Bug 1260306 - Improper SELinux contexts for nagios cgi executables
Summary: Improper SELinux contexts for nagios cgi executables
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Jan Zarsky
URL:
Whiteboard:
Duplicates: 1260303
Depends On:
Blocks:
Reported: 2015-09-05 20:22 UTC by Sachi
Modified: 2016-11-04 02:21 UTC

Fixed In Version: selinux-policy-3.13.1-66.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 02:21:54 UTC
Target Upstream Version:
Embargoed:


Attachments:
sealert log (2.78 KB, text/plain), 2015-09-05 20:23 UTC, Sachi


Links:
Red Hat Product Errata RHBA-2016:2283 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2016-11-03 13:36:25 UTC

Description Sachi 2015-09-05 20:22:27 UTC
Description of problem: SELinux denies httpd exec action on cgi scripts due to wrong contexts


Version-Release number of selected component (if applicable): selinux-policy.noarch 3.13.1-23.el7_1.13


How reproducible: Always


Steps to Reproduce:
1. Install Nagios and plugins according to https://assets.nagios.com/downloads/nagioscore/docs/nagioscore/4/en/quickstart-fedora.html, and **don't disable selinux or put it to permissive mode**
2. Try to log in to http://localhost/nagios (or equivalent)
3. Check the SELinux audit log for denied messages (might need to disable dontaudit rules: `# semodule --disable_dontaudit --build`)

Actual results: httpd denied exec action, leading to an error in the web (http://localhost/nagios)

error message: type=AVC msg=audit(1441480084.865:710): avc:  denied  { execute } for  pid=5444 comm="httpd" name="statusjson.cgi" dev="dm-1" ino=135240040 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file

Check the attached sealert log for details

----------------

Expected results: No denied message, and the nagios web works similar to when SELinux is off


Additional info:
Changing the security contexts of the cgi scripts from httpd_sys_content_t to httpd_sys_script_exec_t seems to work.
Ex:
chcon -R -t httpd_sys_script_exec_t /usr/local/nagios/sbin

Comment 1 Sachi 2015-09-05 20:23:00 UTC
Created attachment 1070529 [details]
sealert log

Comment 3 Lukas Vrabec 2015-09-06 18:29:20 UTC
*** Bug 1260303 has been marked as a duplicate of this bug. ***

Comment 4 Milos Malik 2015-09-07 08:33:26 UTC
# sesearch -s httpd_t -t httpd_sys_content_t -c file -p execute -A -C
Found 1 semantic av rules:
DT allow httpd_t httpdcontent : file { ioctl read write create getattr setattr lock append unlink link rename execute open } ; [ httpd_enable_cgi httpd_unified && httpd_builtin_scripting && ]
#

Which of following booleans are enabled on your machine?
 * httpd_enable_cgi
 * httpd_unified
 * httpd_builtin_scripting

Comment 5 Sachi 2015-09-07 19:11:32 UTC
$ getsebool httpd_enable_cgi
httpd_enable_cgi --> on
$ getsebool httpd_unified
httpd_unified --> off
$ getsebool httpd_builtin_scripting
httpd_builtin_scripting --> on

it says sesearch - command not found!

Comment 6 Sachi 2015-09-07 19:15:51 UTC
nvm, didn't know I had to install setools-console.

# sesearch -s httpd_t -t httpd_sys_content_t -c file -p execute -A -C
Found 1 semantic av rules:
DT allow httpd_t httpdcontent : file { ioctl read write create getattr setattr lock append unlink link rename execute open } ; [ httpd_enable_cgi httpd_unified && httpd_builtin_scripting && ]

Comment 7 Sachi 2015-09-07 19:26:00 UTC
Alright, setting the boolean

httpd_unified --> on

works. So that is the solution? (Sorry, when I posted this on stackof I was told to file a bug report!)

Comment 8 Milos Malik 2015-09-08 06:45:52 UTC
Yes, the enabling of httpd_unified boolean is the solution, but I must admit that the boolean documentation needs some improvements. I don't understand the purpose of the boolean either :-)

# man httpd_selinux | col -b | grep -C 2 unified

       If you want to unify HTTPD handling of all content files, you must turn
       on the httpd_unified boolean. Disabled by default.

       setsebool -P httpd_unified 1
#

Comment 9 Miroslav Grepl 2015-09-08 18:24:17 UTC
Where is statusjson.cgi located? You could also change a labeling for it.

httpd_unified boolean is powerful.

Comment 10 Sachi 2015-09-08 19:49:10 UTC
Yes, I had changed the context on those files to "httpd_sys_script_exec_t", and it worked. What should be the best solution?

Comment 11 Miroslav Grepl 2015-09-10 15:15:18 UTC
(In reply to Sachi from comment #10)
> Yes, I had changed the context on those files to "httpd_sys_script_exec_t",
> and it worked. What should be the best solution?

Yes, this is a better solution. We could also think about a new policy but if it works correct, it is fine to have httpd_sys_script_exec_t labeling.
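
As an added example (not from the bug report), a small POSIX shell helper that parses the AVC denial quoted in the description and emits the persistent relabel that comments 9 to 11 settle on; it uses semanage fcontext plus restorecon rather than chcon so the label survives a filesystem relabel. The sample AVC line is a constructed copy of the one in the report, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: turn an httpd_t -> httpd_sys_content_t execute denial into
# the targeted, persistent fix (httpd_sys_script_exec_t on the cgi directory).

# Constructed copy of the denial from the bug description (sample input).
SAMPLE_AVC='type=AVC msg=audit(1441480084.865:710): avc:  denied  { execute } for  pid=5444 comm="httpd" name="statusjson.cgi" dev="dm-1" ino=135240040 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=... with surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the single permission inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([a-z_]*\)[[:space:]]*}.*/\1/p'
}

# context_type CONTEXT -> the type component (user:role:type:level)
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix LINE CGI_DIR -> prints the relabel commands for the exact pattern
# in this bug (httpd_t executing a file labelled httpd_sys_content_t), or
# prints "no-match" and returns 1 for anything else so unrelated denials are
# never "fixed" by relabelling.
suggest_fix() {
    line=$1; dir=$2
    [ "$(avc_perm "$line")" = execute ] || { echo no-match; return 1; }
    [ "$(avc_field "$line" tclass)" = file ] || { echo no-match; return 1; }
    [ "$(context_type "$(avc_field "$line" scontext)")" = httpd_t ] || { echo no-match; return 1; }
    [ "$(context_type "$(avc_field "$line" tcontext)")" = httpd_sys_content_t ] || { echo no-match; return 1; }
    # Record the rule in the policy store, then apply it; chcon alone is lost on relabel.
    printf 'semanage fcontext -a -t httpd_sys_script_exec_t "%s(/.*)?"\n' "$dir"
    printf 'restorecon -Rv %s\n' "$dir"
}

# Stand-alone usage: print the fix for the directory named in the description.
suggest_fix "$SAMPLE_AVC" /usr/local/nagios/sbin
```

Turning on httpd_unified (comment 7) also clears the denial, but the sesearch output in comment 4 shows that rule grants httpd_t read, write and execute on every httpdcontent file, which is why comment 11 prefers the narrower label.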

Comment 12 Sachi 2015-09-11 00:14:09 UTC
Ok, that's kool. Thx.

Comment 14 Mike McCune 2016-03-28 22:59:28 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 18 errata-xmlrpc 2016-11-04 02:21:54 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html

