Bug 150880 - apache not able to run cgi programs
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Reported: 2005-03-11 16:37 UTC by Aleksandar Milivojevic
Modified: 2007-11-30 22:07 UTC (History)

Doc Type: Bug Fix
Last Closed: 2005-03-11 19:28:19 UTC

Description Aleksandar Milivojevic 2005-03-11 16:37:15 UTC
Description of problem:
I have system with /var on separate partition (LVM volume), mounted with nosuid flag.

Attempt to run scripts in /var/www/cgi-bin results in:

kernel: audit(1110558179.124:0): avc:  denied  { execute_no_trans } for  pid=8942 exe=/usr/sbin/httpd path=/var/www/cgi-bin/myprogram.cgi dev=dm-2 ino=432261 scontext=user_u:system_r:httpd_t tcontext=root:object_r:httpd_sys_script_exec_t tclass=file

I've checked the value of the httpd_enable_cgi boolean, and it is set to true.

# getsebool httpd_enable_cgi
httpd_enable_cgi --> active
# grep httpd_enable_cgi /etc/selinux/targeted/booleans
httpd_enable_cgi=1

File security context is also correct on both the program file and cgi-bin directory:

# ls -Za /var/www/cgi-bin
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_script_exec_t .
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t ..
-rwxr-xr-x  root     root     root:object_r:httpd_sys_script_exec_t myprogram.cgi

I'm kind of out of ideas what else to do/check.  I've attempted installing selinux-policy-targeted-1.17.30-2.86, but got the same behaviour.

BTW, this is on RHEL4 clone, however the SRPM package was the same, so the problem should exist on "real" RHEL4 too.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.52.1

How reproducible:
Always

Steps to Reproduce:
1. Attempt to run CGI programs in /var/www/cgi-bin


Additional info:

Comment 1 Colin Walters 2005-03-11 17:49:06 UTC
The nosuid flag prevents domain transitions from occurring.  I'm not sure there
exist any good fixes besides removing the nosuid flag or disabling enforcement
for Apache.  You might be able to change the script type to bin_t, but then the
script will run as httpd_t.
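
A diagnostic for the cause Colin describes, added here as an example (it is not from the bug report or from Red Hat): it takes the AVC execute_no_trans denial quoted in the description together with a /proc/mounts table and reports whether the denied script lives on a nosuid mount. The mount table below is constructed for the example; the AVC line is the one from the report.

```sh
#!/bin/sh
# Added diagnostic, not part of the bug report: given an execute_no_trans AVC
# denial and a /proc/mounts listing, say whether the denied path is on a nosuid
# mount, which stops httpd_t from transitioning into the CGI script domain.

# Constructed sample input: the AVC line from the report, plus a made-up mount table.
AVC_LINE='kernel: audit(1110558179.124:0): avc:  denied  { execute_no_trans } for  pid=8942 exe=/usr/sbin/httpd path=/var/www/cgi-bin/myprogram.cgi dev=dm-2 ino=432261 scontext=user_u:system_r:httpd_t tcontext=root:object_r:httpd_sys_script_exec_t tclass=file'
MOUNTS='/dev/mapper/vg-root / ext3 rw 0 0
/dev/mapper/vg-var /var ext3 rw,nosuid 0 0
/dev/sda1 /boot ext3 rw 0 0'

# avc_path LINE: print the path= field of an AVC record.
avc_path() {
    printf '%s\n' "$1" | sed -n 's/.*path=\([^ ]*\).*/\1/p'
}

# mount_opts MOUNTS PATH: print the mount options of the deepest mount point
# that contains PATH, i.e. the filesystem the file really lives on.
mount_opts() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { mp = $2
          if (mp == "/" || mp == p || index(p, mp "/") == 1) { if (length(mp) > length(best)) { best = mp; opts = $4 } } }
        END { print opts }'
}

# check_nosuid MOUNTS AVC_LINE: print "nosuid" when the denied path sits on a
# nosuid mount (no domain transition possible there), otherwise "ok".
check_nosuid() {
    p=$(avc_path "$2")
    case ",$(mount_opts "$1" "$p")," in
        *,nosuid,*) echo nosuid ;;
        *)          echo ok ;;
    esac
}

p=$(avc_path "$AVC_LINE")
if [ "$(check_nosuid "$MOUNTS" "$AVC_LINE")" = nosuid ]; then
    echo "$p is on a nosuid mount; httpd_t cannot transition to run it."
    echo "Fix the reporter confirmed: remount without nosuid (mount -o remount,suid /var)."
else
    echo "$p is not on a nosuid mount; check file contexts and booleans instead."
fi
```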

Comment 2 Aleksandar Milivojevic 2005-03-11 19:28:19 UTC
Thanks Colin.  I've been attempting to solve this for a couple of days.
Mounting the partition with the suid flag (default) solved the problem.

BTW, it might be a good idea to include this piece of information in
http://fedora.redhat.com/docs/selinux-apache-fc3/ (and related RHEL)
documentation.
