Bug 149454 - w3c-markup-validator not compatible with SELinux targeted policy
w3c-markup-validator not compatible with SELinux targeted policy
Product: Fedora
Classification: Fedora
Component: w3c-markup-validator (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Ville Skyttä
Fedora Extras Quality Assurance
Depends On: 182673
Blocks: FE5Target
  Show dependency treegraph
Reported: 2005-02-23 03:23 EST by Fred New
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-10-14 16:10:23 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Fred New 2005-02-23 03:23:08 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Description of problem:
The validator uses a cgi-bin script that gets installed as /usr/share/w3c-markup-validator/check.  The SELinux context for this file doesn't permit httpd to execute it.  Instead the following message appears in /var/log/messages:
Feb 22 15:22:04 nimeta01 kernel: audit(1109078524.780:0): avc:  denied  { execute } for  pid=27962 exe=/usr/sbin/httpd name=check dev=hda3 ino=1827341 scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=file

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install w3c-markup-validator on a FC3 system with selinux-policy-targeted and SELinux in enforcing mode.
2. Restart the httpd service.
3. Try validating a Web page from http://<hostname>/w3c-validator/

Actual Results:  The browser showed some sort of error and the above message appeared in /var/log/messages.

Expected Results:  The browser should show whether the page you tried to validate has errors or not.

Additional info:

I issued the command

chcon /usr/share/w3c-markup-validator/check --reference
  /var/www/cgi-bin/<pre-existing cgi-bin script>

and the validator started working, but I am still seeing the following messages in /var/log/messages (which I assume are caused by this application):

Feb 22 18:17:09 nimeta01 kernel: audit(1109089029.945:0): avc:  denied  { read } for  pid=28147 exe=/usr/bin/perl name=tmp dev=hda3 ino=1596358 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:tmp_t tclass=lnk_file
Comment 1 Ville Skyttä 2005-02-23 16:31:54 EST
I cannot reproduce.  This is on my FC3 box:


-rwxr-xr-x  root     root     system_u:object_r:usr_t          check

# cat /selinux/enforce

Validation works fine, nothing in /var/log/httpd/error_log nor
/var/log/messages.  What am I missing?
Comment 2 Fred New 2005-02-26 14:05:26 EST
I have installed it on a second machine and I am having the same
problem.  The browser shows "Internal Server Error" with a few
suggestions about what to do about it.


[Sat Feb 26 20:01:49 2005] [error] [client] (13)Permission
denied: exec of '/usr/share/w3c-markup-validator/check' failed,
referer: http://darth/w3c-validator/
[Sat Feb 26 20:01:49 2005] [error] [client] Premature end
of script headers: check, referer: http://darth/w3c-validator/


Feb 26 20:01:49 darth kernel: audit(1109440909.250:0): avc:  denied  {
execute } for  pid=4947 exe=/usr/sbin/httpd name=check dev=hda3
ino=701643 scontext=root:system_r:httpd_t
tcontext=system_u:object_r:usr_t tclass=file


SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Mode from config file:  enforcing
Policy version:         18
Policy from config file:targeted

Policy booleans:
allow_ypbind            active
dhcpd_disable_trans     inactive
httpd_disable_trans     inactive
httpd_enable_cgi        active
httpd_enable_homedirs   active
httpd_ssi_exec          active
httpd_tty_comm          inactive
httpd_unified           active
mysqld_disable_trans    inactive
named_disable_trans     inactive
nscd_disable_trans      inactive
ntpd_disable_trans      inactive
portmap_disable_trans   inactive
snmpd_disable_trans     inactive
squid_disable_trans     inactive
syslogd_disable_trans   inactive
winbind_disable_trans   inactive
ypbind_disable_trans    inactive

And finally ls -lZ:

# ls -Zl /usr/share/w3c-markup-validator/check
-rwxr-xr-x  1 system_u:object_r:usr_t          root root 112116 Jul 21
 2004 /usr/share/w3c-markup-validator/check

My selinux-policy, validator and httpd packages match yours.
Comment 3 Ville Skyttä 2005-02-26 14:56:01 EST
I still have no clue about this.  Works fine here.  On the other hand
the behaviour on your boxes makes kind of sense, I wonder why I'm not
seeing it.

