Bug 178692 - httpd's suexec prevents running cgi scripts
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: low
Assigned To: James Antill
: Reopened
Reported: 2006-01-23 10:53 EST by Peter Bieringer
Modified: 2008-08-01 11:52 EDT (History)

Fixed In Version: RHBA-2007-0171
Doc Type: Bug Fix
Last Closed: 2008-08-01 11:52:43 EDT


Attachments
output from audit.log (3.56 KB, text/plain)
2007-04-05 19:43 EDT, Josef Kubin

Description Peter Bieringer 2006-01-23 10:53:20 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Description of problem:
After migrating some virtual webservers to RHEL4 with SELinux enabled, some suexec'ed scripts are no longer running.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-2.123

How reproducible:
Always

Steps to Reproduce:
1. enabled SELinux
2. setup virtual HTTP server and enable suexec for scripts
3. try to browse to website
  

Actual Results:  Not working; the following events are triggered. I will try to comment on the reasons:

avc:  denied  { search } for  pid=***** comm="httpd" name="www.bieringer.de" dev=md3 ino=***** scontext=user_u:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir

(that's a common problem)


avc:  denied  { execute_no_trans } for  pid=***** comm="suexec" name="footer.cgi" dev=md3 ino=***** scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
avc:  denied  { execute } for  pid=***** comm="footer.cgi" name="ld.so.cache" dev=md1 ino=***** scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:object_r:ld_so_cache_t tclass=file
avc:  denied  { execute } for  pid=***** comm="footer.cgi" name="ld.so.cache" dev=md1 ino=***** scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:object_r:ld_so_cache_t tclass=file

-> footer.cgi is a small C program which adds an SSI footer to each page, which is then interpreted by Apache via an output filter

avc:  denied  { ioctl } for  pid=***** comm="ipv6calcweb.cgi" name="ipv6calcweb.cgi" dev=md3 ino=***** scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
avc:  denied  { read } for  pid=***** comm="ipv6calcweb.cgi" name="loadavg" dev=proc ino=-268435456 scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:proc_t tclass=file
avc:  denied  { ioctl } for  pid=***** comm="ipv6calcweb.cgi" name="loadavg" dev=proc ino=-268435456 scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:proc_t tclass=file
avc:  denied  { getattr } for  pid=***** comm="ipv6calcweb.cgi" name="loadavg" dev=proc ino=-268435456 scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:proc_t tclass=file
avc:  denied  { getattr } for  pid=***** comm="ipv6calcweb.cgi" name="bin" dev=md1 ino=***** scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:bin_t tclass=dir

ipv6calcweb.cgi includes a Perl module which checks the system load by reading values from /proc/loadavg


avc:  denied  { create } for  pid=***** comm="suexec" scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:system_r:httpd_suexec_t tclass=netlink_route_socket
avc:  denied  { bind } for  pid=***** comm="suexec" scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:system_r:httpd_suexec_t tclass=netlink_route_socket
avc:  denied  { getattr } for  pid=***** comm="suexec" scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:system_r:httpd_suexec_t tclass=netlink_route_socket
avc:  denied  { write } for  pid=***** comm="suexec" scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:system_r:httpd_suexec_t tclass=netlink_route_socket
avc:  denied  { nlmsg_read } for  pid=***** comm="suexec" scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:system_r:httpd_suexec_t tclass=netlink_route_socket
avc:  denied  { read } for  pid=***** comm="suexec" scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:system_r:httpd_suexec_t tclass=netlink_route_socket

-> reason unknown



Expected Results:  No such messages

Additional info:

Perhaps policy needs to be adjusted or I have to create a local policy.

audit2allow gives me the following hints, which I have now added to local.te:

allow httpd_suexec_t bin_t:dir getattr;
allow httpd_suexec_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow httpd_suexec_t httpd_sys_content_t:file { execute_no_trans ioctl };
allow httpd_suexec_t ld_so_cache_t:file execute;
allow httpd_suexec_t proc_t:file { getattr ioctl read };
allow httpd_t user_home_t:dir search;

Perhaps some of them are useful to include in the main policy (by default or controlled by a boolean).
Comment 1 Daniel Walsh 2006-01-30 13:47:28 EST
What are the current booleans set for httpd?

getsebool -a | grep httpd

You might have to label your script to httpd_unconfined_exec_t to get this to
work.  Turning some additional booleans on will eliminate a couple.

