;' -e '$( = $) = "$gid $gid"; $> = $< = $uid; exec "sudo /var/www/internet/scripts/nointernet 1";'

script works as apache

Comment 8 Daniel Walsh 2005-09-20 15:18:51 UTC
httpd_unconfined_script_t should be
httpd_unconfined_script_exec_t

Sorry about that.

Comment 9 p thompson 2005-09-20 15:54:55 UTC
OK, changed the files accordingly, now I get 

type=CRED_ACQ msg=audit(1127231295.419:615): user pid=7296 uid=0 auid=4294967295
msg='PAM setcred: user=root exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=?
result=Success)'
type=USER_START msg=audit(1127231295.420:616): user pid=7296 uid=0
auid=4294967295 msg='PAM session open: user=root exe="/usr/bin/sudo"
(hostname=?, addr=?, terminal=? result=Success)'
type=USER_END msg=audit(1127231295.421:617): user pid=7296 uid=0 auid=4294967295
msg='PAM session close: user=root exe="/usr/bin/sudo" (hostname=?, addr=?,
terminal=? result=Success)'
type=AVC msg=audit(1127231295.423:618): avc:  denied  { transition } for 
pid=7296 comm="sudo" name="sesh" dev=md0 ino=374213
scontext=system_u:system_r:httpd_unconfined_script_t
tcontext=root:system_r:unconfined_t tclass=process
type=SYSCALL msg=audit(1127231295.423:618): arch=40000003 syscall=11 success=no
exit=-13 a0=883a850 a1=88392e0 a2=88390a8 a3=69b840 items=1 pid=7296
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="sudo" exe="/usr/bin/sudo"
type=AVC_PATH msg=audit(1127231295.423:618):  path="/usr/sbin/sesh"
type=PATH msg=audit(1127231295.423:618): item=0 name="/usr/sbin/sesh" flags=101
 inode=374213 dev=09:00 mode=0100755 ouid=0 ogid=0 rdev=00:00

adding
allow httpd_unconfined_script_t unconfined_t:process transition;
into domains/misc/local.te (followed by "make reload")
does not fix anything


Comment 10 Daniel Walsh 2005-09-20 18:19:38 UTC
How about adding 

typeattribute httpd_unconfined_script_t privuser;



Comment 11 p thompson 2005-09-20 19:08:51 UTC
I'm guessing this goes in policy.conf, I added it about here:

# unconfined domain for apache scripts.  Only to be used as a last resort
#
type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable;
type httpd_unconfined_script_t, domain, nscd_client_domain;
role system_r types httpd_unconfined_script_t;

#line 329

#line 329
typeattribute httpd_unconfined_script_t unrestricted;
typeattribute httpd_unconfined_script_t privuser;

Now everything works. What does that mean?  Was there a bug?
What is the implication of "only to be used as a last resort"...?


Comment 12 Daniel Walsh 2005-09-20 19:43:54 UTC
Yes this is a bug in policy.   I will be adding it in the next update.  

Did you remove the other line? Can you, and see if it still works?

Basically, running a script as httpd_unconfined_script_exec_t means you want all
of apache protected except for this script.  This is better than turning off all
of SELinux apache protection or SELinux altogether.  But now if a hacker breaks
into your apache web site, he will be able to run this script with the same
privs as if he broke in without SELinux.

Dan
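
The AVC denial in Comment 9 is exactly the kind of record that audit2allow turns into an `allow` rule (the rule the reporter tried by hand), and Comment 12 explains why that particular rule is risky. The following is an added example, not code from this bug report or from the selinux-policy project: a small Python parser over a constructed audit.log sample (copies of the page's two AVC lines re-joined onto single lines, plus the unrelated USER_END record) that extracts source/target types, derives the candidate rule, and flags a denied process transition whose target is an unconfined domain. The function and constant names (`parse_avc`, `suggest_rule`, `assess`, `analyze`, `SAMPLE_AUDIT_LOG`) are my own.

```python
import re

# Constructed sample: the page's AVC records re-joined onto one line each,
# plus one non-AVC record to show that it is skipped.
SAMPLE_AUDIT_LOG = """\
type=USER_END msg=audit(1127231295.421:617): user pid=7296 uid=0 auid=4294967295 msg='PAM session close: user=root exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=? result=Success)'
type=AVC msg=audit(1127231295.423:618): avc:  denied  { transition } for  pid=7296 comm="sudo" name="sesh" dev=md0 ino=374213 scontext=system_u:system_r:httpd_unconfined_script_t tcontext=root:system_r:unconfined_t tclass=process
type=AVC msg=audit(1127221942.099:308): avc:  denied  { relabelto } for  pid=4030 comm="chcon" name="oninternet.pl" dev=sdg2 ino=179597 scontext=root:system_r:unconfined_t tcontext=root:object_r:httpd_unconfined_script_t tclass=file
"""

# type=AVC msg=audit(<ts>:<serial>): avc:  denied  { perm ... } for  key=value ...
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be quoted (comm="sudo") or bare (tclass=process)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Domains that a confined web script should never be allowed to transition into
UNCONFINED_TYPES = {"unconfined_t"}


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = {
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
    }
    # A security context is user:role:type[:range]; the type is the third field
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def suggest_rule(rec):
    """The allow rule that would silence this denial, in the form audit2allow emits."""
    return "allow %s %s:%s { %s };" % (
        rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))


def assess(rec):
    """Rate what granting the suggested rule would hand to the source domain."""
    if (rec["tclass"] == "process" and "transition" in rec["perms"]
            and rec["ttype"] in UNCONFINED_TYPES):
        # The script domain would be able to run code with no SELinux confinement
        return "high"
    if (rec["tclass"] == "file" and "relabelto" in rec["perms"]
            and rec["ttype"].startswith("httpd_unconfined")):
        # Relabelling marks a file so httpd executes it unconfined; worth a look
        return "review"
    return "low"


def analyze(log_text):
    """Walk an audit.log excerpt and return (serial, rule, risk) findings for each AVC."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        findings.append({"serial": rec["serial"], "rule": suggest_rule(rec),
                         "risk": assess(rec), "record": rec})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT_LOG):
        print("%d [%s] %s" % (f["serial"], f["risk"], f["rule"]))
```

Run against the sample, the first finding reproduces the reporter's hand-written `allow httpd_unconfined_script_t unconfined_t:process transition;` line and marks it high, which is the point Comment 12 makes: the fix silences the denial by letting the web script domain become unconfined, so the rule should be a deliberate exception rather than something copied from audit2allow output.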

Comment 13 p thompson 2005-09-21 21:33:22 UTC
Thanks for the help, I will watch for the update.
I would then remove the items from the policy.conf?

Comment 14 Daniel Walsh 2005-09-27 19:43:59 UTC
Fixed in selinux-policy-targeted-1.27.1-2.3


Comment 15 p thompson 2005-09-28 00:48:17 UTC
I installed this from updates-testing and it works.
Is my fix running the script with httpd_unconfined_script_t, or is there a way
to lock it down further than this update allows?

Comment 16 Bill Nottingham 2006-09-22 02:14:31 UTC
Closing bugs in MODIFIED state from prior Fedora releases. If this bug persists
in a current Fedora release (such as Fedora Core 5 or later), please reopen and
set the version appropriately.