This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 140403 - Cannot use exec() with php and selinux
Cannot use exec() with php and selinux
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
3
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-11-22 14:35 EST by Jean-Francois Saucier
Modified: 2007-11-30 17:10 EST (History)
0 users

See Also:
Fixed In Version: RHBA-2005-251
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-12-22 13:23:59 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jean-Francois Saucier 2004-11-22 14:35:16 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041111 Firefox/1.0

Description of problem:
I have selinux-policy-targeted-1.17.30-2.33 and libselinux-1.19.1-3
installed.

I have a small page with just the following code in it :

<?php

exec('ls');

?>



When I launch the page, it says in my dmesg :


Nov 22 14:31:17 portable kernel: audit(1101151877.305:0): avc:  denied
 { getattr } for  pid=15954 exe=/bin/bash path=/bin/ls dev=hda2
ino=2355983 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:ls_exec_t tclass=file


In another script, I use the htmldoc program and this give in my dmesg :


Nov 22 14:39:16 portable kernel: audit(1101152356.400:0): avc:  denied
 { read write } for  pid=16067 exe=/bin/bash path=socket:[41977]
dev=sockfs ino=41977 scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_t tclass=unix_stream_socket
Nov 22 14:39:16 portable kernel: audit(1101152356.593:0): avc:  denied
 { search } for  pid=16068 exe=/usr/bin/htmldoc
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
Nov 22 14:39:16 portable kernel: audit(1101152356.593:0): avc:  denied
 { search } for  pid=16068 exe=/usr/bin/htmldoc name=sys dev=proc
ino=-268435431 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:sysctl_t tclass=dir
Nov 22 14:39:16 portable kernel: audit(1101152356.967:0): avc:  denied
 { write } for  pid=16068 exe=/usr/bin/htmldoc name=tmp dev=hda3
ino=50222 scontext=root:system_r:httpd_sys_script_t
tcontext=user_u:object_r:httpd_sys_content_t tclass=dir



How can I use exec with PHP? Many of my script use custom bash script
to do some tasks.

PS : I have the lastest version of selinux-policy-targeted that I find
at ftp://people.redhat.com/dwalsh/SELinux/FC3/

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.33

How reproducible:
Always

Steps to Reproduce:
1. Use exec() in a php script
2. Launch the script
3. See the error
    

Actual Results:  The script don't work

Expected Results:  The script work using the exec command

Additional info:
Comment 1 Daniel Walsh 2004-11-23 09:58:59 EST
FIxed in selinux-policy-targeted-1.17.30-2.34
or
selinux-policy-targeted-1.19.4-3
Comment 2 Jean-Francois Saucier 2004-11-23 16:34:48 EST
Ok, I have installed selinux-policy-targeted-1.17.30-2.34 and
selinux-policy-targeted-sources-1.17.30-2.34.noarch.rpm with rpm -Uvh

It say : warning: /etc/selinux/targeted/policy/policy.18 created as
/etc/selinux/targeted/policy/policy.18.rpmnew


What can I do. It does not seems to reload the policy... Do I need to
rename policy.18.rpmnew to policy.18 ?
Comment 3 Daniel Walsh 2004-11-23 16:50:44 EST
selinux-policy-targeted-sources should have reloaded the policy.

You can do a 
make -C /etc/selinux/targeted/src/policy load 

to make sure.
Comment 4 Jean-Francois Saucier 2004-11-23 19:13:31 EST
Ok, it is reloaded but it did not solve my problem, here is what is
say in my logs :

Nov 23 19:16:20 portable kernel: audit(1101255380.789:0): avc:  denied
 { read write } for  pid=3822 exe=/bin/bash path=socket:[10728]
dev=sockfs ino=10728 scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_t tclass=unix_stream_socket
Nov 23 19:16:20 portable kernel: audit(1101255380.951:0): avc:  denied
 { search } for  pid=3823 exe=/usr/bin/htmldoc
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
Nov 23 19:16:20 portable kernel: audit(1101255380.952:0): avc:  denied
 { search } for  pid=3823 exe=/usr/bin/htmldoc name=sys dev=proc
ino=-268435431 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:sysctl_t tclass=dir
Nov 23 19:16:21 portable kernel: audit(1101255381.310:0): avc:  denied
 { write } for  pid=3823 exe=/usr/bin/htmldoc name=tmp dev=hda3
ino=50222 scontext=root:system_r:httpd_sys_script_t
tcontext=user_u:object_r:httpd_sys_content_t tclass=dir


It work fine without enforcing SELinux.


