Bug 1017588 - AVC denial httpd_suexec_t cannot read write httpd_tmp_t
Summary: AVC denial httpd_suexec_t cannot read write httpd_tmp_t
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.9
Hardware: All
OS: Linux
medium
low
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-10-10 08:27 UTC by Karel Srot
Modified: 2014-03-24 13:45 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-24 13:45:08 UTC
Target Upstream Version:


Description Karel Srot 2013-10-10 08:27:26 UTC
Description of problem:

httpd is configured to execute a CGI script for 404 errors (accessing a page that does not exist).

It works, but the following AVC appears:

type=AVC msg=audit(1381407420.316:209): avc:  denied  { read write } for  pid=3842 comm="suexec" path=2F746D702F2E4E5350522D41464D2D333739392D3262303233383662613437302E30202864656C6574656429 dev=dm-0 ino=4952181 scontext=root:system_r:httpd_suexec_t:s0 tcontext=root:object_r:httpd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1381407420.316:209): arch=c000003e syscall=59 success=yes exit=0 a0=2b02273371a9 a1=2b02382e8818 a2=2b02382e7f68 a3=0 items=2 ppid=3802 pid=3842 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=2 comm="suexec" exe="/usr/sbin/suexec" subj=root:system_r:httpd_suexec_t:s0 key=(null)
type=EXECVE msg=audit(1381407420.316:209): argc=4 a0="/usr/sbin/suexec" a1="~501" a2="501" a3="printenv.cgi"
type=CWD msg=audit(1381407420.316:209):  cwd="/home/httpd001/public_html"
type=PATH msg=audit(1381407420.316:209): item=0 name="/usr/sbin/suexec" inode=4079386 dev=fc:00 mode=0104510 ouid=0 ogid=48 rdev=00:00 obj=system_u:object_r:httpd_suexec_exec_t:s0
type=PATH msg=audit(1381407420.316:209): item=1 name=(null) inode=16286015 dev=fc:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0


# sesearch -A -C -c httpd_suexec_t -t httpd_tmp_t -c file -p write
Found 10 av rules:
   allow httpd_sys_script_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; 
   allow rpm_t httpd_tmp_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename }; 
   allow rpm_script_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; 
   allow httpd_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; 
DT allow smbd_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; [ samba_export_all_rw ]
DT allow ftpd_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; [ allow_ftpd_full_access ]
DT allow mount_t httpd_tmp_t : file { ioctl read write getattr lock append mounton }; [ allow_mount_anyfile ]
ET allow nfsd_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; [ nfs_export_all_rw ]
DT allow nmbd_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; [ samba_export_all_rw ]
ET allow kernel_t httpd_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename }; [ nfs_export_all_rw ]


Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-338.el5
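
The `path=` value in the raw AVC record above is hex-encoded because the kernel encodes any audit field that contains a space, quote or control character; here the space comes from the " (deleted)" suffix the kernel appends when the open inode has already been unlinked. The following C program is an added example (not code from this bug, from audit or from SELinux) that decodes such a field and pulls the security-relevant parts out of a raw `type=AVC` record: the denied permissions, the object path and whether it was deleted, and the source/target contexts and class. `SAMPLE_AVC` is a copy of the record from the description, embedded so the program runs offline; the struct and function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* One parsed type=AVC record from the raw audit log (the form in the
 * description, not the `ausearch -i` form, which already decodes paths). */
struct avc_record {
    char perms[64];      /* contents of "{ ... }", e.g. "read write" */
    char path[256];      /* object path, with any " (deleted)" suffix stripped */
    int  deleted;        /* 1 if the inode was unlinked while still open */
    char scontext[96];
    char tcontext[96];
    char tclass[32];
};

/* Constructed copy of the AVC record from the bug description. */
static const char SAMPLE_AVC[] =
    "type=AVC msg=audit(1381407420.316:209): avc:  denied  { read write } for  "
    "pid=3842 comm=\"suexec\" "
    "path=2F746D702F2E4E5350522D41464D2D333739392D3262303233383662613437302E30202864656C6574656429 "
    "dev=dm-0 ino=4952181 scontext=root:system_r:httpd_suexec_t:s0 "
    "tcontext=root:object_r:httpd_tmp_t:s0 tclass=file";

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode an audit hex field into out; returns the decoded length or -1. */
int audit_hex_decode(const char *hex, char *out, size_t outlen)
{
    size_t n = strlen(hex);
    if (n % 2 != 0 || n / 2 + 1 > outlen) return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval((unsigned char)hex[i]), lo = hexval((unsigned char)hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (char)((hi << 4) | lo);
    }
    out[n / 2] = '\0';
    return (int)(n / 2);
}

/* Copy the value following `key` (which includes the '=') into out.
 * Returns 1 for a "quoted" value, 0 for a bare one (bare path= values are
 * hex-encoded), -1 if the key is absent. */
static int field(const char *rec, const char *key, char *out, size_t outlen)
{
    const char *p = strstr(rec, key);
    if (!p) return -1;
    p += strlen(key);
    int quoted = (*p == '"');
    if (quoted) p++;
    size_t i = 0;
    while (*p && i + 1 < outlen && (quoted ? *p != '"' : *p != ' '))
        out[i++] = *p++;
    out[i] = '\0';
    return quoted;
}

/* Returns 0 on success, -1 if the line is not a denial AVC this parser understands. */
int parse_avc(const char *rec, struct avc_record *a)
{
    memset(a, 0, sizeof *a);
    if (!strstr(rec, "type=AVC") || !strstr(rec, "denied")) return -1;

    /* permissions sit between the first '{' and the following '}' */
    const char *lb = strchr(rec, '{');
    const char *rb = lb ? strchr(lb, '}') : NULL;
    if (!lb || !rb) return -1;
    lb++;
    while (*lb == ' ') lb++;
    size_t n = (size_t)(rb - lb);
    while (n > 0 && lb[n - 1] == ' ') n--;
    if (n >= sizeof a->perms) return -1;
    memcpy(a->perms, lb, n);
    a->perms[n] = '\0';

    char raw[512];
    int q = field(rec, " path=", raw, sizeof raw);
    if (q < 0) return -1;
    if (q == 0) {
        if (audit_hex_decode(raw, a->path, sizeof a->path) < 0) return -1;
    } else {
        strncpy(a->path, raw, sizeof a->path - 1);
    }
    const char *sfx = " (deleted)";
    size_t pl = strlen(a->path), sl = strlen(sfx);
    if (pl > sl && strcmp(a->path + pl - sl, sfx) == 0) {
        a->deleted = 1;
        a->path[pl - sl] = '\0';
    }
    if (field(rec, " scontext=", a->scontext, sizeof a->scontext) < 0) return -1;
    if (field(rec, " tcontext=", a->tcontext, sizeof a->tcontext) < 0) return -1;
    if (field(rec, " tclass=",   a->tclass,   sizeof a->tclass)   < 0) return -1;
    return 0;
}

int main(void)
{
    struct avc_record a;
    if (parse_avc(SAMPLE_AVC, &a) != 0) return 1;
    printf("%s -> %s : %s { %s } path=%s%s\n", a.scontext, a.tcontext, a.tclass,
           a.perms, a.path, a.deleted ? " (deleted)" : "");
    return 0;
}
```

Decoded, the object is `/tmp/.NSPR-AFM-3799-2b02386ba470.0`, an unlinked NSPR temp file, which matches the `ausearch -i` rendering in comment 2. One check worth making before reading the `sesearch` listing above: that invocation passes the source domain with `-c` (which sesearch treats as the object class, later overridden by `-c file`), so the output is not filtered by source at all; `sesearch -A -s httpd_suexec_t -t httpd_tmp_t -c file -p read,write` asks the intended question directly, and the absence of any `httpd_suexec_t` rule in the unfiltered list already shows the answer is "no rule".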

Comment 2 Milos Malik 2013-10-11 13:53:39 UTC
----
type=SYSCALL msg=audit(10/11/2013 15:51:59.330:362) : arch=x86_64 syscall=execve success=yes exit=0 a0=2b261a1a11a9 a1=2b2635ee3138 a2=2b2635ee28d8 a3=0 items=0 ppid=22493 pid=22525 auid=root uid=apache gid=apache euid=root suid=root fsuid=root egid=apache sgid=apache fsgid=apache tty=(none) ses=27 comm=suexec exe=/usr/sbin/suexec subj=root:system_r:httpd_suexec_t:s0 key=(null) 
type=AVC msg=audit(10/11/2013 15:51:59.330:362) : avc:  denied  { read write } for  pid=22525 comm=suexec path=/tmp/.NSPR-AFM-22486-2b262edcb930.0 (deleted) dev=vda3 ino=1412481 scontext=root:system_r:httpd_suexec_t:s0 tcontext=root:object_r:httpd_tmp_t:s0 tclass=file 
----

Comment 3 Miroslav Grepl 2013-10-14 12:49:06 UTC
So it works if you don't audit these AVC msg, right?

Comment 4 Karel Srot 2013-10-15 07:31:57 UTC
For some reason I cannot reproduce this bug anymore. Maybe it will appear in future runs.
Anyway, httpd seemed to be working properly, even though the AVC appeared.
Let's keep this BZ open, and if there is no update by 5.11 we will close it.

Comment 5 Miroslav Grepl 2013-12-09 14:27:00 UTC
(In reply to Karel Srot from comment #4)
> For some reason I cannot reproduce this bug anymore. Maybe it will appear
> in future runs.
> Anyway, httpd seemed to be working properly, even though the AVC
> appeared.
> Let's keep this BZ open, and if there is no update by 5.11 we will
> close it.

I agree.
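
Why httpd kept working despite the denial (comment 4): the SYSCALL record in the description shows `execve` of `/usr/sbin/suexec` with `success=yes`, the denied object is a deleted NSPR temp file that `httpd_t` may use but `httpd_suexec_t` may not, and the denial is logged against `suexec` before it has done anything itself. That is the signature of a descriptor leaked across exec: the parent left the file open without `FD_CLOEXEC`, the kernel kept it across `execve`, and SELinux revalidates inherited descriptors against the new domain at exec time, logging the denial and revoking the descriptor while the exec itself proceeds. The C program below is an added example (not code from this bug, httpd, suexec or NSPR) that reproduces the mechanism without SELinux: it opens and unlinks a temp file exactly as NSPR's "(deleted)" file was, places it on a fixed descriptor, and exec's `/bin/sh` to see whether the child can still read it, once with and once without close-on-exec. `LEAK_FD` and the temp-file name are this example's own choices.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Descriptor number the exec'd child will probe (arbitrary choice for the example). */
#define LEAK_FD 9

/* Open an unlinked temp file on LEAK_FD, then fork+exec /bin/sh and ask it to
 * read a line from that descriptor.
 * Returns 1 if the exec'd child inherited the file, 0 if it did not, -1 on error. */
int child_sees_fd(int set_cloexec)
{
    char tmpl[] = "/tmp/.leak-demo-XXXXXX";   /* constructed name, stands in for the NSPR temp file */
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    unlink(tmpl);   /* from here on /proc shows the file as "... (deleted)", as in the AVC */

    if (write(fd, "marker\n", 7) != 7 || lseek(fd, 0, SEEK_SET) != 0) {
        close(fd);
        return -1;
    }

    /* dup2() always clears FD_CLOEXEC on the target, so set the flag afterwards. */
    if (dup2(fd, LEAK_FD) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    if (fcntl(LEAK_FD, F_SETFD, set_cloexec ? FD_CLOEXEC : 0) < 0) {
        close(LEAK_FD);
        return -1;
    }

    pid_t pid = fork();
    if (pid < 0) {
        close(LEAK_FD);
        return -1;
    }
    if (pid == 0) {
        /* Exit 0 only if fd 9 survived exec and still yields our marker line;
         * a closed descriptor makes the "<&9" redirection fail. */
        execl("/bin/sh", "sh", "-c",
              "exec 2>/dev/null; read -r line <&9 && [ \"$line\" = marker ]",
              (char *)NULL);
        _exit(127);
    }
    close(LEAK_FD);

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 127) return -1;   /* /bin/sh itself could not be run */
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    printf("without FD_CLOEXEC: child sees the unlinked file = %d\n", child_sees_fd(0));
    printf("with    FD_CLOEXEC: child sees the unlinked file = %d\n", child_sees_fd(1));
    return 0;
}
```

On an SELinux host the first case is what produced the AVC here: the descriptor crosses the exec boundary and is then judged in the child's domain. The proper fixes follow from that. At source level the opener should use `O_CLOEXEC` (or `fcntl(F_SETFD, FD_CLOEXEC)`), since the child never needs the file. At policy level the matching treatment for a descriptor the new domain does not need is a `dontaudit` rule, which is what comment 3 is asking about; an `allow` rule would instead grant `httpd_suexec_t` read/write on every `httpd_tmp_t` file to silence a denial that costs nothing functionally.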

Comment 6 RHEL Program Management 2014-01-22 16:24:32 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

