Bug 150880 - apache not able to run cgi programs
apache not able to run cgi programs
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
4.0
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-03-11 11:37 EST by Aleksandar Milivojevic
Modified: 2007-11-30 17:07 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-03-11 14:28:19 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Aleksandar Milivojevic 2005-03-11 11:37:15 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050301 Firefox/1.0.1 Red Hat/1.0.1-1.4.3.centos4.1

Description of problem:
I have system with /var on separate partition (LVM volume), mounted with nosuid flag.

Attempt to run scripts in /var/www/cgi-bin results in:

kernel: audit(1110558179.124:0): avc:  denied  { execute_no_trans } for  pid=8942 exe=/usr/sbin/httpd path=/var/www/cgi-bin/myprogram.cgi dev=dm-2 ino=432261 scontext=user_u:system_r:httpd_t tcontext=root:object_r:httpd_sys_script_exec_t tclass=file

I've checked value of httpd_enable_cgi boolean, ant it is set to true.

# getsebool httpd_enable_cgi
httpd_enable_cgi --> active
# grep httpd_enable_cgi /etc/selinux/targeted/booleans
httpd_enable_cgi=1

File security context is also correct on both the program file and cgi-bin directory:

# ls -Za /var/www/cgi-bin
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_script_exec_t .
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t ..
-rwxr-xr-x  root     root     root:object_r:httpd_sys_script_exec_t myprogram.cgi

I'm kind of out of ideas what else to do/check.  I've attempted installing selinux-policy-targeted-1.17.30-2.86, but got the same behaviour.

BTW, this is on RHEL4 clone, however the SRPM package was the same, so the problem should exist on "real" RHEL4 too.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.52.1

How reproducible:
Always

Steps to Reproduce:
1. Attempt to run CGI programs in /var/www/cgi-bin


Additional info:
Comment 1 Colin Walters 2005-03-11 12:49:06 EST
The nosuid flag prevents domain transitions from occuring.  I'm not sure there
exist any good fixes besides removing the nosuid flag or disabling enforcement
for Apache.  You might be able to change the script type to bin_t, but then the
script will run as httpd_t.
Comment 2 Aleksandar Milivojevic 2005-03-11 14:28:19 EST
Thanks Colin.  I've been attempting to solve this for couple of days.
 Mounting partition with suid flag (default) solved the problem.

BTW, it might be good idea to include this piece of information in
http://fedora.redhat.com/docs/selinux-apache-fc3/ (and related RHEL)
documentation.

Note You need to log in before you can comment on or make changes to this bug.