Bug 446380

Summary: selinux policy prevents suexec cgi scripts
Product: [Fedora] Fedora Reporter: Bradley <bbaetz>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: high Docs Contact:
Priority: low    
Version: 10   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2009-11-18 13:04:16 UTC Type: ---
Attachments: audit.log

Description Bradley 2008-05-14 12:39:47 UTC
Description of problem:

Upgraded to F9 today. suexec'd cgi scripts no longer work.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.3.1-42.fc9

I also tried selinux-policy-targeted-3.3.1-51.fc9 from koji; no change.

How reproducible:

Always

Steps to Reproduce:
1. Create /home/user/public_html/foo.cgi:

#!/usr/bin/perl -w

print "Content-Type: text/plain\r\n";
print "\r\n";
print "TEST";

2. go to http://localhost/~user/foo.cgi
  
Actual results:

selinux denial (see below)

Expected results:

script works

Additional info:

setroubleshoot says:

Summary:

SELinux is preventing suexec (httpd_suexec_t) "getattr" to
/home/bbaetz/public_html/foo.cgi (httpd_user_content_t).

Detailed Description:

SELinux denied access requested by suexec. It is not expected that this access
is required by suexec and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /home/bbaetz/public_html/foo.cgi,

restorecon -v '/home/bbaetz/public_html/foo.cgi'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:httpd_suexec_t:s0
Target Context                unconfined_u:object_r:httpd_user_content_t:s0
Target Objects                /home/bbaetz/public_html/foo.cgi [ file ]
Source                        suexec
Source Path                   /usr/sbin/suexec
Port                          <Unknown>
Host                          plum.home
Source RPM Packages           httpd-2.2.8-3
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-51.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     plum.home
Platform                      Linux plum.home 2.6.25-14.bb.fc9.x86_64 #1 SMP Wed
                              May 14 13:18:19 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 14 May 2008 22:33:19 EST
Last Seen                     Wed 14 May 2008 22:33:19 EST
Local ID                      0c717ee3-5248-4ac0-9090-339a524b5731
Line Numbers                  

Raw Audit Messages            

host=plum.home type=AVC msg=audit(1210768399.417:111): avc:  denied  { getattr }
for  pid=12911 comm="suexec" path="/home/bbaetz/public_html/foo.cgi" dev=dm-0
ino=7990381 scontext=unconfined_u:system_r:httpd_suexec_t:s0
tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=file

host=plum.home type=SYSCALL msg=audit(1210768399.417:111): arch=c000003e
syscall=6 success=no exit=-13 a0=7fff0ee34c37 a1=7fff0ee313e0 a2=7fff0ee313e0
a3=7fff0ee31130 items=0 ppid=12676 pid=12911 auid=500 uid=500 gid=500 euid=500
suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4 comm="suexec"
exe="/usr/sbin/suexec" subj=unconfined_u:system_r:httpd_suexec_t:s0 key=(null)

# getsebool -a | grep httpd
allow_httpd_anon_write --> on
allow_httpd_dbus_avahi --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> on
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> on
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_ssi_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off

Comment 1 Daniel Walsh 2008-05-14 13:10:11 UTC
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-52.fc9

Comment 2 Bradley 2008-05-14 13:29:13 UTC
That worked, although I had to repeat it several times to allow execute, read,
execute_no_trans and ioctl.

That then works, but a slightly more complicated script fails to write to
mysql.sock. I suspect that you've done this more generically, but your change
hasn't hit cvsweb yet so I can't check. I'll pull the build off koji when it
appears.

Thanks for the quick response!

Comment 3 Daniel Walsh 2008-05-14 13:37:21 UTC
Hasn't even been built yet.  I will build it later today.

Please attach the entire audit.log so I am sure my fix would fix your problem.

Comment 4 Bradley 2008-05-14 14:09:28 UTC
Created attachment 305364 [details]
audit.log

Attached. This includes me using a local bugzilla instance too - needed
write/connect to the mysql socket and read from a few directories as well.

Comment 5 Bradley 2008-06-03 03:43:29 UTC
With selinux-policy-targeted-3.3.1-55.fc9.noarch this is still failing:

host=plum.home type=AVC msg=audit(1212464225.654:2382): avc: denied { getattr }
for pid=23170 comm="suexec" path="/home/bbaetz/public_html/bugzilla/index.cgi"
dev=dm-0 ino=15619979 scontext=unconfined_u:system_r:httpd_suexec_t:s0
tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file

host=plum.home type=SYSCALL msg=audit(1212464225.654:2382): arch=c000003e syscall=6
success=no exit=-13 a0=7fffeb2c9c3a a1=7fffeb2c6870 a2=7fffeb2c6870 a3=7fffeb2c65c0
items=0 ppid=23085 pid=23170 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="suexec"
exe="/usr/sbin/suexec" subj=unconfined_u:system_r:httpd_suexec_t:s0 key=(null)

and:

host=plum.home type=AVC msg=audit(1212464467.443:2431): avc: denied { search }
for pid=23458 comm="index.cgi" name="mysql" dev=dm-0 ino=1865954
scontext=unconfined_u:system_r:httpd_suexec_t:s0
tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir

host=plum.home type=SYSCALL msg=audit(1212464467.443:2431): arch=c000003e syscall=42
success=no exit=-13 a0=3 a1=7ffff9fa0ec0 a2=6e a3=7ffff9fa0290 items=0 ppid=23088
pid=23458 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 tty=(none) ses=1 comm="index.cgi" exe="/usr/bin/perl"
subj=unconfined_u:system_r:httpd_suexec_t:s0 key=(null)

Comment 6 Daniel Walsh 2008-06-05 18:27:32 UTC
Fixed in selinux-policy-3.3.1-66.fc9.noarch

Comment 7 Bradley 2008-06-18 02:34:33 UTC
Still broken in selinux-policy-3.3.1-67.fc9.noarch, and I don't see anything in
the changelog matching this bug - same set of errors as in comment 2.

Comment 8 Daniel Walsh 2008-06-22 11:03:29 UTC
Seems like I hit the first one but missed the mysql one.

You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-68.fc9.noarch

Comment 9 Bradley 2008-06-24 11:50:53 UTC
Nope. If I remove mypol again, I still get the original

host=plum.home type=AVC msg=audit(1214307838.97:149): avc: denied { getattr }
for pid=12588 comm="suexec" path="/home/bbaetz/public_html/bugzilla/index.cgi"
dev=dm-0 ino=15619979 scontext=unconfined_u:system_r:httpd_suexec_t:s0
tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file

host=plum.home type=SYSCALL msg=audit(1214307838.97:149): arch=c000003e syscall=6
success=no exit=-13 a0=7fff9aaf7c2a a1=7fff9aaf4090 a2=7fff9aaf4090 a3=7fff9aaf3de0
items=0 ppid=12564 pid=12588 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="suexec"
exe="/usr/sbin/suexec" subj=unconfined_u:system_r:httpd_suexec_t:s0 key=(null)

error, as well as the followup set in the attachment.

selinux-policy-3.3.1-70.fc9.noarch
selinux-policy-devel-3.3.1-70.fc9.noarch
selinux-policy-targeted-3.3.1-70.fc9.noarch

All downloaded from koji. The mypol.te file generated from audit2allow includes:

#============= httpd_suexec_t ==============
allow httpd_suexec_t httpd_user_content_t:dir { read write add_name remove_name };
allow httpd_suexec_t httpd_user_content_t:file { rename execute setattr read
create getattr execute_no_trans write ioctl unlink };
allow httpd_suexec_t mysqld_db_t:dir search;
allow httpd_suexec_t mysqld_t:unix_stream_socket connectto;
allow httpd_suexec_t mysqld_var_run_t:sock_file write;

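To make visible what audit2allow does with the denials in this thread, here is an added example (not part of the bug report and not audit2allow's own code) that parses AVC records of the form shown above, merges them into allow rules keyed by source type, target type and object class, and lists the rules that would grant a modifying permission so they get a human look before semodule loads them. The function names are my own, and the sample input reuses two of the reporter's AVC lines from comment 5 plus one constructed record that carries two permissions at once.

```python
import re
from collections import defaultdict

# Sample input: the two AVC records from comment 5 of this report, joined onto
# single lines, plus one CONSTRUCTED record carrying two permissions at once.
SAMPLE_AVC = """
host=plum.home type=AVC msg=audit(1212464225.654:2382): avc: denied { getattr } for pid=23170 comm="suexec" path="/home/bbaetz/public_html/bugzilla/index.cgi" dev=dm-0 ino=15619979 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file
host=plum.home type=AVC msg=audit(1212464467.443:2431): avc: denied { search } for pid=23458 comm="index.cgi" name="mysql" dev=dm-0 ino=1865954 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
host=plum.home type=AVC msg=audit(1212464467.500:2432): avc: denied { read write } for pid=23458 comm="index.cgi" path="/home/user/public_html/data" dev=dm-0 ino=1 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file
"""

# One AVC denial: the permission set in braces, then scontext/tcontext/tclass later on the line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions that let the source domain modify the target; audit2allow grants whatever
# was denied, so rules carrying these deserve review before the module is loaded.
REVIEW_PERMS = {"write", "create", "unlink", "rename", "setattr", "add_name",
                "remove_name", "connectto"}

def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (context_type(m["scontext"]), context_type(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))

def build_rules(text):
    """Merge denials into allow rules keyed by (source, target, class), as audit2allow does."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        rules[(src, tgt, cls)] |= perms
    return dict(rules)

def format_te(rules):
    """Render the rules in .te syntax, sorted so the output is stable."""
    return "\n".join(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(p))} }};"
                     for (src, tgt, cls), p in sorted(rules.items()))

def needs_review(rules):
    """Keys of the rules that would grant a modifying permission."""
    return sorted(k for k, p in rules.items() if p & REVIEW_PERMS)

if __name__ == "__main__":
    print(format_te(build_rules(SAMPLE_AVC)))
```

This only covers the allow-rule side of audit2allow (no dontaudit handling, boolean suggestions or the -l last-reload filter); its point is to show which denials produced each rule, so a rule like the file write/create/unlink set in comment 9 can be traced back to the requests that caused it before it is installed.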
Comment 10 Bradley 2008-10-13 00:01:14 UTC
This is still happening, selinux-policy-targeted-3.3.1-95.fc9.noarch.

Comment 11 Bradley 2008-11-16 05:13:01 UTC
Same errors in current rawhide.

Comment 12 Bug Zapper 2008-11-26 02:15:52 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 13 Bug Zapper 2009-11-18 09:34:22 UTC
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 14 Daniel Walsh 2009-11-18 13:04:16 UTC
Closing as closed in the current release.