Bug 974313

Summary: nodejs segfaults when used with SELinux enforcing and setsebool httpd_execmem off
Product: [Fedora] Fedora Reporter: Joe Honton <joe>
Component: nodejsAssignee: T.C. Hollingsworth <tchollingsworth>
Status: CLOSED WORKSFORME QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: jamielinux, mrunge, sgallagh, tchollingsworth, thrcka
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-06-14 01:24:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joe Honton 2013-06-13 23:24:41 UTC
Description of problem:
nodejs segfaults when used with SELinux enforcing and setsebool httpd_execmem off. Instead of segfaulting, it should issue an AVC denial.

Version-Release number of selected component (if applicable):
0.10.6-1.fc20

How reproducible:
Run a PHP script using Apache such as:
<?php shell_exec( "/usr/bin/node /var/www/virtual-hosts/example.com/bin/topojson -p -o /tmp/outfile /tmp/infile" ); ?>

Steps to Reproduce:
1. # setenforce 1
2. # setsebool httpd_execmem off
3. Run a PHP script using Apache: <?php shell_exec( "/usr/bin/node /var/www/virtual-hosts/example.com/bin/topojson -p -o /tmp/outfile /tmp/infile" ); ?>

Actual results:
/var/log/messages contains this message:
Jun 13 14:30:32 ce008 kernel: [4067406.839668] node[27735]: segfault at 20 ip 00007f14cf27905f sp 00007fffb431eda0 error 4 in libv8.so.3.14.5[7f14cef2c000+54f000]


Expected results:
/var/log/messages should contain a SELinux AVC denial message referencing "execmem" to give us a clue to enable httpd_execmem.


Additional info:
Apache 2.2.23-1.fc17
PHP 5.4.14-1.fc17 
selinux-policy.noarch 3.10.0-167.fc17
topojson github commit 7d07ec67a62ca57dbfd4472cb2a8bbc6fe8bd2f5

Comment 1 T.C. Hollingsworth 2013-06-14 01:24:58 UTC
This works for me:

% cat /var/www/html/nodetest.php 
<?php 
header("Content-Type: text/plain");
system("/usr/bin/node -pe process.version");

% sudo getsebool httpd_execmem
httpd_execmem --> off

% curl http://localhost/nodetest.php               

% sudo ausearch -m avc -ts recent
----
time->Thu Jun 13 18:20:27 2013
type=SYSCALL msg=audit(1371172827.650:870): arch=c000003e syscall=9 success=no exit=-13 a0=3d57a8f77000 a1=1000 a2=7 a3=22 items=0 ppid=6700 pid=6886 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="node" exe="/usr/bin/node" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1371172827.650:870): avc:  denied  { execmem } for  pid=6886 comm="node" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
----
time->Thu Jun 13 18:20:27 2013
type=SYSCALL msg=audit(1371172827.650:869): arch=c000003e syscall=9 success=no exit=-13 a0=3dd9286f000 a1=1000 a2=7 a3=32 items=0 ppid=6700 pid=6886 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="node" exe="/usr/bin/node" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1371172827.650:869): avc:  denied  { execmem } for  pid=6886 comm="node" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process

% sudo setsebool httpd_execmem on

% curl http://localhost/nodetest.php               
v0.10.10

I'm not sure why you're not getting an AVC.  You appear to be using a Rawhide nodejs on F17??  That is...unsupported...to say the least.  We don't support nodejs on F17 at all due to its OpenSSL not being compatible.

Please let us know if you can reproduce on F18 or later.