Bug 168772 - apache failed to get default context
apache failed to get default context
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
4
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: James Antill
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-09-20 05:36 EDT by p thompson
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version: FC5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-09-21 22:14:31 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description p thompson 2005-09-20 05:36:18 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050909 Fedora/1.0.6-1.2.fc4 Firefox/1.0.6

Description of problem:
Apache runs a bash script with sudo

#!/usr/bin/perl -w
use CGI::Carp qw(fatalsToBrowser);
my @a=`sudo /var/www/internet/scripts/nointernet 0`;
@a=<DATA>;
print("@a");
exit;
__END__

<HTML>
<META HTTP-EQUIV="EXPIRES" CONTENT="Sat, 01 Jan 2000 00:00:00 GMT">
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://192.168.0.1/internet/">
</HTML>

SE Linux and sudoers have been modified to allow this.
User clicks on form which executes cgi script which fails with no error in /var/log/secure:

Sep 20 04:20:20 monotheletisia sudo:   apache : TTY=unknown ; PWD=/var/www/internet/scripts ; USER=root ; COMMAND=/var/www/internet/scripts/nointernet 0

No errors appear in /var/log/audit/audit.log (completely unrelated cron audit entry below, no apache entries)

type=USER_END msg=audit(1127208601.749:7361): user pid=6730 uid=0 auid=0 msg='PAM session close: user=root exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron result=Success)'

Below appears in /etc/httpd/logs/error_log

[Tue Sep 20 04:26:08 2005] [error] [client 192.168.0.1] failed to get default context, referer: http://192.168.0.1/internet/


This is the contents of sudoers

apache  ALL = NOPASSWD: /var/www/internet/scripts/nointernet

This is the context of the /var/www/internet/scripts directory
-rwxrwxr-x  apache   apache   root:object_r:httpd_sys_script_exec_t internet.pl
-rwxr-xr-x  apache   apache   root:object_r:httpd_sys_script_exec_t nointernet
-rwxr-xr-x  apache   apache   root:object_r:httpd_sys_script_exec_t nointernet.pl
-rwxr-xr-x  apache   apache   root:object_r:httpd_sys_script_exec_t oninternet.pl

Previously worked under FC3.

httpd-2.0.54-10.2
sudo-1.6.8p8-2.2
pam-0.79-9.52.2


Version-Release number of selected component (if applicable):
httpd-2.0.54-10.2

How reproducible:
Always

Steps to Reproduce:
1. apache executes script
2.
3.
  

Expected Results:  sudo allows apache user to execute /var/www/internet/scripts/nointernet
as root which consists of 
#!/bin/bash
echo $1 > /proc/sys/net/ipv4/ip_forward


Additional info:

Is this an apache error or a selinux error?  No errors in audit.log = confusing
Comment 1 p thompson 2005-09-20 05:38:49 EDT
httpd.conf contains
ScriptAlias /scripts/ "/var/www/internet/scripts/"

Alias /internet "/var/www/internet/"

<Directory /var/www/internet/>
    DirectoryIndex index.shtml
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "internet"
    AuthUserFile /etc/httpd/conf/passwd
    require user userx
    require user usery
</Directory>
Comment 2 Joe Orton 2005-09-20 05:56:24 EDT
The error is coming from sudo; perhaps this is deliberate due to the SELinux
policy, I'm not sure.
Comment 3 Karel Zak 2005-09-20 06:24:20 EDT
Please, try call "sudo /var/www/internet/scripts/nointernet 0" manually under
same user as your apache and without SELinux (kernel boot option selinux=0). 

It really seems like SELinux problem -- sudo always writes something to logs.
Comment 4 Daniel Walsh 2005-09-20 08:50:39 EDT
Are you seeing any avc messages?

Dan
Comment 5 Daniel Walsh 2005-09-20 08:51:55 EDT
You might also want to run this script as httpd_unconfined_script_t
Comment 6 p thompson 2005-09-20 09:14:17 EDT
1) script works after booting with selinux=0 

2) Not sure how to run as apache user:
"su - apache
This account is currently not available."

