Bug 193201

Summary: SELinux strict policy blocks CGI execution
Product: Fedora
Reporter: M. Kristall <mkpdev>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 5
Hardware: All
OS: Linux
Fixed In Version: 43.fc5
Doc Type: Bug Fix
Last Closed: 2006-06-08 15:58:37 UTC

Description M. Kristall 2006-05-26 00:29:15 UTC
I searched for httpd and apache under the selinux components and couldn't find
any results. So I guess this is new.


Description of problem:
With strict policy selected, httpd cannot run CGIs.

Version-Release number of selected component (if applicable):
selinux-policy 2.2.40-1.fc5
httpd 2.2.0-5.1.2

How reproducible:
Always

Steps to Reproduce:
1. In gnome, System > Administration > Security Level and Firewall
2. In the SELinux tab, set SELinux Setting to "Enforcing", click OK
3. Request something like http://localhost/path/to/some/file.cgi
4. tail -n2 /var/log/httpd/error_log
  
Actual results:
(13)Permission denied: exec of '/var/www/html/some/file.cgi' failed
Premature end of script headers: file.cgi

Expected results:
The CGI should run fine.


Additional info:
I did not manually edit the selinux policy. I always have the "SELinux Setting"
on Enforcing, and (because I'm lazy and don't want to have to learn about how to
configure SELinux :-( ) I use the Security Level Configuration program for
tuning the SELinux policy.
I usually have the following checked under "HTTPD Service":
Allow HTTPD cgi support
Allow HTTPD scripts and modules to connect to the network.
Allow HTTPD to support built-in scripting
Unify HTTPD handling of all content files.
Unify HTTPD to communicate with the terminal.

According to my Apache logs, the last time I actually ran any CGIs with this
computer was on May 15 (really, it was that long?). It worked then. Since then I
have not adjusted the SELinux policy or changed the Apache configuration, or the
CGIs' permissions. Neither of the last two is the problem: switching the policy
to Permissive, or disabling SELinux, makes things work as expected.

Enabling "Disable SELinux protection for HTTPD" does not seem to do anything.

I'd assume that I did something wrong, but I haven't made any changes in a while
and it was working but now it is not.


(I can't confirm this on any other systems, but I assume this affects all
architectures since selinux-policy is platform independent... right?)

Comment 1 Daniel Walsh 2006-05-26 09:52:55 UTC
Are you seeing AVC messages in your /var/log/messages or
/var/log/audit/audit.log file?

Comment 2 M. Kristall 2006-05-26 17:32:02 UTC
In /var/log/messages I see repeated (obviously with different times):

May 26 13:33:04 localhost kernel: audit(1148664784.449:11): avc:  denied  {
entrypoint } for  pid=2683 comm="httpd" name="gbook.cgi" dev=dm-0 ino=11930847
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file

I don't have /var/log/audit

Comment 3 M. Kristall 2006-05-28 15:33:57 UTC
Okay, I was able to test this on a different FC5 system to make sure I didn't
screw something up and I got basically the same thing (though this one has
/var/log/audit and the avc message was in /var/log/audit/audit.log instead).

I get this even with the scripts in cgi-bin.

Comment 4 Daniel Walsh 2006-06-06 16:38:35 UTC
Fixed in 2.2.43-3.fc5


Comment 5 M. Kristall 2006-06-08 00:31:30 UTC
Thanks :-)