The only difference between your and my sestatus output is that you
have httpd_enable_homedirs active, while I've inactivated it.  That
doesn't affect this, but I also verified that to be sure.

Do you have any customizations applied to the targeted config?
rpm -V selinux-policy-targeted
Comment 4 Fred New 2005-02-28 00:42:53 EST
No special customizations to the policy:

[root@darth ~]# rpm -V selinux-policy-targeted
[root@darth ~]#
Comment 5 Fred New 2005-03-01 05:14:15 EST
I re-installed FC3 on my original system yesterday because I messed it
up by trying to update it to Rawhide.  And just now installed
w3c-markup-validator and got the same error.  This time I used
     chcon -t httpd_sys_script_exec_t \
and the script started working.

Some notes about how I re-installed my system (this time):
1. Before installing, I copied the updated RPMs in
/var/cache/yum/updates-released/packages to a partition that I
wouldn't format during the installation.
2. Installing from CDs, I selected a "workstation" installation.
3. I also selected to install httpd.
4. After the installation, I removed older, duplicate RPMs from the
directory created in step 1 and updated all affected packages:
     rpm -ivh kernel-2*.rpm
     rpm -Fvh *.rpm
5. yum update
6. Manually installed the packages required for w3c-markup-validator:

The 3 packages mentioned above are still the same:

I don't understand how your check script can work with a context type
of usr_t.  Maybe one of us should post a question on the
fedora-selinux list.
Comment 6 Ville Skyttä 2005-03-03 13:09:15 EST
I managed to reproduce this.  For a reason unknown to me, my
/usr/sbin/httpd was root:object_r:sbin_t.  No, I didn't set it myself,
and this is a single user box.

Now, the check script obviously needs to be
system_u:object_r:httpd_sys_script_exec_t, and the static web pages
system_u:object_r:httpd_sys_content_t.  Dunno about the config files
etc yet.
Comment 7 Brett Randall 2005-07-05 04:10:35 EDT
I can also reproduce this problem on FC3+Updates with SELinux, unmodified
policies.  Any further advice and/or patches or config files before I attempt a
workaround based on the info above?
Comment 8 Ville Skyttä 2005-07-05 12:43:30 EDT
Help is welcome, but here's a couple of things worth noting: 
I've examined the behaviour somewhat on FC4 (by the way, this package is not 
yet included in FC4+ due to these problems), see: 
Also, we're (the W3C QA tools development team) releasing version 0.7.0 of the 
Validator soon; a beta is expected to be launched this week.  While it's 
pretty much similar to 0.6.7, it's not entirely impossible that their SELinux 
configuration needs might differ a bit.  Examining this is assigned to me both 
here (the FE package) and upstream, and I will try to find time to look at it 
in the future in any case.  But as said, help is welcome, and looking into 
what 0.6.7 would need is definitely useful. 
By the way, there's no way to cleanly install new policy modules currently 
(until FC5 I hear), so chances are that until then, once someone has figured 
out exactly what's needed, we'll just include the needed policy changes as 
documentation in this package. 
Comment 9 Ville Skyttä 2005-07-05 12:46:54 EDT
Oh, and for the record: AFAICT we should most likely be creating an individual 
SELinux domain for the CGI script here.  See 
http://fedora.redhat.com/docs/selinux-apache-fc3/ for more info. 
Comment 10 Ville Skyttä 2006-02-25 16:28:30 EST
FYI, this is finally being worked on in bug 182673, sorry for the delay.
Comment 11 Ville Skyttä 2007-10-14 16:10:23 EDT
Finally got around to verifying that this is indeed done (for the most common
HTTP ports) in current F7 selinux policy packages.

Note You need to log in before you can comment on or make changes to this bug.