Bug 197473

Summary: selinux policy for apache denies shell commands via PHP
Product: [Fedora] Fedora
Reporter: Carl Roth <roth>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 5
Hardware: All
OS: Linux
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-03-28 20:04:13 UTC

Description Carl Roth 2006-07-02 18:04:05 UTC
Description of problem:

The apache.te file in the selinux targeted policy for FC5 allows for Apache to
invoke commands in bin (corecmd_exec_bin) and sbin (corecmd_exec_sbin), but it
does not allow shell scripts (corecmd_exec_shell).

This means that the back-tick operator in PHP scripts does not work.  By
default, the back-tick expansion invokes /bin/sh on the script.

Version-Release number of selected component (if applicable):

This was found on selinux-policy-targeted-2.2.43-4.fc5 on a PPC.

Comment 1 Daniel Walsh 2006-07-11 18:38:57 UTC
If you set the httpd_ssi_exec boolean, does it fix your problem?

setsebool -P httpd_ssi_exec=1

Comment 2 Carl Roth 2006-07-29 16:07:44 UTC
Sorry for the delayed response.

No, that doesn't fix the problem.  That bool was enabled on my system in the
first place.


Comment 3 Daniel Walsh 2006-07-31 12:58:36 UTC
Could you attach the avc messages generated?

Comment 4 Carl Roth 2006-07-31 16:44:49 UTC
The latest system I tried this on is running selinux-policy-targeted 2.3.2, and
it no longer exhibits this problem.  The only issue I'm seeing now with PHP
scripts is the eventpollfs issue:

type=AVC msg=audit(1154363527.022:74215): avc:  denied  { read } for  pid=27588 comm="sh" name="[14015870]" dev=eventpollfs ino=14015870 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:eventpollfs_t:s0 tclass=file
type=SYSCALL msg=audit(1154363527.022:74215): arch=40000003 syscall=11 success=yes exit=0 a0=668f77 a1=bfac8c0c a2=bfacc91c a3=400 items=2 pid=27588 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="sh" exe="/bin/bash" subj=user_u:system_r:httpd_sys_script_t:s0
type=AVC_PATH msg=audit(1154363527.022:74215):  path="eventpoll:[14015870]"
type=CWD msg=audit(1154363527.022:74215):  cwd="/var/www/html/phpwims"
type=PATH msg=audit(1154363527.022:74215): item=0 name="/bin/sh" inode=2981976 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0

I fixed this by adding

  gen_require(`
    type httpd_sys_script_t;
  ')

  fs_read_eventpollfs(httpd_sys_script_t)


to my local configuration.
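As an added example (not part of the bug thread), a POSIX shell script that recognises the eventpollfs denial Carl pasted in comment 4 and packages his fs_read_eventpollfs rule as a loadable policy module rather than an edit to the base policy. The module name localhttpd and the use of the selinux-policy-devel Makefile are assumptions; the sample AVC line is the record from the comment, rejoined.

```shell
# Added example (not from the bug thread): detect the eventpollfs denial from
# comment 4 in an audit line and package the fix as a loadable policy module.
# Assumptions: the reference-policy interface fs_read_eventpollfs (named in the
# comment), the selinux-policy-devel Makefile, and the module name "localhttpd".

# Constructed sample: the AVC record from comment 4, rejoined on one line.
SAMPLE_AVC='type=AVC msg=audit(1154363527.022:74215): avc:  denied  { read } for  pid=27588 comm="sh" name="[14015870]" dev=eventpollfs ino=14015870 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:eventpollfs_t:s0 tclass=file'

# Type field of a context: user_u:system_r:httpd_sys_script_t:s0 -> httpd_sys_script_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeeds only for a read denial from httpd_sys_script_t on eventpollfs_t,
# i.e. the exact case comment 4 reports; any other record fails.
is_eventpoll_denial() {
    case $1 in
        *'avc:  denied  { read }'*) ;;
        *) return 1 ;;
    esac
    src=$(printf '%s\n' "$1" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tgt=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    [ "$(context_type "$src")" = httpd_sys_script_t ] &&
        [ "$(context_type "$tgt")" = eventpollfs_t ]
}

# Write the module source into directory $1 and print its path. The rule is the
# one from comment 4; the policy_module header makes it a loadable module.
write_te_module() {
    cat > "$1/localhttpd.te" <<'EOF'
policy_module(localhttpd, 1.0)

gen_require(`
    type httpd_sys_script_t;
')

# Let the shell that PHP spawns under httpd_sys_script_t read eventpollfs.
fs_read_eventpollfs(httpd_sys_script_t)
EOF
    printf '%s\n' "$1/localhttpd.te"
}

# Compile with the policy devel Makefile and load the module (needs root).
install_module() {
    [ -r /usr/share/selinux/devel/Makefile ] || return 1
    (cd "$1" && make -f /usr/share/selinux/devel/Makefile localhttpd.pp) &&
        semodule -i "$1/localhttpd.pp"
}
```

Run `write_te_module "$dir"` followed by `install_module "$dir"` on the affected host; `is_eventpoll_denial` is there to confirm the audit record really is this denial before loading anything.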


Comment 5 Daniel Walsh 2007-03-28 20:04:13 UTC
Closing bugs