Red Hat Bugzilla – Bug 1255358
Selinux blocks user CGI scripts when httpd is configured to use worker or event MPM
Last modified: 2015-08-21 04:28:32 EDT
Description of problem: Selinux blocks user CGI scripts when httpd is configured to use worker or event MPM Version-Release number of selected component (if applicable): 3.13.1-23.el7_1.13 How reproducible: Always Steps to Reproduce: #1. Install httpd yum install httpd #2. Enable userdir and CGI in userdir # Uncomment CGI handler sed -i -r 's/#(AddHandler cgi-script)/\1/' /etc/httpd/conf/httpd.conf # Comment "UserDir disabled" sed -i 's/UserDir disabled/#\0/' /etc/httpd/conf.d/userdir.conf # Uncomment "UserDir public_html" sed -i -r 's/#(UserDir public_html)/\1/' /etc/httpd/conf.d/userdir.conf # Add "ExecCGI" to "Options" sed -i -r 's/Options/\0 ExecCGI/' /etc/httpd/conf.d/userdir.conf # Allow home directory access in SElinux setsebool -P httpd_enable_homedirs=on #3. Create a test user and a test CGI script useradd test chmod a+x ~test mkdir ~test/public_html echo '#!/bin/bash' >> ~test/public_html/index.cgi echo >> ~test/public_html/index.cgi echo 'echo "Content-Type: text/plain"' >> ~test/public_html/index.cgi echo 'echo' >> ~test/public_html/index.cgi echo 'echo "Hello world!"' >> ~test/public_html/index.cgi chown test.test ~test/public_html -R chmod a+x ~test/public_html/index.cgi chcon -t httpd_user_script_exec_t ~test/public_html/index.cgi #4. Start httpd and test that it is working (returns "Hello world!"): systemctl start httpd curl http://localhost/~test/index.cgi #5. Enable worker or event MPM and restart httpd sed -i -r 's/^LoadModule/#\0/' /etc/httpd/conf.modules.d/00-mpm.conf sed -i -r 's/#(LoadModule mpm_worker_module)/\1/' /etc/httpd/conf.modules.d/00-mpm.conf #5. Restart httpd and test that it isn't working (returns "500 Internal Server Error"): systemctl restart httpd curl http://localhost/~test/index.cgi #5. Disable SElinux and test that it is working (returns "Hello world!"): setenforce 0 curl http://localhost/~test/index.cgi #6. Check AVC (has to disable dontaudit to show anything) yum install policycoreutils-python semodule -DB audit2allow -l < /var/log/audit/audit.log Actual results: #============= httpd_suexec_t ============== allow httpd_suexec_t httpd_t:unix_stream_socket { read write }; allow httpd_suexec_t httpd_user_script_t:process { siginh rlimitinh noatsecure }; #============= httpd_t ============== allow httpd_t httpd_suexec_t:process { siginh rlimitinh noatsecure }; Additional info: This really is CentOS7. But I'm pretty sure that RHEL7 is also affected.
Yes, We have. commit 7003e2b565cd96c65293b86efa7b55a3fb15fd57 Author: Simon Sekidde <ssekidde@redhat.com> Date: Tue Jul 21 09:33:06 2015 -0400 Allow httpd_suexec_t to read and write Apache stream sockets Resolves:#1243569
*** This bug has been marked as a duplicate of bug 1243569 ***