Bug 136357 - with selinux, cgi scripts are failing due to not being able to execute csh/tcsh
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2004-10-19 10:25 EDT by Thomas J. Baker
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2005-04-11 17:51:02 EDT
Description Thomas J. Baker 2004-10-19 10:25:29 EDT
Description of problem:
I'm slowly plowing through some old web pages, trying to get them to
run with selinux enabled. I've changed security contexts such that the
static web pages work. I've got some csh CGI scripts that seem to be
failing due to not being able to execute csh or tcsh:

audit(1098195572.974:0): avc:  denied  { read } for  pid=6050
exe=/usr/sbin/httpd name=csh dev=sda1 ino=376901
scontext=root:system_r:httpd_t tcontext=system_u:object_r:bin_t
tclass=lnk_file
audit(1098195679.621:0): avc:  denied  { execute } for  pid=6116
exe=/usr/sbin/httpd name=tcsh dev=sda1 ino=376872
scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t
tclass=file

I've got all the scripts marked as
system_u:object_r:httpd_user_script_exec_t and the CGI directory too:

[root@wintermute cgi-bin]# ls -ldZ .
drwxrwxr-x  tjb      4490     system_u:object_r:httpd_user_script_exec_t .
[root@wintermute cgi-bin]#

Is there any documentation that targets the FC3 targeted policy and
potential problems? I've looked at the old FC2 SELinux FAQ but it's
more of an overview. I believe I understand the basic concepts.
Version-Release number of selected component (if applicable):

selinux-policy-targeted-1.17.31-1

Comment 1 Daniel Walsh 2004-10-19 10:39:09 EDT
This looks like a labeling problem.  Why is tcsh labeled file_t?
Did you upgrade to this version without relabeling?

You can automatically relabel by doing 
touch /.autorelable 
and rebooting.

Dan
Comment 2 Daniel Walsh 2004-10-19 10:44:14 EDT
Make that 
touch /.autorelabel
Comment 3 Thomas J. Baker 2004-10-19 10:47:40 EDT
I'm not completely sure I understand the question. I'm updating from
rawhide everyday. Should I relabel after every update?

In this case, can I just restorecon it or is there some reason not to
do that?
Comment 4 Daniel Walsh 2004-10-19 10:51:08 EDT
You probably could do a restorecon, but a file labeled file_t should
not exist.  Also it seems that your named is not running correctly.
Seems like a very strange bug.

You do not need to relabel if the initial label took.  Not sure what
is going on.    You could try restorecon -R -v /usr/bin

Dan
Comment 5 Thomas J. Baker 2004-10-19 14:09:44 EDT
One thing that wasn't abundantly clear is that doing the autorelabel
thing relabels the whole system and not just the disk partition the
.autorelabel file was put on. I rebooted and now all my contexts for
all my own partitions are reset. Where is the right place to put my
own file contexts that won't be overwritten when the policy is updated?
Comment 6 Thomas J. Baker 2004-10-19 14:16:21 EDT
Seems like I might have a real policy bug here. After the relabel,
/usr/sbin/rotatelogs is this:

[root@wintermute tjb]# ls -lZ /usr/sbin/rotatelogs
-rwxr-xr-x  root     root     system_u:object_r:sbin_t        
/usr/sbin/rotatelogs [root@wintermute tjb]#

That causes this error with starting httpd:

audit(1098209728.767:0): avc:  denied  { read execute } for  pid=6329
exe=/usr/sbin/httpd name=rotatelogs dev=sda1 ino=196697
scontext=root:system_r:httpd_t tcontext=system_u:object_r:sbin_t
tclass=file

Should it not be system_u:object_r:httpd_exec_t?
Comment 7 Thomas J. Baker 2004-10-19 14:28:58 EDT
Back to the CGI problem. After the relabel, I now get this error:

audit(1098210479.628:0): avc:  denied  { getattr } for  pid=7047
exe=/bin/tcsh path=/var/run/utmp dev=sda1 ino=98358
scontext=root:system_r:httpd_sys_script_t
tcontext=user_u:object_r:var_run_t tclass=file
audit(1098210479.631:0): avc:  denied  { execute_no_trans } for 
pid=7048 exe=/bin/tcsh path=/web/wintermute/cgi-bin/statistics
dev=sda2 ino=81340 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:httpd_sys_script_exec_t tclass=file

The script in question is set to
system_u:object_r:httpd_user_script_exec_t. Also, I just realized that
you said my named is not running right? I guess you must have meant httpd?
Comment 8 Daniel Walsh 2004-10-19 15:40:33 EDT
Sorry about that.  The only place to put your own content now is at
the end of the file_contexts file. 
/etc/selinux/TYPE/content/file/file_context

We are working on a way to make user modified file context permanent.

I.e., running chcon on a file will survive a relabel.

Did that fix your problem?
BTW did you reboot with selinux=0 at some point?
Dan
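Comment 5 asks where custom labels belong and Comment 8 answers: at the end of the file_contexts file. The reason is the lookup rule the SELinux userland applies to that file: every entry is an anchored regex, and when several entries match a path the last one in the file wins, so an entry appended at the end overrides the policy's own entry for the same path, while an entry placed earlier can be shadowed by a broader one below it. The Python below is added here as an illustration and is not part of this bug or of the SELinux userland; it implements that last-match lookup over a constructed, cut-down file_contexts (the spec lines are illustrative, not copied from the real FC3 policy), then runs a constructed `ls -Z`-style snapshot through it to list what `restorecon -n -v` would change. The paths and labels in the snapshot are the ones quoted in this bug, the surrounding entries are invented for the example.

```python
import re

# Constructed, cut-down file_contexts in the FC3-era format: one anchored regex,
# an optional file-type flag (-- regular file, -d directory, -l symlink, ...),
# and the context.  "<<none>>" means "leave this path unlabeled".  These lines
# are illustrative, not copied from the real policy.
FILE_CONTEXTS = """\
/.*                        system_u:object_r:default_t
/usr/bin/.*                system_u:object_r:bin_t
/usr/sbin/.*               system_u:object_r:sbin_t
/var/run(/.*)?             system_u:object_r:var_run_t
/var/www/cgi-bin(/.*)?     system_u:object_r:httpd_sys_script_exec_t
/web(/.*)?                 system_u:object_r:httpd_sys_content_t
"""

# A local addition appended at the END of the file, as Comment 8 describes.
LOCAL_ADDITIONS = """\
/web/wintermute/cgi-bin(/.*)?   system_u:object_r:httpd_sys_script_exec_t
"""

TYPE_FLAGS = {"--": "file", "-d": "dir", "-l": "link", "-c": "char",
              "-b": "block", "-s": "sock", "-p": "fifo"}


def parse_file_contexts(text):
    """Parse file_contexts lines into (compiled regex, file type or None, context)."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) == 3:
            regex, flag, context = parts
            ftype = TYPE_FLAGS[flag]
        elif len(parts) == 2:
            regex, context = parts
            ftype = None            # no flag: applies to every file type
        else:
            raise ValueError("bad file_contexts line: %r" % raw)
        # Specs are matched against the whole path, hence the anchors.
        specs.append((re.compile("^(?:%s)$" % regex), ftype, context))
    return specs


def matchpathcon(specs, path, ftype="file"):
    """Expected context for path: the LAST matching spec wins, as in libselinux."""
    for regex, spec_ftype, context in reversed(specs):
        if spec_ftype not in (None, ftype):
            continue
        if regex.match(path):
            return None if context == "<<none>>" else context
    return None


# Constructed `ls -Z`-style snapshot: (path, file type, current context).  The
# four entries are the labels quoted in this bug report.
CURRENT_LABELS = [
    ("/usr/bin/tcsh", "file", "system_u:object_r:file_t"),
    ("/usr/sbin/rotatelogs", "file", "system_u:object_r:sbin_t"),
    ("/web/wintermute/cgi-bin", "dir", "system_u:object_r:httpd_user_script_exec_t"),
    ("/web/wintermute/cgi-bin/statistics", "file", "system_u:object_r:httpd_sys_script_exec_t"),
]


def restorecon_plan(specs, labels):
    """What `restorecon -n -v` would report: (path, current, expected) per mismatch."""
    changes = []
    for path, ftype, current in labels:
        expected = matchpathcon(specs, path, ftype)
        if expected is not None and expected != current:
            changes.append((path, current, expected))
    return changes


if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS + LOCAL_ADDITIONS)
    for path, current, expected in restorecon_plan(specs, CURRENT_LABELS):
        print("%s: %s -> %s" % (path, current, expected))
```

Run as-is the plan lists `/usr/bin/tcsh` (file_t is an unlabeled file; the policy says bin_t) and the reporter's CGI directory (httpd_user_script_exec_t is replaced by the appended entry), while rotatelogs stays sbin_t, which is what Comment 9 says it should be. Parse `FILE_CONTEXTS` without `LOCAL_ADDITIONS` and the whole `/web` tree falls back to httpd_sys_content_t, which is the reset Comment 5 saw after the autorelabel; put `LOCAL_ADDITIONS` in front of `FILE_CONTEXTS` instead of after it and the broader `/web(/.*)?` entry shadows it, which is why the position at the end of the file matters. On current Fedora the same effect is obtained without editing the policy's file by hand: `semanage fcontext -a -t httpd_sys_script_exec_t '/web/wintermute/cgi-bin(/.*)?'` writes the entry to file_contexts.local, and `restorecon -Rv /web` applies it.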
Comment 9 Daniel Walsh 2004-10-19 15:49:10 EDT
Yes you have found a real bug.  Rotatelogs should be sbin_t but policy
needs to be changed to add
can_exec(httpd_t, sbin_t)

audit(1098210479.628:0): avc:  denied  { getattr } for  pid=7047
exe=/bin/tcsh path=/var/run/utmp dev=sda1 ino=98358
scontext=root:system_r:httpd_sys_script_t
tcontext=user_u:object_r:var_run_t tclass=file

Is this script trying to do something with utmp?

audit(1098210479.631:0): avc:  denied  { execute_no_trans } for 
pid=7048 exe=/bin/tcsh path=/web/wintermute/cgi-bin/statistics
dev=sda2 ino=81340 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:httpd_sys_script_exec_t tclass=file

/web/wintermute/cgi-bin/statistics should be httpd_sys_script_t

Dan
Comment 10 Colin Walters 2004-10-19 15:59:36 EDT
Eh?  I think the file is already labeled httpd_sys_script_exec_t,
which is right.  I think the problem here is that the policy isn't
allowing one CGI script to execute another.  We probably just need:

allow httpd_sys_script_t httpd_sys_script_exec_t:file {
execute_no_trans };
Comment 11 Thomas J. Baker 2004-10-19 16:28:26 EDT
The script is definitely calling another cgi-script in the same
directory. I believe it does try to lock a file which might use utmp.
Which is the correct context for scripts? I had it set to
httpd_user_script_exec_t.
Comment 12 Daniel Walsh 2004-10-19 16:40:11 EDT
Yes I misread the avc, we need to add  
can_exec(httpd_sys_script_exec_t, httpd_sys_script_t)
to policy.
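The thread sorts the AVC denials into two kinds. Comment 1 spots that tcsh carries file_t, which means the file has no label at all, so the fix is relabeling, not policy; Comments 9, 10 and 12 read the remaining denials as policy gaps and turn them into allow rules, the `execute_no_trans` rule in Comment 10 being the one that lets one CGI script run another of the same type. The Python below, added here as an illustration and not part of this bug or of the SELinux tools, does that triage mechanically over the five denials quoted on this page (re-joined onto one line each, since the audit subsystem emits one record per line; these are the page's own records, not new ones): it parses the `avc: denied` fields, routes targets labeled file_t (or unlabeled_t) to a relabel list, and folds the rest into audit2allow-style `allow` statements keyed on source type, target type and class. The `triage` and `parse_avc` names and the type set are this example's own choices.

```python
import re
from collections import defaultdict

# The denials quoted in this bug, one record per line (the web page wrapped them).
SAMPLE_AVCS = """\
audit(1098195572.974:0): avc:  denied  { read } for  pid=6050 exe=/usr/sbin/httpd name=csh dev=sda1 ino=376901 scontext=root:system_r:httpd_t tcontext=system_u:object_r:bin_t tclass=lnk_file
audit(1098195679.621:0): avc:  denied  { execute } for  pid=6116 exe=/usr/sbin/httpd name=tcsh dev=sda1 ino=376872 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=file
audit(1098209728.767:0): avc:  denied  { read execute } for  pid=6329 exe=/usr/sbin/httpd name=rotatelogs dev=sda1 ino=196697 scontext=root:system_r:httpd_t tcontext=system_u:object_r:sbin_t tclass=file
audit(1098210479.628:0): avc:  denied  { getattr } for  pid=7047 exe=/bin/tcsh path=/var/run/utmp dev=sda1 ino=98358 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:object_r:var_run_t tclass=file
audit(1098210479.631:0): avc:  denied  { execute_no_trans } for  pid=7048 exe=/bin/tcsh path=/web/wintermute/cgi-bin/statistics dev=sda2 ino=81340 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_sys_script_exec_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Target types that mean "this file has no real label": the fix is a relabel
# (restorecon / autorelabel), not a policy change.  Chosen for this example.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}


def parse_avc(line):
    """Return a dict for one 'avc: denied' record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    # Contexts here are user:role:type (FC3-era, no MLS level); keep the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def triage(text):
    """Split denials into labeling problems and policy gaps.

    Returns (labeling, rules): labeling lists (name-or-path, target type)
    pairs whose fix is a relabel; rules is the sorted list of
    audit2allow-style 'allow' statements the remaining denials would need.
    """
    labeling = []
    needed = defaultdict(set)  # (stype, ttype, tclass) -> set of permissions
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if rec["ttype"] in UNLABELED_TYPES:
            labeling.append((rec.get("path") or rec.get("name"), rec["ttype"]))
            continue
        needed[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = [
        "allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
        for (s, t, c), p in sorted(needed.items())
    ]
    return labeling, rules


if __name__ == "__main__":
    labeling, rules = triage(SAMPLE_AVCS)
    for name, ttype in labeling:
        print("relabel needed: %s is labeled %s" % (name, ttype))
    print("\n".join(rules))
```

On this input the relabel list holds only tcsh, and the generated rules are the ones the thread arrives at: `allow httpd_sys_script_t httpd_sys_script_exec_t:file { execute_no_trans };` is Comment 10's rule, and `allow httpd_t sbin_t:file { execute read };` is the core of what `can_exec(httpd_t, sbin_t)` from Comment 9 expands to (the macro grants a wider set of file permissions than the two the denial names). The output is a starting point, not a patch: a generated rule only says what the denied access was, not whether it should be granted, and the `getattr` on /var/run/utmp is the kind of entry to question rather than allow, which is exactly what Comment 9 asks about.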
Comment 13 Daniel Walsh 2004-10-20 10:33:29 EDT
Fixed in selinux-policy-targeted-1.17.30-2.5
