Bug 178692

| Field | Value |
|---|---|
| Summary | httpd's suexec prevents running cgi scripts |
| Product | Red Hat Enterprise Linux 4 |
| Reporter | Peter Bieringer <pb> |
| Component | selinux-policy-targeted |
| Assignee | James Antill <james.antill> |
| Status | CLOSED NEXTRELEASE |
| QA Contact | |
| Severity | low |
| Docs Contact | |
| Priority | medium |
| Version | 4.0 |
| CC | benl, dkovalsk, dwalsh, james.antill, jlaska, leopinheiro |
| Target Milestone | --- |
| Keywords | Reopened |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | RHBA-2007-0171 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2008-08-01 15:52:43 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |
Description
Peter Bieringer
2006-01-23 15:53:20 UTC
What are the current booleans set for httpd?

getsebool -a | grep httpd

You might have to label your script to httpd_unconfined_exec_t to get this to work. Turning some additional booleans on will eliminate a couple.

Dan

# getsebool -a | grep httpd
httpd_builtin_scripting --> active
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> inactive
httpd_ssi_exec --> active
httpd_tty_comm --> inactive
httpd_unified --> active

Currently I have the following content in local.te:

## sqwebmail
allow httpd_sys_script_t var_t:sock_file write;
allow httpd_sys_script_t unconfined_t:unix_stream_socket connectto;
## 20060123/PB: apache/suexec
allow httpd_suexec_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow httpd_suexec_t httpd_sys_content_t:file execute_no_trans;
allow httpd_suexec_t httpd_t:tcp_socket { read write };
allow httpd_suexec_t ld_so_cache_t:file execute;
allow httpd_t httpd_suexec_t:process signal;
## 20060123/PB: apache/tree in user's home directory
allow httpd_t user_home_t:dir search;
## 20060130/PB: D***/c***.pl
allow httpd_suexec_t httpd_sys_content_t:dir read;
allow httpd_suexec_t httpd_sys_content_t:file { lock write };
## 20060130/PB: wwwa***/m***.cgi
allow httpd_suexec_t httpd_sys_content_t:dir { add_name read write };
allow httpd_suexec_t httpd_sys_content_t:file { append create };
## 20060130/PB: ipv6calcweb.cgi
allow httpd_suexec_t bin_t:dir getattr;
allow httpd_suexec_t self:fifo_file { ioctl read };
allow httpd_suexec_t self:process fork;
allow httpd_suexec_t httpd_sys_content_t:file ioctl;
allow httpd_suexec_t proc_t:file { getattr ioctl read };
## 20060130/PB: ipv6calc
allow httpd_suexec_t bin_t:dir getattr;
allow httpd_suexec_t self:fifo_file { getattr ioctl read write };
allow httpd_suexec_t self:process fork;
allow httpd_suexec_t httpd_sys_content_t:file ioctl;
allow httpd_suexec_t proc_t:file { getattr ioctl read };
# 20060206/PB: c***.cgi
allow httpd_t httpd_sys_content_t:file execute_no_trans;
# 20060206/PB: ww_t***.pl
allow httpd_suexec_t usr_t:lnk_file read;

Any hints which of them I can eliminate by switching toggles or changing the security context of the CGI?

For access to user home directories you first have to enable the httpd_enable_homedirs boolean. To allow serving files from under the home directories you have to change the type of the subdirectory that has the webspace (along with all files and directories under it) to httpd_user_content_t. If you are doing bulk virtual hosting of web space (IE the user accounts are not used for anything other than web space) then it might be appropriate to use the type httpd_user_content_t for everything under /home.

For the cgi-bin scripts to run correctly (IE not in the httpd_suexec_t domain) you need to have the scripts themselves use a type that has the attribute httpdcontent. The relevant types are httpd_sys_content_t, httpd_sys_script_ro_t, httpd_sys_script_rw_t, and httpd_sys_script_ra_t. When a script that has one of those types is executed there will be an automatic domain transition to httpd_sys_script_t. If running cgi-bin scripts without any restrictions you can use the type httpd_unconfined_script_exec_t.

Please try these things out and let me know if you still need to have any entries in local.te.

Hmm, let's first focus on the cgi-scripts. I've checked the security context of the scripts, they are properly set:

-rwxr-x--- wwwbieri wwwbieri system_u:object_r:httpd_sys_content_t footer.cgi
-rwxr-x--- wwwbieri wwwbieri system_u:object_r:httpd_sys_content_t ipv6calcweb.cgi

Now I disabled the rules shown above (block occurs twice):

## 20060130/PB: ipv6calc
allow httpd_suexec_t bin_t:dir getattr;
allow httpd_suexec_t self:fifo_file { getattr ioctl read write };
allow httpd_suexec_t self:process fork;
allow httpd_suexec_t httpd_sys_content_t:file ioctl;
allow httpd_suexec_t proc_t:file { getattr ioctl read };

Afterwards I got all the messages.
I've now changed httpd_sys_content_t to httpd_sys_script_ro_t, same messages. Do you have another suggestion for the suexec related entries?

My apache config looks like this:

LoadModule suexec_module modules/mod_suexec.so

Per virtual host:

SuexecUserGroup cgiuser wwwuser

Thanks for your fast response.

I made a mistake in my previous message, the best type to use for the cgi-bin scripts is httpd_sys_script_exec_t. The other types should work if you have httpd_unified enabled (which you apparently had enabled). Did you disable httpd_unified since your previous addition to this bug report? Regardless of the httpd_unified boolean, changing the type to httpd_sys_script_exec_t will make it work.

I still have problems caused by the CGI scripts themselves. E.g.:

comm="script.cgi" name="logfile" dev=md3 ino=163248 scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:object_r:httpd_sys_content_t tclass=file

Not allowed to write to a file with httpd_sys_content_t.

Or:

denied { getattr } for pid=25496 comm="ipv6calc" name="[5121067]" dev=pipefs ino=5121067 scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:system_r:httpd_suexec_t tclass=fifo_file

ipv6calcweb.cgi calls the binary ipv6calc and parses its stdout. It looks like I still have to design my own special rules.

BTW: is it a feature or a bug that restorecon doesn't read /etc/selinux/targeted/contexts/files/file_context.local? And also that setfiles segfaults in case e.g. "*.cgi" is specified in file_context.local?

A SEGV of setfiles is a bug, please provide more information in a separate bug report.

Is httpd_unified still enabled? Do you have script.cgi labeled as httpd_sys_script_exec_t?

The domain httpd_suexec_t is not intended for the actual execution of cgi-bin scripts, this is why it has not been granted access to use pipes and perform many other operations that cgi-bin scripts may do.
# getsebool -a |grep ^http
httpd_builtin_scripting --> active
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> inactive
httpd_ssi_exec --> active
httpd_tty_comm --> inactive
httpd_unified --> active

# ls -Z /path/to/cgi-bin/ipv6calcweb.cgi
-rwxr-x--- wwwuser wwwgroup system_u:object_r:httpd_sys_script_exec_t /path/to/cgi-bin/ipv6calcweb.cgi

BTW: does it make sense to restrict the domain httpd_suexec_t to fewer things than CGI scripts may do? I use the suexec feature here to change to a different user than the webserver's primary user (apache). But then, the script will for sure need the same SELinux permissions as before (if executed by the apache user). So what is the intention of restricting httpd_suexec_t more? Perhaps for the future, the CGI block can be copied and enabled by a toggle (httpd_suexec_cgi or something like that).

There seems to be a problem that httpd_suexec_t is not transitioning to httpd_sys_script_t when it executes httpd_sys_script_exec_t? According to policy this should be happening. It is almost like the exec is not happening. Have you updated to the U3 policy?

System is running:

# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.126
# rpm -q selinux-policy-targeted-sources
selinux-policy-targeted-sources-1.17.30-2.126

Next issue rising up.
I'm using formmail.pl (http://www.scriptarchive.com/formmail.html) and this causes a lot of messages:

Apr 27 13:56:32 host audit(1146138992.039:713): avc: denied { create } for pid=6737 comm="sendmail" scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:system_r:httpd_suexec_t tclass=unix_dgram_socket
Apr 27 13:56:32 host audit(1146138992.040:714): avc: denied { connect } for pid=6737 comm="sendmail" scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:system_r:httpd_suexec_t tclass=unix_dgram_socket
Apr 27 13:56:32 host audit(1146138992.060:715): avc: denied { search } for pid=6737 comm="sendmail" name="spool" dev=md1 ino=464964 scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:var_spool_t tclass=dir
Apr 27 13:56:32 host audit(1146138992.061:716): avc: denied { search } for pid=6737 comm="sendmail" name="/" dev=md8 ino=2 scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:mail_spool_t tclass=dir
Apr 27 13:56:32 host audit(1146138992.061:717): avc: denied { setrlimit } for pid=6737 comm="sendmail" scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:system_r:httpd_suexec_t tclass=process
Apr 27 13:56:32 host audit(1146138992.075:718): avc: denied { execute } for pid=6738 comm="sendmail" name="postdrop" dev=md1 ino=36745 scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:sbin_t tclass=file
Apr 27 13:56:32 host audit(1146138992.076:719): avc: denied { execute_no_trans } for pid=6738 comm="sendmail" name="postdrop" dev=md1 ino=36745 scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:sbin_t tclass=file
Apr 27 13:56:32 host audit(1146138992.076:720): avc: denied { read } for pid=6738 comm="sendmail" name="postdrop" dev=md1 ino=36745 scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:sbin_t tclass=file
Apr 27 13:56:32 host audit(1146138992.178:721): avc: denied { write } for pid=6738 comm="postdrop" name="maildrop" dev=md8 ino=64129 scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:mail_spool_t tclass=dir
Apr 27 13:56:32 host audit(1146138992.178:722): avc: denied { add_name } for pid=6738 comm="postdrop" name="179542.6738" scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:mail_spool_t tclass=dir
Apr 27 13:56:32 host audit(1146138992.178:723): avc: denied { create } for pid=6738 comm="postdrop" name="179542.6738" scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:object_r:mail_spool_t tclass=file
Apr 27 13:56:32 host audit(1146138992.217:724): avc: denied { getattr } for pid=6738 comm="postdrop" name="179542.6738" dev=md8 ino=64130 scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:object_r:mail_spool_t tclass=file
Apr 27 13:56:32 host audit(1146138992.217:725): avc: denied { remove_name } for pid=6738 comm="postdrop" name="179542.6738" dev=md8 ino=64130 scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:mail_spool_t tclass=dir
Apr 27 13:56:32 host audit(1146138992.217:726): avc: denied { rename } for pid=6738 comm="postdrop" name="179542.6738" dev=md8 ino=64130 scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:object_r:mail_spool_t tclass=file
Apr 27 13:56:32 host audit(1146138992.218:727): avc: denied { write } for pid=6738 comm="postdrop" name="3550EFA82" dev=md8 ino=64130 scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:object_r:mail_spool_t tclass=file
Apr 27 13:56:32 host audit(1146138992.219:728): avc: denied { setattr } for pid=6738 comm="postdrop" name="3550EFA82" dev=md8 ino=64130 scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:object_r:mail_spool_t tclass=file
Apr 27 13:56:32 host audit(1146138992.222:729): avc: denied { getattr } for pid=6738 comm="postdrop" name="pickup" dev=md8 ino=144294 scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:mail_spool_t tclass=fifo_file
Apr 27 13:56:32 host audit(1146138992.222:730): avc: denied { write } for pid=6738 comm="postdrop" name="pickup" dev=md8 ino=144294 scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:mail_spool_t tclass=fifo_file

Resulting in the following ruleset:

allow httpd_suexec_t self:process setrlimit;
allow httpd_suexec_t self:unix_dgram_socket { connect create };
allow httpd_suexec_t mail_spool_t:dir { add_name remove_name search write };
allow httpd_suexec_t mail_spool_t:fifo_file { getattr write };
allow httpd_suexec_t mail_spool_t:file { create getattr rename setattr write };
allow httpd_suexec_t sbin_t:file { execute execute_no_trans read };
allow httpd_suexec_t var_spool_t:dir search;

A lot of rules...

Ok, I've set up a test using RHEL-4.3 as the following:

# cat /etc/httpd/conf.d/suexec-test.conf
<VirtualHost *:80>
SuexecUserGroup james james
DocumentRoot /var/www/
ServerName laptop.and.org
</VirtualHost>

# ls -la -Z /var/www/cgi-bin/
drwxr-xr-x james james system_u:object_r:httpd_sys_script_exec_t .
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
-rwxr-xr-x james james root:object_r:httpd_sys_script_exec_t test.cgi

# cat /var/www/cgi-bin/test.cgi
#! /bin/sh
echo -e "Content-Type: text/plain\r"
echo -e "\r"
id="$(id)"
cat <<EOL
------------------------------------------------------------
$id
------------------------------------------------------------
EOL

# nc localhost 80
GET /cgi-bin/test.cgi HTTP/1.1
Host: x

HTTP/1.1 200 OK
Date: Thu, 27 Apr 2006 14:12:29 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain; charset=UTF-8

d3
------------------------------------------------------------
uid=500(james) gid=501(james) groups=501(james) context=root:system_r:httpd_sys_script_t
------------------------------------------------------------

0

...this is correct.
I also tried using ipv6calc, and that worked too:

# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.126
# rpm -q ipv6calc
ipv6calc-0.51-1
# cp /usr/share/doc/ipv6calc-0.51/ipv6calcweb/ipv6calcweb.cgi /var/www/cgi-bin/
# chown james:james /var/www/cgi-bin//ipv6calcweb.cgi
# chmod +x /var/www/cgi-bin/ipv6calcweb.cgi
# ll -Z /var/www/cgi-bin/ipv6calcweb.cgi
-rwxr-xr-x james james root:object_r:httpd_sys_script_exec_t /var/www/cgi-bin/ipv6calcweb.cgi
# nc localhost 80
GET /cgi-bin/ipv6calcweb.cgi HTTP/1.1
Host: x

HTTP/1.1 200 OK
Date: Thu, 27 Apr 2006 14:41:10 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

356
<html>
<head>
<meta name="Author" content="Peter Bieringer">
<title>Addresstype information</title>
</head>
<body>
<table border CELLSPACING=0>
<tr>
<th colspan="3">Your client</th>
</tr>
<tr>
<td><b>IPV4</b></td>
<td>IPv4 address</td>
<td><tt>10.12.4.34</tt></td>
</tr>
<tr>
<td><b>IPV4_REGISTRY</b></td>
<td>Registry of IPv4 address</td>
<td>IANA</td>
</tr>
<tr>
<td colspan="3">
<font size=-2>Generated by ipv6calcweb.cgi 0.51, (P) & (C) 2002-2003 by Peter Bieringer</font><br>
<font size=-2>Powered by <a href="http://www.deepspace6.net/projects/ipv6calc.html">ipv6calc</a> 0.51, (P) & (C) 2001-2006 by Peter Bieringer <pb (at) bieringer.de></font>
</td>
</tr>
</table>
</body>
</html>

0

I tried to debug around but ran into a logging problem. Not each HTTP request (done by curl) triggers instant selinux log messages. After one request, selinux logs something. Then on the next request, nothing is logged, restarting httpd won't help, later on a next request, another (related but not similar) selinux message appears in the log. How is logging done in selinux, is there any cache in between?

You are running in permissive mode. Only one avc message for a particular access per process is reported. Turn on enforcing mode and you should see all errors:

setenforce 1

Please attach avc messages.
Dan

I've now transferred my websites (not as mission critical as the others) to a cleaner RHEL4 system. Currently no changes are made to selinux (*-src is not installed at the moment).

# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.126
# getsebool -a
allow_syslog_to_console --> inactive
allow_ypbind --> inactive
dhcpd_disable_trans --> inactive
httpd_builtin_scripting --> active
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_tty_comm --> inactive
httpd_unified --> active
mysqld_disable_trans --> inactive
named_disable_trans --> inactive
named_write_master_zones --> inactive
nscd_disable_trans --> inactive
ntpd_disable_trans --> inactive
pegasus_disable_trans --> inactive
portmap_disable_trans --> inactive
postgresql_disable_trans --> inactive
snmpd_disable_trans --> inactive
squid_disable_trans --> inactive
syslogd_disable_trans --> inactive
use_nfs_home_dirs --> inactive
use_samba_home_dirs --> inactive
use_syslogng --> active
winbind_disable_trans --> inactive
ypbind_disable_trans --> inactive

selinux is enforced on this system.
Let's start with an easy problem (only 2 avc messages per page) now again:

$ curl mirrors.bieringer.de

AddOutputFilter INCLUDES .html .shtml .pl .cgi
SuexecUserGroup wwwgroup wwwgroup
# Add automatic footer
Action add-footer /cgi-bin/footer.cgi
AddHandler add-footer .html

causes:

May 2 13:52:55 pib audit(1146570775.747:603): avc: denied { create } for pid=14823 comm="suexec" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_suexec_t tclass=netlink_route_socket
May 2 13:52:55 pib audit(1146570775.789:604): avc: denied { execute } for pid=14823 comm="footer.cgi" name="ld.so.cache" dev=md1 ino=240555 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:ld_so_cache_t tclass=file

# ls -Z footer.cgi
-rwxr-x--- wwwgroup wwwgroup user_u:object_r:httpd_sys_script_exec_t footer.cgi

footer.cgi is a small C program which puts some HTML code taken from a txt file before the last /body /html tag.

$ ldd footer.cgi
libc.so.6 => /lib/tls/libc.so.6 (0x00365000)
/lib/ld-linux.so.2 (0x0034c000)

Note that if I enable SSL in /etc/ldap.conf I get one additional line per request:

May 2 13:48:46 host audit(1146570526.091:595): avc: denied { read } for pid=14643 comm="suexec" name="cert.pem" dev=md1 ino=224719 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:usr_t tclass=lnk_file

This issue is already known (but not solved): https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=186258#c2

I've now set up identical webserver configs on both sides with the result that *after* relabeling both systems, on one side the following additional message occurs:

May 2 17:49:07 pib audit(1146584947.305:313): avc: denied { create } for pid=5979 comm="suexec" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_suexec_t tclass=netlink_route_socket

This does not happen on the old system which causes all the other messages. How can I trace/compare this?

BTW: have you ever heard about problems with hanging HTTP sessions and SELinux in enforcing mode?
This has happened here since I started testing enforcing SELinux on our 2 productive web servers. After some time, suddenly, Apache no longer serves contents. If a request was triggered using telnet, I got a connect, but if I specify to get some contents, nothing happens. Restarting Apache helps for a moment (around 1/2 day). Afterwards, the same issue occurs. After setting SELinux back to permissive and restarting httpd, everything works fine over weeks. The only message about SELinux in the kernel log is the grant of the SELinux change, nothing else. That's very strange. Do you have any hints how I can debug such a strange case, if it happens again?

This could be SELinux dontaudit causing the problem. You can turn off the dontaudits by installing policy sources and running

cd /etc/selinux/targeted/src/policy
make enableaudit
make load

Now you should get additional AVC messages in the logs. You can turn on enforcing mode and see if anything pops up.

"""
Note that if I enable SSL in /etc/ldap.conf I get one additional line per request:
May 2 13:48:46 host audit(1146570526.091:595): avc: denied { read } for pid=14643 comm="suexec" name="cert.pem" dev=md1 ino=224719 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:usr_t tclass=lnk_file
This issue is already known (but not solved):
"""

Did the policy update in BZ#186258 not solve that problem for you?

This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.

Running the following script through Apache, called teste.sh:

#!/bin/sh
cat << EOF
Content-type: text/html;

hello<br>
EOF

...
Results in the following errors:

avc: denied { create } for pid=11137 comm="suexec" context=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_suexec_t tclass=netlink_route_socket
avc: denied { read } for pid=11137 comm="suexec" name="cert.pem" dev=dm-0 ino=520401 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:usr_t tclass=lnk_file
avc: denied { execute_no_trans } for pid=11137 comm="suexec" name="teste.sh" dev=dm-5 ino=16763 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file

The first and second errors seem to have already been reported in this bug report and the second seems to be like BZ#186258.

My booleans:

httpd_builtin_scripting --> active
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> inactive
httpd_ssi_exec --> inactive
httpd_tty_comm --> inactive
httpd_unified --> active

kernel-2.6.9-42.0.2.EL
selinux-policy-targeted-1.17.30-2.140

audit2allow suggested these lines to me, and it worked:

allow httpd_suexec_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow httpd_suexec_t httpd_sys_content_t:file execute_no_trans;
allow httpd_suexec_t usr_t:lnk_file read;

Now I've got other errors, but this new file had no errors - teste2.cgi.c:

#include <stdio.h>

int main()
{
    printf("Content-type: text/html;\n\nhello<br>");
    return 0;
}

Which booleans do you have turned on?

getsebool httpd_unified

allow httpd_suexec_t httpd_sys_content_t:file execute_no_trans;

Should be allowed by this boolean.

Fixed in selinux-policy-targeted-1.17.30-2.141

Daniel, can you please provide a package for testing? I only found 135 in your people.redhat.com directory.

Updated

This policy looks better now.
Still I need 3 local rules, only one of them is suexec related:

1)
# avc: denied { execute } for pid=12345 comm="footer.cgi" name="ld.so.cache" dev=md1 ino=123456 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:ld_so_cache_t tclass=file

Results in:

allow httpd_sys_script_t ld_so_cache_t:file execute;

Hm, should this be fixed?

2)
# avc: denied { read write } for pid=26260 comm="suexec" name="[8071270]" dev=sockfs ino=8071270 scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_t tclass=tcp_socket

allow httpd_suexec_t httpd_t:tcp_socket { read write };

-> that's a CGI client program, which connects to a local server via TCP. Perhaps a toggle should exist to allow this.

3)
# avc: denied { read } for pid=27970 comm="ipv6calc-0.60.0" name="GeoLiteCity.dat" dev=md1 ino=275154 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:var_t tclass=file

allow httpd_sys_script_t var_t:file { getattr read };

-> that's more a local issue, ipv6calc accessed a file stored in /var/local

After rebooting the system I found that in enforcing mode, httpd no longer delivers any pages. It hangs after the GET request. I believe I've already seen this before. Unfortunately, no avc messages are logged to the kernel. Switching to permissive mode and restarting httpd solves this. Any hints how to debug this issue?

Peter Bieringer: Is the following package a solution for your problem?
http://people.redhat.com/dwalsh/SELinux/RHEL4/u5/noarch/selinux-policy-targeted-1.17.30-2.143.noarch.rpm

This new policy doesn't fix the issue from comment #32. Was comment #34 related to that issue? Here are some log lines shown afterwards using "make enableaudit". BTW here: please fix the Makefile to create a backup file of policy.conf for switching back to normal mode.
Apr 4 13:26:00 server audit(1175685960.397:446): avc: granted { load_policy } for pid=31685 comm="load_policy" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Apr 4 13:27:32 server audit(1175686052.870:447): avc: granted { load_policy } for pid=32127 comm="load_policy" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Apr 4 13:27:43 server audit(1175686063.004:448): avc: granted { setenforce } for pid=32132 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Apr 4 13:28:15 server audit(1175686095.010:449): avc: granted { setenforce } for pid=32280 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Apr 4 13:29:04 server audit(1175686144.845:450): avc: granted { load_policy } for pid=32486 comm="load_policy" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Apr 4 13:29:04 server audit(1175686144.934:451): avc: denied { siginh } for pid=32487 comm="suexec" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_suexec_t tclass=process
Apr 4 13:29:04 server audit(1175686144.934:452): avc: denied { rlimitinh } for pid=32487 comm="suexec" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_suexec_t tclass=process
Apr 4 13:29:04 server audit(1175686144.935:453): avc: denied { noatsecure } for pid=32487 comm="suexec" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_suexec_t tclass=process
Apr 4 13:29:04 server audit(1175686144.938:454): avc: denied { search } for pid=32487 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:04 server audit(1175686144.939:455): avc: denied { use } for pid=32487 comm="suexec" name="passwd" dev=md1 ino=161712 scontext=root:system_r:httpd_suexec_t tcontext=user_u:system_r:nscd_t tclass=fd
Apr 4 13:29:04 server audit(1175686144.939:456): avc: denied { read } for pid=32487 comm="suexec" name="passwd" dev=md1 ino=161712 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=file
Apr 4 13:29:04 server audit(1175686144.940:457): avc: denied { getattr } for pid=32487 comm="suexec" name="passwd" dev=md1 ino=161712 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=file
Apr 4 13:29:04 server audit(1175686144.942:458): avc: denied { siginh } for pid=32487 comm="messages.cgi" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr 4 13:29:04 server audit(1175686144.942:459): avc: denied { rlimitinh } for pid=32487 comm="messages.cgi" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr 4 13:29:04 server audit(1175686144.943:460): avc: denied { noatsecure } for pid=32487 comm="messages.cgi" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr 4 13:29:16 server audit(1175686156.806:461): avc: granted { setenforce } for pid=32491 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Apr 4 13:29:19 server audit(1175686159.753:462): avc: denied { search } for pid=32504 comm="httpd" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:19 server audit(1175686159.754:463): avc: denied { search } for pid=32504 comm="httpd" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:19 server audit(1175686159.756:464): avc: denied { search } for pid=32504 comm="httpd" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:19 server audit(1175686159.756:465): avc: denied { search } for pid=32504 comm="httpd" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:19 server audit(1175686159.780:466): avc: denied { search } for pid=32504 comm="httpd" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:19 server audit(1175686159.781:467): avc: denied { search } for pid=32504 comm="httpd" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:25 server audit(1175686165.861:468): avc: denied { siginh } for pid=32629 comm="suexec" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_suexec_t tclass=process
Apr 4 13:29:25 server audit(1175686165.861:469): avc: denied { rlimitinh } for pid=32629 comm="suexec" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_suexec_t tclass=process
Apr 4 13:29:25 server audit(1175686165.861:470): avc: denied { noatsecure } for pid=32629 comm="suexec" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_suexec_t tclass=process
Apr 4 13:29:25 server audit(1175686165.866:471): avc: denied { search } for pid=32629 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:25 server audit(1175686165.866:472): avc: denied { search } for pid=32629 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:25 server audit(1175686165.872:473): avc: denied { search } for pid=32629 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:25 server audit(1175686165.873:474): avc: denied { search } for pid=32629 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:25 server audit(1175686165.878:475): avc: denied { search } for pid=32629 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:25 server audit(1175686165.879:476): avc: denied { search } for pid=32629 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:25 server audit(1175686165.884:477): avc: denied { siginh } for pid=32629 comm="messages.cgi" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr 4 13:29:25 server audit(1175686165.884:478): avc: denied { rlimitinh } for pid=32629 comm="messages.cgi" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr 4 13:29:25 server audit(1175686165.885:479): avc: denied { noatsecure } for pid=32629 comm="messages.cgi" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr 4 13:29:34 server audit(1175686174.721:480): avc: denied { siginh } for pid=32632 comm="suexec" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_suexec_t tclass=process
Apr 4 13:29:34 server audit(1175686174.721:481): avc: denied { rlimitinh } for pid=32632 comm="suexec" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_suexec_t tclass=process
Apr 4 13:29:34 server audit(1175686174.721:482): avc: denied { noatsecure } for pid=32632 comm="suexec" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_suexec_t tclass=process
Apr 4 13:29:34 server audit(1175686174.723:483): avc: denied { search } for pid=32632 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:34 server audit(1175686174.723:484): avc: denied { search } for pid=32632 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:34 server audit(1175686174.730:485): avc: denied { search } for pid=32632 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:34 server audit(1175686174.731:486): avc: denied { search } for pid=32632 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:34 server audit(1175686174.736:487): avc: denied { search } for pid=32632 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:34 server audit(1175686174.737:488): avc: denied { search } for pid=32632 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:34 server audit(1175686174.742:489): avc: denied { siginh } for pid=32632 comm="footer.cgi" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr 4 13:29:34 server audit(1175686174.742:490): avc: denied { rlimitinh } for pid=32632 comm="footer.cgi" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr 4 13:29:34 server audit(1175686174.742:491): avc: denied { noatsecure } for pid=32632 comm="footer.cgi" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr 4 13:29:52 server audit(1175686192.289:492): avc: denied { siginh } for pid=32639 comm="suexec" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_suexec_t tclass=process
Apr 4 13:29:52 server audit(1175686192.289:493): avc: denied { rlimitinh } for pid=32639 comm="suexec" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_suexec_t tclass=process
Apr 4 13:29:52 server audit(1175686192.289:494): avc: denied { noatsecure } for pid=32639 comm="suexec" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_suexec_t tclass=process
Apr 4 13:29:52 server audit(1175686192.292:495): avc: denied { search } for pid=32639 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:52 server audit(1175686192.292:496): avc: denied { search } for pid=32639 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:52 server audit(1175686192.301:497): avc: denied { search } for pid=32639 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:52 server audit(1175686192.302:498): avc: denied { search } for pid=32639 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:52 server audit(1175686192.307:499): avc: denied { search } for pid=32639 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:52 server audit(1175686192.308:500): avc: denied { search } for pid=32639 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr 4 13:29:52 server audit(1175686192.313:501): avc: denied { siginh } for pid=32639 comm="footer.cgi" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr 4 13:29:52 server audit(1175686192.313:502): avc: denied { rlimitinh } for pid=32639 comm="footer.cgi" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr 4 13:29:52 server audit(1175686192.313:503): avc: denied { noatsecure } for pid=32639 comm="footer.cgi" scontext=root:system_r:httpd_suexec_t
tcontext=root:system_r:httpd_sys_script_t tclass=process Apr 4 13:29:57 server audit(1175686197.122:504): avc: granted { setenforce } for pid=32641 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security Apr 4 13:29:59 server audit(1175686199.449:505): avc: denied { search } for pid=32654 comm="httpd" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir Apr 4 13:29:59 server audit(1175686199.452:506): avc: denied { use } for pid=32654 comm="httpd" name="passwd" dev=md1 ino=161712 scontext=root:system_r:httpd_t tcontext=user_u:system_r:nscd_t tclass=fd Apr 4 13:29:59 server audit(1175686199.452:507): avc: denied { read } for pid=32654 comm="httpd" name="passwd" dev=md1 ino=161712 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=file Apr 4 13:29:59 server audit(1175686199.452:508): avc: denied { getattr } for pid=32654 comm="httpd" name="passwd" dev=md1 ino=161712 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=file Apr 4 13:30:07 server audit(1175686207.171:509): avc: denied { siginh } for pid=402 comm="suexec" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_suexec_t tclass=process Apr 4 13:30:07 server audit(1175686207.171:510): avc: denied { rlimitinh } for pid=402 comm="suexec" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_suexec_t tclass=process Apr 4 13:30:07 server audit(1175686207.171:511): avc: denied { noatsecure } for pid=402 comm="suexec" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_suexec_t tclass=process Apr 4 13:30:07 server audit(1175686207.175:512): avc: denied { search } for pid=402 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir Apr 4 13:30:07 server audit(1175686207.177:513): avc: denied { use } for pid=402 comm="suexec" name="passwd" dev=md1 
ino=161712 scontext=root:system_r:httpd_suexec_t tcontext=user_u:system_r:nscd_t tclass=fd Apr 4 13:30:07 server audit(1175686207.177:514): avc: denied { read } for pid=402 comm="suexec" name="passwd" dev=md1 ino=161712 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=file Apr 4 13:30:07 server audit(1175686207.177:515): avc: denied { getattr } for pid=402 comm="suexec" name="passwd" dev=md1 ino=161712 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=file Apr 4 13:30:07 server audit(1175686207.181:516): avc: denied { siginh } for pid=402 comm="messages.cgi" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_sys_script_t tclass=process Apr 4 13:30:07 server audit(1175686207.181:517): avc: denied { rlimitinh } for pid=402 comm="messages.cgi" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_sys_script_t tclass=process Apr 4 13:30:07 server audit(1175686207.181:518): avc: denied { noatsecure } for pid=402 comm="messages.cgi" scontext=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_sys_script_t tclass=process Looks like it needs to talk to nscd. Fixed in selinux-policy-targeted-1_17_30-2_145 Created attachment 151819 [details]
output from audit.log
Can you please push the 2.145 release to http://people.redhat.com/dwalsh/SELinux/RHEL4/u5/noarch/ for testing? Thank you.

2.145 pushed to http://people.redhat.com/dwalsh/SELinux/RHEL4/u5/noarch/

Josef, cgi scripts are not allowed to read kerberos or snmp information by default. You would have to write your own policy in order to allow this. This is true in RHEL4 and RHEL5.

Are you sure that 145 reflects the mentioned changes from #36? My cgi scripts are still hanging in enforcing mode, but playing around I found that all works fine if I add the following rules to local.te, taught by audit2allow:

allow httpd_suexec_t nscd_t:fd use;
allow httpd_suexec_t nscd_var_run_t:dir search;
allow httpd_suexec_t nscd_var_run_t:file { getattr read };
allow httpd_t nscd_t:fd use;
allow httpd_t nscd_var_run_t:dir search;
allow httpd_t nscd_var_run_t:file { getattr read };

BTW: digging through my local.te I found this one is still required:

allow httpd_sys_script_t ld_so_cache_t:file execute;

Log:

Apr 10 16:48:20 server audit(1176216500.570:2997): avc: denied { execute } for pid=14493 comm="footer.cgi" name="ld.so.cache" dev=md1 ino=241238 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:ld_so_cache_t tclass=file

"footer.cgi" is a small C program:

# ldd /path/to/foo/footer.cgi
libc.so.6 => /lib/tls/libc.so.6 (0x00230000)
/lib/ld-linux.so.2 (0x00967000)

Peter, what is the context of footer.cgi? ls -lZ footer.cgi? I also don't understand the above comment: does 145 work without your nscd rules?

# ls -lZ /path/to/footer.cgi
-r-xr-x--- user group user_u:object_r:httpd_sys_script_exec_t /path/to/footer/footer.cgi

145 without my additional nscd rules didn't work (page wouldn't be delivered); with my additional rules, all works fine.

BTW: during heavy testing I found that my formail script also triggers denied messages during injection of the e-mail (sendmail is from postfix):

allow system_mail_t self:netlink_route_socket { create bind getattr write nlmsg_read read };

But regardless of the denied messages, the e-mail is delivered in enforcing mode.

I would only note that since the last comment the system is running fine now in enforcing mode. My current local.te contains, just for cross-checking:

## Apache
## footer.cgi
allow httpd_sys_script_t ld_so_cache_t:file execute;
# CGI which uses a data file stored in /var/local (more local issue)
allow httpd_sys_script_t var_t:file { getattr read };
# Sqwebmail (more local issue)
allow httpd_sys_script_t var_t:sock_file write;
allow httpd_sys_script_t initrc_t:unix_stream_socket connectto;
## suexec'ed cgi requires nscd (already discussed)
allow httpd_suexec_t nscd_t:fd use;
allow httpd_suexec_t nscd_var_run_t:dir search;
allow httpd_suexec_t nscd_var_run_t:file { getattr read };
allow httpd_t nscd_t:fd use;
allow httpd_t nscd_var_run_t:dir search;
allow httpd_t nscd_var_run_t:file { getattr read };
# formail
allow system_mail_t self:netlink_route_socket { create bind getattr write nlmsg_read read };
# syslog-ng >= 2.0
allow syslogd_t var_t:dir { write add_name read };
allow syslogd_t var_t:file { create read write getattr };

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0171.html

After rebooting I still ran into trouble. Digging deeper (using make enableaudit), I found that 2 rules are still necessary for selinux-policy-targeted-1.17.30-2.145 for proper running of httpd:

allow httpd_suexec_t nscd_var_run_t:dir search;
allow httpd_t nscd_var_run_t:dir search;

Restart of httpd after the change is required, too. Related log lines:

Jun 27 11:22:11 host audit(1182936131.392:20): avc: denied { search } for pid=6719 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Jun 27 11:29:32 host audit(1182936572.209:170): avc: denied { search } for pid=8237 comm="httpd" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir

That is strange, you should not need that priv to be able to communicate with the nscd socket?

Hmm, I don't know what causes this, but if I remove this priv, httpd has major problems serving the pages; contents were delivered with timeouts. Note that since using selinux-policy-targeted-1.17.30-2.145, the following local.te extensions were no longer required:

allow httpd_suexec_t nscd_t:fd use;
allow httpd_suexec_t nscd_var_run_t:file { getattr read };
allow httpd_t nscd_t:fd use;
allow httpd_t nscd_var_run_t:file { getattr read };

Perhaps "nscd_var_run_t:file { getattr read };" requires "nscd_var_run_t:dir search;" before.

We are not planning on updating RHEL4 policy, so since this works well in RHEL5 I am closing this next release.
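The six nscd rules quoted in this thread are what audit2allow derives from the AVC lines in the attached log. As an added example (not from the bug, from Peter's local.te, or from the selinux-policy package), the following Python reproduces that derivation on ten lines copied from the log above: it merges permissions per (source type, target type, object class) and sets aside the siginh/rlimitinh/noatsecure denials raised at every httpd_t -> httpd_suexec_t -> httpd_sys_script_t transition, which reference policies dontaudit rather than allow. The regexes and the TRANSITION_NOISE handling are my own assumptions, not audit2allow's code.

```python
import re
from collections import defaultdict

# Shape of the RHEL4 audit lines quoted above: "... avc: denied { perms } for pid=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Checks raised at every domain transition (httpd_t -> httpd_suexec_t -> httpd_sys_script_t); policies dontaudit these.
TRANSITION_NOISE = {"siginh", "rlimitinh", "noatsecure"}

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m or m.group("verdict") != "denied":
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= set(f):
        return None
    src, tgt = (f[k].split(":")[2] for k in ("scontext", "tcontext"))  # user:role:type[:mls] -> type
    return src, tgt, f["tclass"], set(m.group("perms").split())

def rules_from_avc(lines):
    """Merge denials into allow rules, one per (source, target, class), as audit2allow does."""
    merged, noisy = defaultdict(set), set()
    for src, tgt, cls, perms in filter(None, map(parse_avc, lines)):
        if cls == "process" and perms & TRANSITION_NOISE:
            noisy.add((src, tgt))  # reported separately, not turned into an allow rule
        if perms - TRANSITION_NOISE:
            merged[(src, tgt, cls)] |= perms - TRANSITION_NOISE
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules, sorted(noisy)

# Sample input: ten lines copied from the audit excerpt in this bug (serials 466, 468, 471, 504, 506-508, 513-515).
SAMPLE = [
    'Apr 4 13:29:19 server audit(1175686159.780:466): avc: denied { search } for pid=32504 comm="httpd" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir',
    'Apr 4 13:29:25 server audit(1175686165.861:468): avc: denied { siginh } for pid=32629 comm="suexec" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_suexec_t tclass=process',
    'Apr 4 13:29:25 server audit(1175686165.866:471): avc: denied { search } for pid=32629 comm="suexec" name="nscd" dev=md1 ino=400898 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir',
    'Apr 4 13:29:57 server audit(1175686197.122:504): avc: granted { setenforce } for pid=32641 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security',
    'Apr 4 13:29:59 server audit(1175686199.452:506): avc: denied { use } for pid=32654 comm="httpd" name="passwd" dev=md1 ino=161712 scontext=root:system_r:httpd_t tcontext=user_u:system_r:nscd_t tclass=fd',
    'Apr 4 13:29:59 server audit(1175686199.452:507): avc: denied { read } for pid=32654 comm="httpd" name="passwd" dev=md1 ino=161712 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=file',
    'Apr 4 13:29:59 server audit(1175686199.452:508): avc: denied { getattr } for pid=32654 comm="httpd" name="passwd" dev=md1 ino=161712 scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=file',
    'Apr 4 13:30:07 server audit(1175686207.177:513): avc: denied { use } for pid=402 comm="suexec" name="passwd" dev=md1 ino=161712 scontext=root:system_r:httpd_suexec_t tcontext=user_u:system_r:nscd_t tclass=fd',
    'Apr 4 13:30:07 server audit(1175686207.177:514): avc: denied { read } for pid=402 comm="suexec" name="passwd" dev=md1 ino=161712 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=file',
    'Apr 4 13:30:07 server audit(1175686207.177:515): avc: denied { getattr } for pid=402 comm="suexec" name="passwd" dev=md1 ino=161712 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=file',
]
if __name__ == "__main__":
    print("\n".join(rules_from_avc(SAMPLE)[0]))
```

Run against the full audit.log attachment, the same routine yields the two `nscd_var_run_t:dir search` rules that survived into 2.145 as well as the fd/file rules it made redundant.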