And with the new .34 policy, in say this before starting mysqld :

Nov 23 19:15:48 portable httpd: httpd startup succeeded
Nov 23 19:15:49 portable kernel: audit(1101255349.283:0): avc:  denied
 { append } for  pid=3757 exe=/usr/libexec/mysqld
path=/var/log/mysqld.log dev=hda2 ino=1032864
scontext=root:system_r:mysqld_t tcontext=user_u:object_r:var_log_t
tclass=file
Nov 23 19:15:49 portable kernel: audit(1101255349.283:0): avc:  denied
 { append } for  pid=3757 exe=/usr/libexec/mysqld
path=/var/log/mysqld.log dev=hda2 ino=1032864
scontext=root:system_r:mysqld_t tcontext=user_u:object_r:var_log_t
tclass=file
Nov 23 19:15:50 portable mysqld: Starting MySQL:  succeeded
Comment 5 Jean-Francois Saucier 2004-12-02 14:33:32 EST
With the new .39 package, this bug continue to be here with the same
error log.
Comment 6 Daniel Walsh 2004-12-02 14:39:38 EST
restorecon /var/log/mysqld.log

should fix the var_log_t problem,

I wonder why it is labeled incorrectly.

Are you seeing other problems with the htmldoc stuff?

Dan
Comment 7 Jean-Francois Saucier 2004-12-02 15:17:59 EST
Ok, it fix the mysql error at startup, thanks.



For the htmldoc problem, here is what I have now :


Dec  2 15:14:17 portable kernel: audit(1102018457.009:0): avc:  denied
 { read write } for  pid=12810 exe=/bin/bash path=socket:[30566]
dev=sockfs ino=30566 scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_t tclass=unix_stream_socket
Dec  2 15:14:17 portable kernel: audit(1102018457.502:0): avc:  denied
 { write } for  pid=12811 exe=/usr/bin/htmldoc name=tmp dev=hda3
ino=50222 scontext=root:system_r:httpd_sys_script_t
tcontext=user_u:object_r:httpd_sys_content_t tclass=dir





Here is what I have for a simple php exec('ls') :

Dec  2 15:14:53 portable kernel: audit(1102018493.590:0): avc:  denied
 { getattr } for  pid=12819 exe=/bin/bash path=/bin/ls dev=hda2
ino=2355882 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:ls_exec_t tclass=file



Thanks a lot for your time and help
Comment 8 Jean-Francois Saucier 2004-12-06 09:20:00 EST
With the .42 release :


The simple exec('ls') :


Dec  6 09:18:48 portable kernel: audit(1102342728.088:0): avc:  denied
 { search } for  pid=4713 exe=/bin/ls name=selinux dev=hda2
ino=2665775 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:selinux_config_t tclass=dir
Dec  6 09:18:48 portable kernel: audit(1102342728.088:0): avc:  denied
 { read } for  pid=4713 exe=/bin/ls name=mounts dev=proc ino=308871184
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=file
Dec  6 09:18:48 portable kernel: audit(1102342728.090:0): avc:  denied
 { read } for  pid=4713 exe=/bin/ls name=current dev=proc
ino=308871187 scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=file







And the same problem seems to block sending mail with sendmail :


Dec  6 09:19:54 portable kernel: audit(1102342794.379:0): avc:  denied
 { search } for  pid=4728 exe=/usr/sbin/sendmail.sendmail name=spool
dev=hda2 ino=1030213 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:var_spool_t tclass=dir
Dec  6 09:19:54 portable kernel: audit(1102342794.380:0): avc:  denied
 { create } for  pid=4728 exe=/usr/sbin/sendmail.sendmail
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket
Comment 9 Joe Orton 2004-12-06 18:12:17 EST
Using selinux-policy-targeted-1.17.30-2.35, confirmed:

For script: <?php exec('ls /var/www/html'); ?>

Dec  6 23:09:48 blane kernel: audit(1102374588.629:0): avc:  denied  {
getattr } for  pid=1153 exe=/bin/bash path=/bin/ls dev=hda2
ino=2807196 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:ls_exec_t tclass=file

using: <?php exec('/bin/ls /var/www/html'); ?> instead gets:

Dec  6 23:10:11 blane kernel: audit(1102374611.533:0): avc:  denied  {
execute } for  pid=1173 exe=/bin/bash name=ls dev=hda2 ino=2807196
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:ls_exec_t tclass=file
Dec  6 23:10:11 blane kernel: audit(1102374611.533:0): avc:  denied  {
getattr } for  pid=1173 exe=/bin/bash path=/bin/ls dev=hda2
ino=2807196 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:ls_exec_t tclass=file
Comment 10 Daniel Walsh 2004-12-08 12:11:11 EST
Should be fixed in selinux-policy-targeted-1.17.30-2.42
Comment 11 Jean-Francois Saucier 2004-12-08 13:02:11 EST
Like I said before on my 2004-12-06 09:20 message, I have the same
problem with the .42 release.

It did not solve the problem, have you modified the .42 since it was
released?
Comment 12 Jean-Francois Saucier 2004-12-10 10:32:22 EST
Ok, I installed the .44 packages and experience the same problem as
before.
Comment 13 Jean-Francois Saucier 2004-12-21 14:51:50 EST
With the stable .51 release, I have the same problem
Comment 14 Daniel Walsh 2004-12-21 15:00:22 EST
Please be more specific.
Are you saying that you still can not run the ls command from within php
<?php exec('ls /var/www/html'); ?>

Or some other command?


Dan
Comment 15 Jean-Francois Saucier 2004-12-21 15:50:23 EST
Excuse for not giving more detail. Here is what I have when I run the
<?php exec('ls /var/www/html');?>


Dec 21 15:50:06 portable kernel: audit(1103662206.539:0): avc:  denied
 { search } for  pid=10805 exe=/bin/ls name=selinux dev=hda2
ino=2665775 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:selinux_config_t tclass=dir
Dec 21 15:50:06 portable kernel: audit(1103662206.539:0): avc:  denied
 { read } for  pid=10805 exe=/bin/ls name=mounts dev=proc
ino=708116496 scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=file
Dec 21 15:50:06 portable kernel: audit(1103662206.540:0): avc:  denied
 { read } for  pid=10805 exe=/bin/ls name=current dev=proc
ino=708116499 scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=file
Comment 16 Daniel Walsh 2004-12-21 18:03:21 EST
Ok try selinux-policy-targeted-1_17_30-2_58
This was added to the upstream version but not the Fedora version.

Should be available tomorrow or grab it off of
ftp://people.redhat.com/dwalsh/SELinux/FC3
Comment 17 Jean-Francois Saucier 2004-12-22 09:48:49 EST
It work fine with the exec('ls') but don't work with sendmail with the
command : mail($email, $subject, $body, $headers);


Dec 22 09:45:07 portable kernel: audit(1103726707.289:0): avc:  denied
 { search } for  pid=10301 exe=/usr/sbin/sendmail.sendmail name=spool
dev=hda2 ino=1030213 scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:var_spool_t tclass=dir
Dec 22 09:45:07 portable kernel: audit(1103726707.290:0): avc:  denied
 { create } for  pid=10301 exe=/usr/sbin/sendmail.sendmail
scontext=root:system_r:httpd_sys_script_t
tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket


Thanks
Comment 18 Daniel Walsh 2004-12-22 10:09:47 EST
What is the labeling on exe=/usr/sbin/sendmail.sendmail

ls -lZ /usr/sbin/sendmail.sendmail
Comment 19 Jean-Francois Saucier 2004-12-22 10:32:04 EST
It's :

-rwxr-sr-x  root     smmsp    system_u:object_r:sbin_t        
/usr/sbin/sendmail.sendmail
Comment 20 Daniel Walsh 2004-12-22 11:11:28 EST
Try 

restorecon -v /usr/sbin/sendmail.sendmail

If it changes it's context then try the apache again.
Comment 21 Jean-Francois Saucier 2004-12-22 11:18:05 EST
Ok, I try the command and it set the context like this :

