From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041111 Firefox/1.0

Description of problem:
I have selinux-policy-targeted-1.17.30-2.33 and libselinux-1.19.1-3 installed. I have a small page with just the following code in it:

<?php exec('ls'); ?>

When I launch the page, it says in my dmesg:

Nov 22 14:31:17 portable kernel: audit(1101151877.305:0): avc: denied { getattr } for pid=15954 exe=/bin/bash path=/bin/ls dev=hda2 ino=2355983 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:ls_exec_t tclass=file

In another script, I use the htmldoc program and this gives in my dmesg:

Nov 22 14:39:16 portable kernel: audit(1101152356.400:0): avc: denied { read write } for pid=16067 exe=/bin/bash path=socket:[41977] dev=sockfs ino=41977 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_t tclass=unix_stream_socket
Nov 22 14:39:16 portable kernel: audit(1101152356.593:0): avc: denied { search } for pid=16068 exe=/usr/bin/htmldoc scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
Nov 22 14:39:16 portable kernel: audit(1101152356.593:0): avc: denied { search } for pid=16068 exe=/usr/bin/htmldoc name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
Nov 22 14:39:16 portable kernel: audit(1101152356.967:0): avc: denied { write } for pid=16068 exe=/usr/bin/htmldoc name=tmp dev=hda3 ino=50222 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:object_r:httpd_sys_content_t tclass=dir

How can I use exec with PHP? Many of my scripts use custom bash scripts to do some tasks.

PS: I have the latest version of selinux-policy-targeted that I found at ftp://people.redhat.com/dwalsh/SELinux/FC3/

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.33

How reproducible:
Always

Steps to Reproduce:
1. Use exec() in a php script
2. Launch the script
3. See the error

Actual Results: The script doesn't work

Expected Results: The script works using the exec command

Additional info:
Fixed in selinux-policy-targeted-1.17.30-2.34 or selinux-policy-targeted-1.19.4-3
Ok, I have installed selinux-policy-targeted-1.17.30-2.34 and selinux-policy-targeted-sources-1.17.30-2.34.noarch.rpm with rpm -Uvh. It says:

warning: /etc/selinux/targeted/policy/policy.18 created as /etc/selinux/targeted/policy/policy.18.rpmnew

What can I do? It does not seem to reload the policy... Do I need to rename policy.18.rpmnew to policy.18?
selinux-policy-targeted-sources should have reloaded the policy. You can do a make -C /etc/selinux/targeted/src/policy load to make sure.
Ok, it is reloaded but it did not solve my problem. Here is what it says in my logs:

Nov 23 19:16:20 portable kernel: audit(1101255380.789:0): avc: denied { read write } for pid=3822 exe=/bin/bash path=socket:[10728] dev=sockfs ino=10728 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_t tclass=unix_stream_socket
Nov 23 19:16:20 portable kernel: audit(1101255380.951:0): avc: denied { search } for pid=3823 exe=/usr/bin/htmldoc scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_kernel_t tclass=dir
Nov 23 19:16:20 portable kernel: audit(1101255380.952:0): avc: denied { search } for pid=3823 exe=/usr/bin/htmldoc name=sys dev=proc ino=-268435431 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:sysctl_t tclass=dir
Nov 23 19:16:21 portable kernel: audit(1101255381.310:0): avc: denied { write } for pid=3823 exe=/usr/bin/htmldoc name=tmp dev=hda3 ino=50222 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:object_r:httpd_sys_content_t tclass=dir

It works fine without enforcing SELinux. And with the new .34 policy, it says this before starting mysqld:

Nov 23 19:15:48 portable httpd: httpd startup succeeded
Nov 23 19:15:49 portable kernel: audit(1101255349.283:0): avc: denied { append } for pid=3757 exe=/usr/libexec/mysqld path=/var/log/mysqld.log dev=hda2 ino=1032864 scontext=root:system_r:mysqld_t tcontext=user_u:object_r:var_log_t tclass=file
Nov 23 19:15:49 portable kernel: audit(1101255349.283:0): avc: denied { append } for pid=3757 exe=/usr/libexec/mysqld path=/var/log/mysqld.log dev=hda2 ino=1032864 scontext=root:system_r:mysqld_t tcontext=user_u:object_r:var_log_t tclass=file
Nov 23 19:15:50 portable mysqld: Starting MySQL: succeeded
With the new .39 package, this bug continues to be here with the same error log.
restorecon /var/log/mysqld.log should fix the var_log_t problem; I wonder why it is labeled incorrectly. Are you seeing other problems with the htmldoc stuff?

Dan
Ok, it fixes the mysql error at startup, thanks. For the htmldoc problem, here is what I have now:

Dec 2 15:14:17 portable kernel: audit(1102018457.009:0): avc: denied { read write } for pid=12810 exe=/bin/bash path=socket:[30566] dev=sockfs ino=30566 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_t tclass=unix_stream_socket
Dec 2 15:14:17 portable kernel: audit(1102018457.502:0): avc: denied { write } for pid=12811 exe=/usr/bin/htmldoc name=tmp dev=hda3 ino=50222 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:object_r:httpd_sys_content_t tclass=dir

Here is what I have for a simple php exec('ls'):

Dec 2 15:14:53 portable kernel: audit(1102018493.590:0): avc: denied { getattr } for pid=12819 exe=/bin/bash path=/bin/ls dev=hda2 ino=2355882 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:ls_exec_t tclass=file

Thanks a lot for your time and help
With the .42 release:

The simple exec('ls'):

Dec 6 09:18:48 portable kernel: audit(1102342728.088:0): avc: denied { search } for pid=4713 exe=/bin/ls name=selinux dev=hda2 ino=2665775 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Dec 6 09:18:48 portable kernel: audit(1102342728.088:0): avc: denied { read } for pid=4713 exe=/bin/ls name=mounts dev=proc ino=308871184 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=file
Dec 6 09:18:48 portable kernel: audit(1102342728.090:0): avc: denied { read } for pid=4713 exe=/bin/ls name=current dev=proc ino=308871187 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=file

And the same problem seems to block sending mail with sendmail:

Dec 6 09:19:54 portable kernel: audit(1102342794.379:0): avc: denied { search } for pid=4728 exe=/usr/sbin/sendmail.sendmail name=spool dev=hda2 ino=1030213 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
Dec 6 09:19:54 portable kernel: audit(1102342794.380:0): avc: denied { create } for pid=4728 exe=/usr/sbin/sendmail.sendmail scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket
Using selinux-policy-targeted-1.17.30-2.35, confirmed:

For script:

<?php exec('ls /var/www/html'); ?>

Dec 6 23:09:48 blane kernel: audit(1102374588.629:0): avc: denied { getattr } for pid=1153 exe=/bin/bash path=/bin/ls dev=hda2 ino=2807196 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:ls_exec_t tclass=file

Using:

<?php exec('/bin/ls /var/www/html'); ?>

instead gets:

Dec 6 23:10:11 blane kernel: audit(1102374611.533:0): avc: denied { execute } for pid=1173 exe=/bin/bash name=ls dev=hda2 ino=2807196 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:ls_exec_t tclass=file
Dec 6 23:10:11 blane kernel: audit(1102374611.533:0): avc: denied { getattr } for pid=1173 exe=/bin/bash path=/bin/ls dev=hda2 ino=2807196 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:ls_exec_t tclass=file
Should be fixed in selinux-policy-targeted-1.17.30-2.42
Like I said before in my 2004-12-06 09:20 message, I have the same problem with the .42 release. It did not solve the problem; have you modified the .42 since it was released?
Ok, I installed the .44 packages and experience the same problem as before.
With the stable .51 release, I have the same problem
Please be more specific. Are you saying that you still cannot run the ls command from within php:

<?php exec('ls /var/www/html'); ?>

Or some other command?

Dan
Excuse me for not giving more detail. Here is what I have when I run <?php exec('ls /var/www/html');?>:

Dec 21 15:50:06 portable kernel: audit(1103662206.539:0): avc: denied { search } for pid=10805 exe=/bin/ls name=selinux dev=hda2 ino=2665775 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:selinux_config_t tclass=dir
Dec 21 15:50:06 portable kernel: audit(1103662206.539:0): avc: denied { read } for pid=10805 exe=/bin/ls name=mounts dev=proc ino=708116496 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=file
Dec 21 15:50:06 portable kernel: audit(1103662206.540:0): avc: denied { read } for pid=10805 exe=/bin/ls name=current dev=proc ino=708116499 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=file
Ok, try selinux-policy-targeted-1_17_30-2_58. This was added to the upstream version but not the Fedora version. It should be available tomorrow, or grab it off of ftp://people.redhat.com/dwalsh/SELinux/FC3
It works fine with exec('ls') but doesn't work with sendmail with the command:

mail($email, $subject, $body, $headers);

Dec 22 09:45:07 portable kernel: audit(1103726707.289:0): avc: denied { search } for pid=10301 exe=/usr/sbin/sendmail.sendmail name=spool dev=hda2 ino=1030213 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
Dec 22 09:45:07 portable kernel: audit(1103726707.290:0): avc: denied { create } for pid=10301 exe=/usr/sbin/sendmail.sendmail scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket

Thanks
What is the labeling on exe=/usr/sbin/sendmail.sendmail?

ls -lZ /usr/sbin/sendmail.sendmail
It's:

-rwxr-sr-x root smmsp system_u:object_r:sbin_t /usr/sbin/sendmail.sendmail
Try restorecon -v /usr/sbin/sendmail.sendmail. If it changes its context then try the apache again.
Ok, I tried the command and it sets the context like this:

-rwxr-sr-x root smmsp system_u:object_r:sendmail_exec_t /usr/sbin/sendmail.sendmail

And now, here is what it says in my log (I have restarted apache and sendmail):

Dec 22 11:16:07 portable kernel: audit(1103732167.252:0): avc: denied { append } for pid=13640 exe=/usr/sbin/sendmail.sendmail path=/var/log/httpd/error_log dev=hda2 ino=1032260 scontext=root:system_r:system_mail_t tcontext=root:object_r:httpd_runtime_t tclass=file
Dec 22 11:16:07 portable kernel: audit(1103732167.252:0): avc: denied { append } for pid=13640 exe=/usr/sbin/sendmail.sendmail path=/var/log/httpd/error_log dev=hda2 ino=1032260 scontext=root:system_r:system_mail_t tcontext=root:object_r:httpd_runtime_t tclass=file
Dec 22 11:16:07 portable kernel: audit(1103732167.252:0): avc: denied { append } for pid=13640 exe=/usr/sbin/sendmail.sendmail path=/var/log/httpd/ssl_error_log dev=hda2 ino=1032257 scontext=root:system_r:system_mail_t tcontext=root:object_r:httpd_runtime_t tclass=file
Dec 22 11:16:07 portable kernel: audit(1103732167.252:0): avc: denied { append } for pid=13640 exe=/usr/sbin/sendmail.sendmail path=/var/log/httpd/access_log dev=hda2 ino=1032359 scontext=root:system_r:system_mail_t tcontext=root:object_r:httpd_runtime_t tclass=file
Dec 22 11:16:07 portable kernel: audit(1103732167.252:0): avc: denied { append } for pid=13640 exe=/usr/sbin/sendmail.sendmail path=/var/log/httpd/ssl_access_log dev=hda2 ino=1032261 scontext=root:system_r:system_mail_t tcontext=root:object_r:httpd_runtime_t tclass=file
Dec 22 11:16:07 portable kernel: audit(1103732167.252:0): avc: denied { append } for pid=13640 exe=/usr/sbin/sendmail.sendmail path=/var/log/httpd/ssl_request_log dev=hda2 ino=1032284 scontext=root:system_r:system_mail_t tcontext=root:object_r:httpd_runtime_t tclass=file
Dec 22 11:16:07 portable kernel: audit(1103732167.294:0): avc: denied { write } for pid=13640 exe=/usr/sbin/sendmail.sendmail name=clientmqueue dev=hda2 ino=1030297 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
Dec 22 11:16:07 portable kernel: audit(1103732167.297:0): avc: denied { write } for pid=13640 exe=/usr/sbin/sendmail.sendmail name=clientmqueue dev=hda2 ino=1030297 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
restorecon -R -v /var/spool /var/log should fix those.
Thanks a lot, everything works now. SELinux can be enforced all the time now! Just a question: why do I always have problems with wrong contexts and must always do the restorecon stuff? I never changed the context of /var/spool.
The problem is that on a fresh install RPM sets the file context of files to match the file_context in the current policy file. We have had to add some policy files with new contexts since the original FC3 policy, so the only way to get the contexts correct on disk is to relabel. Doing a complete relabel would fix this problem, but it is often easier to relabel the affected parts of the system. Hopefully we will eventually get the policy to settle down and we will not be updating as much as we are now. Thanks for your patience.

Dan
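As an added example (not code from this bug report or from the SELinux project), a small Python parser for AVC denial lines of the form quoted throughout this thread. It groups denials by subject type, target type and object class so that repeated lines collapse, and marks targets carrying the generic labels that restorecon corrected above (var_log_t, var_spool_t, sbin_t) as likely mislabeling rather than policy gaps; that classification is a heuristic taken from the thread, not an SELinux rule.

```python
"""Group the AVC denials quoted in this bug report by subject/object type.

Added example, not code from the report or the SELinux project. Treating
var_log_t/var_spool_t/sbin_t targets as mislabeled files is a heuristic."""
import re
from collections import defaultdict

# Constructed sample: four denial lines copied from the comments above plus
# one non-AVC syslog line that the parser must skip.
SAMPLE_LOG = """\
Nov 23 19:15:49 portable kernel: audit(1101255349.283:0): avc: denied { append } for pid=3757 exe=/usr/libexec/mysqld path=/var/log/mysqld.log dev=hda2 ino=1032864 scontext=root:system_r:mysqld_t tcontext=user_u:object_r:var_log_t tclass=file
Dec 22 09:45:07 portable kernel: audit(1103726707.289:0): avc: denied { search } for pid=10301 exe=/usr/sbin/sendmail.sendmail name=spool dev=hda2 ino=1030213 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:var_spool_t tclass=dir
Dec 22 09:45:07 portable kernel: audit(1103726707.290:0): avc: denied { create } for pid=10301 exe=/usr/sbin/sendmail.sendmail scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=unix_dgram_socket
Dec 22 11:16:07 portable kernel: audit(1103732167.297:0): avc: denied { write } for pid=13640 exe=/usr/sbin/sendmail.sendmail name=clientmqueue dev=hda2 ino=1030297 scontext=root:system_r:system_mail_t tcontext=system_u:object_r:var_spool_t tclass=dir
Nov 23 19:15:50 portable mysqld: Starting MySQL: succeeded
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")
# Generic default labels that restorecon replaced in this thread (heuristic).
DEFAULT_LABEL_TYPES = {"var_log_t", "var_spool_t", "sbin_t"}


def parse_avc(line):
    """Return a dict of fields for one AVC denial line, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(KV_RE.findall(m.group("rest")))
    rec["perms"] = tuple(m.group("perms").split())
    # Contexts look like user:role:type; the type is what policy rules key on.
    for ctx in ("scontext", "tcontext"):
        rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def summarize(log):
    """Group denials by (source type, target type, class), collecting the union
    of denied permissions and a 'likely_mislabel' hint for the target."""
    groups = defaultdict(lambda: {"perms": set(), "likely_mislabel": False})
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # not an AVC message (e.g. the mysqld startup line)
        g = groups[(rec["scontext_type"], rec["tcontext_type"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["likely_mislabel"] = rec["tcontext_type"] in DEFAULT_LABEL_TYPES
    return dict(groups)
```

Calling summarize(SAMPLE_LOG) yields four groups; the three whose target is var_log_t or var_spool_t are flagged, while the httpd_sys_script_t self-denial on unix_dgram_socket is not, matching the split between restorecon fixes and policy updates in the thread.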
Thanks for the explanation, it helps me understand how it works better. For the moment, I have no other SELinux problem.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2005-251.html