3) avc messages = contents of /var/log/audit/audit.log?
failure of the script does not make anything new appear there

4) re:httpd_unconfined_script_t I must be doing something wrong

chcon root:object_r:httpd_unconfined_script_t *
chcon: failed to change context of internet.pl to
root:object_r:httpd_unconfined_script_t: Permission denied
chcon: failed to change context of nointernet to
root:object_r:httpd_unconfined_script_t: Permission denied
chcon: failed to change context of nointernet.pl to
root:object_r:httpd_unconfined_script_t: Permission denied
chcon: failed to change context of oninternet.pl to
root:object_r:httpd_unconfined_script_t: Permission denied

speaking of avc messages:

type=AVC msg=audit(1127221942.099:308): avc:  denied  { relabelto } for 
pid=4030 comm="chcon" name="oninternet.pl" dev=sdg2 ino=179597
scontext=root:system_r:unconfined_t
tcontext=root:object_r:httpd_unconfined_script_t tclass=file


Comment 7 p thompson 2005-09-20 09:57:21 EDT
re 2):
perl -e '$uid = `id -u apache`; $gid = `id -g apache`;' -e '$( = $) = "$gid
$gid"; $> = $< = $uid; exec "sudo /var/www/internet/scripts/nointernet 1";'

script works as apache
Comment 8 Daniel Walsh 2005-09-20 11:18:51 EDT
httpd_unconfined_script_t should be
httpd_unconfined_script_exec_t

Sorry about that.
Comment 9 p thompson 2005-09-20 11:54:55 EDT
OK, changed the files accordingly, now I get 

type=CRED_ACQ msg=audit(1127231295.419:615): user pid=7296 uid=0 auid=4294967295
msg='PAM setcred: user=root exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=?
result=Success)'
type=USER_START msg=audit(1127231295.420:616): user pid=7296 uid=0
auid=4294967295 msg='PAM session open: user=root exe="/usr/bin/sudo"
(hostname=?, addr=?, terminal=? result=Success)'
type=USER_END msg=audit(1127231295.421:617): user pid=7296 uid=0 auid=4294967295
msg='PAM session close: user=root exe="/usr/bin/sudo" (hostname=?, addr=?,
terminal=? result=Success)'
type=AVC msg=audit(1127231295.423:618): avc:  denied  { transition } for 
pid=7296 comm="sudo" name="sesh" dev=md0 ino=374213
scontext=system_u:system_r:httpd_unconfined_script_t
tcontext=root:system_r:unconfined_t tclass=process
type=SYSCALL msg=audit(1127231295.423:618): arch=40000003 syscall=11 success=no
exit=-13 a0=883a850 a1=88392e0 a2=88390a8 a3=69b840 items=1 pid=7296
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="sudo" exe="/usr/bin/sudo"
type=AVC_PATH msg=audit(1127231295.423:618):  path="/usr/sbin/sesh"
type=PATH msg=audit(1127231295.423:618): item=0 name="/usr/sbin/sesh" flags=101
 inode=374213 dev=09:00 mode=0100755 ouid=0 ogid=0 rdev=00:00

adding 
allow httpd_unconfined_script_t unconfined_t:process transition;
into 
domains/misc/local.te;make reload
does not fix anything
Comment 10 Daniel Walsh 2005-09-20 14:19:38 EDT
How about adding 

typeattribute httpd_unconfined_script_t privuser;

Comment 11 p thompson 2005-09-20 15:08:51 EDT
I'm guessing this goes in policy.conf, I added it about here:

# unconfined domain for apache scripts.  Only to be used as a last resort
#
type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable;
type httpd_unconfined_script_t, domain, nscd_client_domain;
role system_r types httpd_unconfined_script_t;

#line 329

#line 329
typeattribute httpd_unconfined_script_t unrestricted;
typeattribute httpd_unconfined_script_t privuser;

Now everything works. What does that mean?  Was there a bug?
What is the implication of "only to be used as a last resort"...?
Comment 12 Daniel Walsh 2005-09-20 15:43:54 EDT
Yes this is a bug in policy.   I will be adding it in the next update.  

Did you remove the other line? Can you and see if it still works. 

Basically running a script asa httpd_unconfined_script_exec_t means you want all
of apache protected except for this script.  This is better than turning off all
of SELinux apache protection or selinux altogether.  But now if a hacker breaks
into you apache web site.   He will be able to run this script with the same
privs as if he broke in without selinux.

Dan
Comment 13 p thompson 2005-09-21 17:33:22 EDT
Thanks for the help, I will watch for the update.
I would then remove the items from the policy.conf?
Comment 14 Daniel Walsh 2005-09-27 15:43:59 EDT
Fixed in selinux-policy-targeted-1.27.1-2.3
Comment 15 p thompson 2005-09-27 20:48:17 EDT
I installed this from updates-testing and it works.
Is my fix running the script with  httpd_unconfined_script_t or is there a way
to lock it down further that this update allows?
Comment 16 Bill Nottingham 2006-09-21 22:14:31 EDT
Closing bugs in MODIFIED state from prior Fedora releases. If this bug persists
in a current Fedora release (such as Fedora Core 5 or later), please reopen and
set the version appropriately.

Note You need to log in before you can comment on or make changes to this bug.