-rwxr-sr-x  root     smmsp    system_u:object_r:sendmail_exec_t
/usr/sbin/sendmail.sendmail



And now, here is what it say in my log (I have restart apache and
sendmail) :


Dec 22 11:16:07 portable kernel: audit(1103732167.252:0): avc:  denied
 { append } for  pid=13640 exe=/usr/sbin/sendmail.sendmail
path=/var/log/httpd/error_log dev=hda2 ino=1032260
scontext=root:system_r:system_mail_t
tcontext=root:object_r:httpd_runtime_t tclass=file
Dec 22 11:16:07 portable kernel: audit(1103732167.252:0): avc:  denied
 { append } for  pid=13640 exe=/usr/sbin/sendmail.sendmail
path=/var/log/httpd/error_log dev=hda2 ino=1032260
scontext=root:system_r:system_mail_t
tcontext=root:object_r:httpd_runtime_t tclass=file
Dec 22 11:16:07 portable kernel: audit(1103732167.252:0): avc:  denied
 { append } for  pid=13640 exe=/usr/sbin/sendmail.sendmail
path=/var/log/httpd/ssl_error_log dev=hda2 ino=1032257
scontext=root:system_r:system_mail_t
tcontext=root:object_r:httpd_runtime_t tclass=file
Dec 22 11:16:07 portable kernel: audit(1103732167.252:0): avc:  denied
 { append } for  pid=13640 exe=/usr/sbin/sendmail.sendmail
path=/var/log/httpd/access_log dev=hda2 ino=1032359
scontext=root:system_r:system_mail_t
tcontext=root:object_r:httpd_runtime_t tclass=file
Dec 22 11:16:07 portable kernel: audit(1103732167.252:0): avc:  denied
 { append } for  pid=13640 exe=/usr/sbin/sendmail.sendmail
path=/var/log/httpd/ssl_access_log dev=hda2 ino=1032261
scontext=root:system_r:system_mail_t
tcontext=root:object_r:httpd_runtime_t tclass=file
Dec 22 11:16:07 portable kernel: audit(1103732167.252:0): avc:  denied
 { append } for  pid=13640 exe=/usr/sbin/sendmail.sendmail
path=/var/log/httpd/ssl_request_log dev=hda2 ino=1032284
scontext=root:system_r:system_mail_t
tcontext=root:object_r:httpd_runtime_t tclass=file
Dec 22 11:16:07 portable kernel: audit(1103732167.294:0): avc:  denied
 { write } for  pid=13640 exe=/usr/sbin/sendmail.sendmail
name=clientmqueue dev=hda2 ino=1030297
scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:var_spool_t tclass=dir
Dec 22 11:16:07 portable kernel: audit(1103732167.297:0): avc:  denied
 { write } for  pid=13640 exe=/usr/sbin/sendmail.sendmail
name=clientmqueue dev=hda2 ino=1030297
scontext=root:system_r:system_mail_t
tcontext=system_u:object_r:var_spool_t tclass=dir
Comment 22 Daniel Walsh 2004-12-22 11:24:03 EST
restorecon -R -v /var/spool /var/log

Should fix those.
Comment 23 Jean-Francois Saucier 2004-12-22 11:44:13 EST
Thanks a lot, everything work now. SELinux can be enforce all the time
now!

Just a question, why do I have always problem with wrong context and
must always do the restorecon stuff? I never change the context of
/var/spool
Comment 24 Daniel Walsh 2004-12-22 11:51:32 EST
The problem is that on fresh install RPM set's the file context of
files to match the file_context in the current policy file.  We have
had to add some policy files with new contexts since the original FC3
policy,  So the only way to get the contexts correct on disk is to
relabel.  
So doing a complete relabel would fix this problem, but it is often
easier to relabel the effected parts of the system.

Hopefully we will eventually get the policy to settle down and we will
not be updating as much as we are now.

Thanks for your patience.

Dan
Comment 25 Jean-Francois Saucier 2004-12-22 12:59:50 EST
Thanks for the explanation, it help me understand how it work better.

For the moment, I have no other SELinux problem.
Comment 26 Tim Powers 2005-06-09 09:05:58 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-251.html

Note You need to log in before you can comment on or make changes to this bug.