Bug 1255358 - Selinux blocks user CGI scripts when httpd is configured to use worker or event MPM
Status: CLOSED DUPLICATE of bug 1243569
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Hardware: All
OS: Linux
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Depends On:
Reported: 2015-08-20 07:19 EDT by Tomasz Ostrowski
Modified: 2015-08-21 04:28 EDT
CC List: 6 users

See Also:
Fixed In Version: selinux-policy-3.13.1-37.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-08-21 04:28:32 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Tomasz Ostrowski 2015-08-20 07:19:36 EDT
Description of problem:
Selinux blocks user CGI scripts when httpd is configured to use worker or event MPM

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

#1. Install httpd
yum install httpd

#2. Enable userdir and CGI in userdir
# Uncomment CGI handler
sed -i -r 's/#(AddHandler cgi-script)/\1/' /etc/httpd/conf/httpd.conf
# Comment "UserDir disabled"
sed -i 's/UserDir disabled/#\0/' /etc/httpd/conf.d/userdir.conf
# Uncomment "UserDir public_html"
sed -i -r 's/#(UserDir public_html)/\1/' /etc/httpd/conf.d/userdir.conf
# Add "ExecCGI" to "Options"
sed -i -r 's/Options/\0 ExecCGI/' /etc/httpd/conf.d/userdir.conf
# Allow home directory access in SELinux
setsebool -P httpd_enable_homedirs=on

#3. Create a test user and a test CGI script
useradd test
chmod a+x ~test
mkdir ~test/public_html
echo '#!/bin/bash' >> ~test/public_html/index.cgi
echo >> ~test/public_html/index.cgi
echo 'echo "Content-Type: text/plain"' >> ~test/public_html/index.cgi
echo 'echo' >> ~test/public_html/index.cgi
echo 'echo "Hello world!"' >> ~test/public_html/index.cgi
chown -R test:test ~test/public_html
chmod a+x ~test/public_html/index.cgi
chcon -t httpd_user_script_exec_t ~test/public_html/index.cgi

#4. Start httpd and test that it is working (returns "Hello world!"):
systemctl start httpd
curl http://localhost/~test/index.cgi

#5. Enable worker or event MPM
sed -i -r 's/^LoadModule/#\0/' /etc/httpd/conf.modules.d/00-mpm.conf
sed -i -r 's/#(LoadModule mpm_worker_module)/\1/' /etc/httpd/conf.modules.d/00-mpm.conf

#6. Restart httpd and test that it isn't working (returns "500 Internal Server Error"):
systemctl restart httpd
curl http://localhost/~test/index.cgi

#7. Disable SELinux enforcement and test that it is working (returns "Hello world!"):
setenforce 0
curl http://localhost/~test/index.cgi

#8. Check AVC denials (you have to disable dontaudit rules to see anything)
yum install policycoreutils-python
semodule -DB
audit2allow -l < /var/log/audit/audit.log

Actual results:
#============= httpd_suexec_t ==============
allow httpd_suexec_t httpd_t:unix_stream_socket { read write };
allow httpd_suexec_t httpd_user_script_t:process { siginh rlimitinh noatsecure };

#============= httpd_t ==============
allow httpd_t httpd_suexec_t:process { siginh rlimitinh noatsecure };

Additional info:
This really is CentOS7. But I'm pretty sure that RHEL7 is also affected.
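The report's step 8 feeds the whole audit log to audit2allow and reads the generated allow rules by eye. As an added example (not part of the bug report or of the selinux-policy project), the POSIX shell helper below reduces raw AVC records to "source target class perms" tuples and flags the specific denial this bug is about, httpd_suexec_t being refused read/write on an httpd_t unix_stream_socket, so an administrator can tell the suexec socket denial apart from unrelated httpd denials before reaching for audit2allow. The audit records embedded in it are constructed for illustration in the standard audit.log AVC layout; the function names are this example's own. As the report notes, these denials are covered by dontaudit rules, so on a real host the log only contains them after `semodule -DB`.

```shell
#!/bin/sh
# Added example: summarise AVC denials and detect the suexec -> httpd socket
# denial described in this bug. SAMPLE_AUDIT is constructed sample data in the
# usual audit.log layout, not records from the reporter's system.
SAMPLE_AUDIT='type=AVC msg=audit(1440068000.101:201): avc:  denied  { read write } for  pid=2001 comm="suexec" path="socket:[12345]" scontext=system_u:system_r:httpd_suexec_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1440068000.102:202): avc:  denied  { siginh rlimitinh noatsecure } for  pid=2001 comm="suexec" scontext=system_u:system_r:httpd_suexec_t:s0 tcontext=system_u:system_r:httpd_user_script_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1440068000.102:202): arch=c000003e syscall=59 success=yes exit=0 comm="suexec"
type=AVC msg=audit(1440068000.103:203): avc:  denied  { getattr } for  pid=2002 comm="httpd" path="/srv/www/data" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Read audit records on stdin; print one line per AVC denial:
#   <source type> <target type> <object class> <perm[,perm...]>
# Records that are not AVC denials (SYSCALL, PATH, granted AVCs) are skipped.
avc_tuples() {
    awk '
        /^type=AVC / && /avc: +denied/ {
            perms = $0
            sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
            gsub(/ +/, ",", perms)
            src = $0; sub(/.*scontext=/, "", src); sub(/ .*/, "", src)
            tgt = $0; sub(/.*tcontext=/, "", tgt); sub(/ .*/, "", tgt)
            cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
            # contexts are user:role:type:level, so the type is field 3 even
            # when the MLS level itself contains further colons
            split(src, s, ":"); split(tgt, t, ":")
            print s[3], t[3], cls, perms
        }'
}

# Exit 0 if the denial behind this bug (httpd_suexec_t denied read or write on
# an httpd_t unix_stream_socket) appears in the records on stdin, else exit 1.
has_suexec_socket_denial() {
    avc_tuples | awk '
        $1 == "httpd_suexec_t" && $2 == "httpd_t" && $3 == "unix_stream_socket" &&
        $4 ~ /(^|,)(read|write)(,|$)/ { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Number of distinct (source, target, class) combinations, for a quick triage
# summary of how many different things are being denied.
avc_pair_count() {
    avc_tuples | awk '{ print $1, $2, $3 }' | sort -u | wc -l | tr -d ' '
}

# Demonstration on the constructed records. On a real host feed the actual
# log instead, after `semodule -DB` so the dontaudit'ed denials are written:
#   avc_tuples < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT" | avc_tuples
if printf '%s\n' "$SAMPLE_AUDIT" | has_suexec_socket_denial; then
    echo "suexec/httpd socket denial present (this bug; fixed in selinux-policy-3.13.1-37.el7)"
fi
```

The first two constructed records reproduce exactly the two httpd_suexec_t rules in the report's audit2allow output; the fourth is an unrelated httpd_t denial included to show that the check does not fire on just any httpd AVC.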
Comment 3 Lukas Vrabec 2015-08-21 04:15:17 EDT
Yes, we have.

commit 7003e2b565cd96c65293b86efa7b55a3fb15fd57
Author: Simon Sekidde <ssekidde@redhat.com>
Date:   Tue Jul 21 09:33:06 2015 -0400

    Allow httpd_suexec_t to read and write Apache stream sockets Resolves:#1243569
Comment 4 Lukas Vrabec 2015-08-21 04:28:32 EDT

*** This bug has been marked as a duplicate of bug 1243569 ***
