Bug 1260306 - Improper SELinux contexts for nagios cgi executables
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.3
Hardware / OS: All / Linux
Priority / Severity: unspecified / unspecified
Target Milestone: rc
Assigned To: Lukas Vrabec
QA Contact: Jan Zarsky
: SELinux
Duplicates: 1260303
Reported: 2015-09-05 16:22 EDT by Sachi
Modified: 2016-11-03 22:21 EDT
Fixed In Version: selinux-policy-3.13.1-66.el7
Doc Type: Bug Fix
Last Closed: 2016-11-03 22:21:54 EDT
Type: Bug


Attachments
sealert log (2.78 KB, text/plain), 2015-09-05 16:23 EDT, Sachi
Description Sachi 2015-09-05 16:22:27 EDT
Description of problem: SELinux denies httpd the exec action on CGI scripts due to wrong contexts


Version-Release number of selected component (if applicable): selinux-policy.noarch 3.13.1-23.el7_1.13


How reproducible: Always


Steps to Reproduce:
1. Install Nagios and plugins according to https://assets.nagios.com/downloads/nagioscore/docs/nagioscore/4/en/quickstart-fedora.html, and **don't disable selinux or put it to permissive mode**
2. Try to log in to http://localhost/nagios (or equivalent)
3. Check the SELinux audit log for denied messages (might need to disable dontaudit: `# semodule --disable_dontaudit --build`)

Actual results: httpd denied exec action, leading to an error in the web (http://localhost/nagios)

error message: type=AVC msg=audit(1441480084.865:710): avc:  denied  { execute } for  pid=5444 comm="httpd" name="statusjson.cgi" dev="dm-1" ino=135240040 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file

Check the attached sealert log for details

----------------

Expected results: No denied message and nagios web works similar to when selinux is off


Additional info:
Changing the security contexts of the CGI scripts from httpd_sys_content_t to httpd_sys_script_exec_t seems to work.
Ex:
chcon -R -t httpd_sys_script_exec_t /usr/local/nagios/sbin
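As an added example (not part of the report), a small POSIX shell helper that pulls the relevant fields out of the AVC record quoted above and prints a persistent version of the relabelling workaround. The `chcon` in the report changes the label on the inode only; the next `restorecon` or a full relabel puts the policy default back. Recording a `semanage fcontext` rule and then running `restorecon` makes the label survive that. The AVC line is the one from the report, embedded as sample input; the path /usr/local/nagios/sbin is the one the reporter used; the function names are this example's own.

```shell
#!/bin/sh
# Parse an AVC record and emit a persistent relabel for the denied object.
# Sample input: the AVC line from the bug report, embedded here so the
# script runs offline.
AVC='type=AVC msg=audit(1441480084.865:710): avc:  denied  { execute } for  pid=5444 comm="httpd" name="statusjson.cgi" dev="dm-1" ino=135240040 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_field RECORD KEY -> value of " KEY=value" with surrounding quotes
# stripped; prints nothing when the key is absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD -> the permission set inside "{ ... }" (here: execute)
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT -> the type field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# fix_commands TYPE DIR -> the two commands that make the new label stick:
# a file-context rule covering DIR and everything below it, then a relabel.
# chcon alone is undone by the next restorecon.
fix_commands() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$1" "$2"
    printf 'restorecon -Rv %s\n' "$2"
}

# Summarise the denial, then print the persistent fix for the report's path.
printf 'denied: %s (%s) -> %s on %s labelled %s\n' \
    "$(avc_field "$AVC" comm)" \
    "$(ctx_type "$(avc_field "$AVC" scontext)")" \
    "$(avc_perms "$AVC")" \
    "$(avc_field "$AVC" name)" \
    "$(ctx_type "$(avc_field "$AVC" tcontext)")"
fix_commands httpd_sys_script_exec_t /usr/local/nagios/sbin
```

Run it as-is to see the summary and the two commands; run the printed commands as root on the affected host. The `(/.*)?` suffix is the usual file-context regex for "this directory and everything under it".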
Comment 1 Sachi 2015-09-05 16:23:00 EDT
Created attachment 1070529 [details]
sealert log
Comment 3 Lukas Vrabec 2015-09-06 14:29:20 EDT
*** Bug 1260303 has been marked as a duplicate of this bug. ***
Comment 4 Milos Malik 2015-09-07 04:33:26 EDT
# sesearch -s httpd_t -t httpd_sys_content_t -c file -p execute -A -C
Found 1 semantic av rules:
DT allow httpd_t httpdcontent : file { ioctl read write create getattr setattr lock append unlink link rename execute open } ; [ httpd_enable_cgi httpd_unified && httpd_builtin_scripting && ]
#

Which of following booleans are enabled on your machine?
 * httpd_enable_cgi
 * httpd_unified
 * httpd_builtin_scripting
Comment 5 Sachi 2015-09-07 15:11:32 EDT
$ getsebool httpd_enable_cgi
httpd_enable_cgi --> on
$ getsebool httpd_unified
httpd_unified --> off
$ getsebool httpd_builtin_scripting
httpd_builtin_scripting --> on

it says sesearch - command not found!
Comment 6 Sachi 2015-09-07 15:15:51 EDT
nvm, didn't know I had to install setools-console.

# sesearch -s httpd_t -t httpd_sys_content_t -c file -p execute -A -C
Found 1 semantic av rules:
DT allow httpd_t httpdcontent : file { ioctl read write create getattr setattr lock append unlink link rename execute open } ; [ httpd_enable_cgi httpd_unified && httpd_builtin_scripting && ]
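The bracketed expression that `sesearch -C` appends to the rule above is printed in postfix (operands first, operator last), so `[ httpd_enable_cgi httpd_unified && httpd_builtin_scripting && ]` reads as `httpd_enable_cgi && httpd_unified && httpd_builtin_scripting`. The `DT` prefix marks the rule as currently Disabled and living in the True branch of that conditional, which is exactly what the `getsebool` output in comment 5 predicts with httpd_unified off. As an added example (not from the report), the following POSIX shell evaluator applies `getsebool`-style output to such an expression; the sample boolean values are the ones from comment 5 and the function names are this example's own.

```shell
#!/bin/sh
# Evaluate the postfix conditional that "sesearch -C" prints after a rule,
# using boolean values in "getsebool" output format.
# Constructed sample input mirroring comment 5 of the report:
SAMPLE_GETSEBOOL='httpd_enable_cgi --> on
httpd_unified --> off
httpd_builtin_scripting --> on'

RULE_COND='[ httpd_enable_cgi httpd_unified && httpd_builtin_scripting && ]'

# bool_value NAME GETSEBOOL_TEXT -> 1 for "on", 0 for "off"; error otherwise
bool_value() {
    val=$(printf '%s\n' "$2" | sed -n "s/^$1 --> //p")
    case "$val" in
        on)  echo 1 ;;
        off) echo 0 ;;
        *)   echo "unknown boolean: $1" >&2; return 1 ;;
    esac
}

# eval_cond EXPR GETSEBOOL_TEXT -> 1 if the conditional is currently true
# (rule enabled), 0 if false (rule disabled).  Supports the policy
# language's operators: && || ^ == != and unary !.
eval_cond() {
    stack=""    # stack of 0/1 values kept as " v1 v2 ...", top is last
    for tok in $(printf '%s' "$1" | tr -d '[]'); do
        case "$tok" in
            '&&'|'||'|'^'|'=='|'!=')
                b=${stack##* }; stack=${stack% *}
                a=${stack##* }; stack=${stack% *}
                if [ -z "$a" ] || [ -z "$b" ]; then
                    echo "malformed expression: $1" >&2; return 1
                fi
                case "$tok" in
                    '&&') r=$(( a && b )) ;;
                    '||') r=$(( a || b )) ;;
                    '^')  r=$(( a ^ b )) ;;
                    '==') r=$(( a == b )) ;;
                    '!=') r=$(( a != b )) ;;
                esac
                stack="$stack $r" ;;
            '!')
                a=${stack##* }; stack=${stack% *}
                if [ -z "$a" ]; then
                    echo "malformed expression: $1" >&2; return 1
                fi
                stack="$stack $(( !a ))" ;;
            *)
                v=$(bool_value "$tok" "$2") || return 1
                stack="$stack $v" ;;
        esac
    done
    result=${stack# }
    case "$result" in
        ''|*' '*) echo "malformed expression: $1" >&2; return 1 ;;
    esac
    echo "$result"
}

# As reported (httpd_unified off): prints 0, i.e. the allow rule is disabled.
eval_cond "$RULE_COND" "$SAMPLE_GETSEBOOL"
# After "setsebool -P httpd_unified 1": prints 1, the rule becomes active.
eval_cond "$RULE_COND" "$(printf '%s\n' "$SAMPLE_GETSEBOOL" | sed 's/^httpd_unified --> off/httpd_unified --> on/')"
```

On a live system replace the sample text with `$(getsebool -a)`; the same evaluator then tells you whether any conditional rule `sesearch -C` shows is in force before you reach for `setsebool`.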
Comment 7 Sachi 2015-09-07 15:26:00 EDT
Alright, setting the boolean

httpd_unified --> on

works. So that is the solution? (Sorry, when I posted this on stackof I was told to file a bug report!)
Comment 8 Milos Malik 2015-09-08 02:45:52 EDT
Yes, the enabling of httpd_unified boolean is the solution, but I must admit that the boolean documentation needs some improvements. I don't understand the purpose of the boolean either :-)

# man httpd_selinux | col -b | grep -C 2 unified

       If you want to unify HTTPD handling of all content files, you must turn
       on the httpd_unified boolean. Disabled by default.

       setsebool -P httpd_unified 1
#
Comment 9 Miroslav Grepl 2015-09-08 14:24:17 EDT
Where is statusjson.cgi located? You could also change a labeling for it.

httpd_unified boolean is powerful.
Comment 10 Sachi 2015-09-08 15:49:10 EDT
Yes, I had changed the context on those files to "httpd_sys_script_exec_t", and it worked. What should be the best solution?
Comment 11 Miroslav Grepl 2015-09-10 11:15:18 EDT
(In reply to Sachi from comment #10)
> Yes, I had changed the context on those files to "httpd_sys_script_exec_t",
> and it worked. What should be the best solution?

Yes, this is a better solution. We could also think about a new policy but if it works correct, it is fine to have httpd_sys_script_exec_t labeling.
Comment 12 Sachi 2015-09-10 20:14:09 EDT
Ok, that's cool. Thx.
Comment 14 Mike McCune 2016-03-28 18:59:28 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Comment 18 errata-xmlrpc 2016-11-03 22:21:54 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html
