Bug 446380

Summary: selinux policy prevents suexec cgi scripts

Field | Value
---|---
Product | [Fedora] Fedora
Component | selinux-policy-targeted
Status | CLOSED CURRENTRELEASE
Severity | high
Priority | low
Version | 10
Target Milestone | ---
Target Release | ---
Hardware | All
OS | Linux
Reporter | Bradley <bbaetz>
Assignee | Daniel Walsh <dwalsh>
QA Contact | Ben Levenson <benl>
Docs Contact | 
Whiteboard | 
Fixed In Version | 
Doc Type | Bug Fix
Doc Text | 
Story Points | ---
Clone Of | 
Environment | 
Last Closed | 2009-11-18 13:04:16 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
CRM | 
Verified Versions | 
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host | 
Cloudforms Team | ---
Target Upstream Version | 
Embargoed | 
Attachments | audit.log (attachment 305364)

Description
Bradley
2008-05-14 12:39:47 UTC
You can allow this for now by executing

```
# audit2allow -M mypol -i /var/log/audit/audit.log
# semodule -i mypol.pp
```

Fixed in selinux-policy-3.3.1-52.fc9

That worked, although I had to repeat it several times to allow execute, read, execute_no_trans and ioctl. That then works, but a slightly more complicated script fails to write to mysql.sock. I suspect that you've done this more generically, but your change hasn't hit cvsweb yet so I can't check. I'll pull the build off koji when it appears. Thanks for the quick response!

Hasn't even been built yet. I will build it later today. Please attach the entire audit.log so I am sure my fix would fix your problem.

Created attachment 305364 [details]
audit.log

Attached. This includes me using a local bugzilla instance too - needed write/connect to the mysql socket and read from a few directories as well.

With selinux-policy-targeted-3.3.1-55.fc9.noarch this is still failing:

```
host=plum.home type=AVC msg=audit(1212464225.654:2382): avc: denied { getattr } for pid=23170 comm="suexec" path="/home/bbaetz/public_html/bugzilla/index.cgi" dev=dm-0 ino=15619979 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file
host=plum.home type=SYSCALL msg=audit(1212464225.654:2382): arch=c000003e syscall=6 success=no exit=-13 a0=7fffeb2c9c3a a1=7fffeb2c6870 a2=7fffeb2c6870 a3=7fffeb2c65c0 items=0 ppid=23085 pid=23170 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="suexec" exe="/usr/sbin/suexec" subj=unconfined_u:system_r:httpd_suexec_t:s0 key=(null)
```

and:

```
host=plum.home type=AVC msg=audit(1212464467.443:2431): avc: denied { search } for pid=23458 comm="index.cgi" name="mysql" dev=dm-0 ino=1865954 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
host=plum.home type=SYSCALL msg=audit(1212464467.443:2431): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffff9fa0ec0 a2=6e a3=7ffff9fa0290 items=0 ppid=23088 pid=23458 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="index.cgi" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_suexec_t:s0 key=(null)
```

Fixed in selinux-policy-3.3.1-66.fc9.noarch

Still broken in selinux-policy-3.3.1-67.fc9.noarch, and I don't see anything in the changelog matching this bug - same set of errors as in comment 2.

Seems like I hit the first one but missed the mysql one. You can allow this for now.

```
# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp
```

Fixed in selinux-policy-3.3.1-68.fc9.noarch

Nope. If I remove mypol again, I still get the original

```
host=plum.home type=AVC msg=audit(1214307838.97:149): avc: denied { getattr } for pid=12588 comm="suexec" path="/home/bbaetz/public_html/bugzilla/index.cgi" dev=dm-0 ino=15619979 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file
host=plum.home type=SYSCALL msg=audit(1214307838.97:149): arch=c000003e syscall=6 success=no exit=-13 a0=7fff9aaf7c2a a1=7fff9aaf4090 a2=7fff9aaf4090 a3=7fff9aaf3de0 items=0 ppid=12564 pid=12588 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="suexec" exe="/usr/sbin/suexec" subj=unconfined_u:system_r:httpd_suexec_t:s0 key=(null)
```

error, as well as the follow-up set in the attachment.

```
selinux-policy-3.3.1-70.fc9.noarch
selinux-policy-devel-3.3.1-70.fc9.noarch
selinux-policy-targeted-3.3.1-70.fc9.noarch
```

All downloaded from koji. The mypol.te file generated from audit2allow includes:

```
#============= httpd_suexec_t ==============
allow httpd_suexec_t httpd_user_content_t:dir { read write add_name remove_name };
allow httpd_suexec_t httpd_user_content_t:file { rename execute setattr read create getattr execute_no_trans write ioctl unlink };
allow httpd_suexec_t mysqld_db_t:dir search;
allow httpd_suexec_t mysqld_t:unix_stream_socket connectto;
allow httpd_suexec_t mysqld_var_run_t:sock_file write;
```

This is still happening, selinux-policy-targeted-3.3.1-95.fc9.noarch

Same errors in current rawhide

This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle. Changing version to '10'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

This message is a reminder that Fedora 10 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 10. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 10 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Closing as closed in the current release.
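The thread shows why the reporter had to run audit2allow several times: it only emits rules for denials already present in the log, so each new denial surfaces after the previous one is allowed. The script below (an added example, not part of this bug report or of the Fedora policy tooling) parses AVC records and the generated mypol.te from the report, and lists which denied permissions the module still does not cover; the third AVC line and the `lnk_file` denial are constructed for the example.

```python
import re

# AVC records from this report, plus one constructed denial that mypol.te does not cover.
AUDIT_LOG = """\
host=plum.home type=AVC msg=audit(1212464225.654:2382): avc: denied { getattr } for pid=23170 comm="suexec" path="/home/bbaetz/public_html/bugzilla/index.cgi" dev=dm-0 ino=15619979 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file
host=plum.home type=AVC msg=audit(1212464467.443:2431): avc: denied { search } for pid=23458 comm="index.cgi" name="mysql" dev=dm-0 ino=1865954 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
host=plum.home type=AVC msg=audit(1212464470.001:2440): avc: denied { read } for pid=23458 comm="index.cgi" name="data" dev=dm-0 ino=1 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=lnk_file
"""

# The mypol.te rules quoted in the report.
MYPOL_TE = """\
allow httpd_suexec_t httpd_user_content_t:dir { read write add_name remove_name };
allow httpd_suexec_t httpd_user_content_t:file { rename execute setattr read create getattr execute_no_trans write ioctl unlink };
allow httpd_suexec_t mysqld_db_t:dir search;
allow httpd_suexec_t mysqld_t:unix_stream_socket connectto;
allow httpd_suexec_t mysqld_var_run_t:sock_file write;
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)')
RULE_RE = re.compile(
    r'^\s*allow\s+(?P<stype>\w+)\s+(?P<ttype>\w+):(?P<tclass>\w+)\s+'
    r'(?:\{\s*(?P<perms>[^}]+)\}|(?P<perm>\w+))\s*;', re.M)

def parse_denials(log):
    """Return (source type, target type, class, denied perms) per AVC line."""
    return [(m['stype'], m['ttype'], m['tclass'], frozenset(m['perms'].split()))
            for m in AVC_RE.finditer(log)]

def parse_rules(te):
    """Map (source type, target type, class) to the set of allowed permissions."""
    rules = {}
    for m in RULE_RE.finditer(te):
        perms = (m['perms'] or m['perm']).split()
        rules.setdefault((m['stype'], m['ttype'], m['tclass']), set()).update(perms)
    return rules

def uncovered(denials, rules):
    """Denials whose permissions are not all granted by the module."""
    gaps = []
    for stype, ttype, tclass, perms in denials:
        gap = perms - rules.get((stype, ttype, tclass), set())
        if gap:
            gaps.append((stype, ttype, tclass, sorted(gap)))
    return gaps

def suggest_rules(gaps):
    """Render the missing rules in the same allow-rule form audit2allow emits."""
    return ['allow %s %s:%s %s;' % (s, t, c, p[0] if len(p) == 1 else '{ %s }' % ' '.join(p))
            for s, t, c, p in gaps]

if __name__ == '__main__':
    for line in suggest_rules(uncovered(parse_denials(AUDIT_LOG), parse_rules(MYPOL_TE))):
        print(line)
```

Run against the real /var/log/audit/audit.log and mypol.te, an empty result means the module already covers every logged denial; a non-empty one is the set of rules a further audit2allow pass would add, which is worth reviewing before loading it rather than granting blindly.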