Dan
Comment 2 Peter Bieringer 2006-02-06 09:05:30 EST
# getsebool -a | grep httpd
httpd_builtin_scripting --> active
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> inactive
httpd_ssi_exec --> active
httpd_tty_comm --> inactive
httpd_unified --> active

Currently I have the following content in local.te:

## sqwebmail
allow httpd_sys_script_t var_t:sock_file write;
allow httpd_sys_script_t unconfined_t:unix_stream_socket connectto;

## 20060123/PB: apache/suexec
allow httpd_suexec_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow httpd_suexec_t httpd_sys_content_t:file execute_no_trans;
allow httpd_suexec_t httpd_t:tcp_socket { read write };
allow httpd_suexec_t ld_so_cache_t:file execute;
allow httpd_t httpd_suexec_t:process signal;

## 20060123/PB: apache/tree in user's home directory
allow httpd_t user_home_t:dir search;

## 20060130/PB: D***/c***.pl
allow httpd_suexec_t httpd_sys_content_t:dir read;
allow httpd_suexec_t httpd_sys_content_t:file { lock write };

## 20060130/PB: wwwa***/m***.cgi
allow httpd_suexec_t httpd_sys_content_t:dir { add_name read write };
allow httpd_suexec_t httpd_sys_content_t:file { append create };

## 20060130/PB: ipv6calcweb.cgi
allow httpd_suexec_t bin_t:dir getattr;
allow httpd_suexec_t self:fifo_file { ioctl read };
allow httpd_suexec_t self:process fork;
allow httpd_suexec_t httpd_sys_content_t:file ioctl;
allow httpd_suexec_t proc_t:file { getattr ioctl read };

## 20060130/PB: ipv6calc
allow httpd_suexec_t bin_t:dir getattr;
allow httpd_suexec_t self:fifo_file { getattr ioctl read write };
allow httpd_suexec_t self:process fork;
allow httpd_suexec_t httpd_sys_content_t:file ioctl;
allow httpd_suexec_t proc_t:file { getattr ioctl read };

# 20060206/PB: c***.cgi
allow httpd_t httpd_sys_content_t:file execute_no_trans;

# 20060206/PB: ww_t***.pl
allow httpd_suexec_t usr_t:lnk_file read;


Any hints as to which of them I can eliminate by switching toggles or changing the security
context of the CGI?
Comment 3 Russell Coker 2006-04-13 05:15:46 EDT
For access to user home directories you first have to enable the 
httpd_enable_homedirs boolean.  To allow serving files from under the home 
directories you have to change the type of the subdirectory that has the 
webspace (along with all files and directories under it) to 
httpd_user_content_t.  If you are doing bulk virtual hosting of web space (i.e.
the user accounts are not used for anything other than web space) then it 
might be appropriate to use the type httpd_user_content_t for everything 
under /home.

For the cgi-bin scripts to run correctly (i.e. not in the httpd_suexec_t domain) you
need to have the scripts themselves use a type that has the attribute 
httpdcontent.  The relevant types are httpd_sys_content_t, 
httpd_sys_script_ro_t, httpd_sys_script_rw_t, and httpd_sys_script_ra_t.  When 
a script that has one of those types is executed there will be an automatic 
domain transition to httpd_sys_script_t.  If running cgi-bin scripts without 
any restrictions you can use the type httpd_unconfined_script_exec_t.

Please try these things out and let me know if you still need to have any 
entries in local.te.
Comment 4 Peter Bieringer 2006-04-13 07:39:08 EDT
Hmm, let's first focus on the cgi-scripts.

I've checked the security context of the scripts; they are properly set:

-rwxr-x---  wwwbieri wwwbieri system_u:object_r:httpd_sys_content_t footer.cgi
-rwxr-x---  wwwbieri wwwbieri system_u:object_r:httpd_sys_content_t ipv6calcweb.cgi

Now I disabled the rules shown above (the block occurs twice):
## 20060130/PB: ipv6calc
allow httpd_suexec_t bin_t:dir getattr;
allow httpd_suexec_t self:fifo_file { getattr ioctl read write };
allow httpd_suexec_t self:process fork;
allow httpd_suexec_t httpd_sys_content_t:file ioctl;
allow httpd_suexec_t proc_t:file { getattr ioctl read };

Afterwards I got all the messages.

I've now changed httpd_sys_content_t to httpd_sys_script_ro_t; same messages.

Do you have another suggestion for the suexec related entries?

My apache config looks like this:
LoadModule suexec_module modules/mod_suexec.so

Per virtual host:
    SuexecUserGroup cgiuser wwwuser
Comment 5 Russell Coker 2006-04-13 08:16:27 EDT
Thanks for your fast response.  I made a mistake in my previous message, the 
best type to use for the cgi-bin scripts is httpd_sys_script_exec_t.  The 
other types should work if you have httpd_unified enabled (which you 
apparently had enabled).  Did you disable httpd_unified since your previous 
addition to this bug report?

Regardless of the httpd_unified boolean, changing the type to 
httpd_sys_script_exec_t will make it work.
Comment 6 Peter Bieringer 2006-04-13 09:18:11 EDT
I still have problems caused by the CGI scripts themselves:

E.g.:

comm="script.cgi" name="logfile" dev=md3 ino=163248
scontext=user_u:system_r:httpd_suexec_t
tcontext=user_u:object_r:httpd_sys_content_t tclass=file

Not allowed to write to a file with httpd_sys_content_t

Or: 
denied  { getattr } for  pid=25496 comm="ipv6calc" name="[5121067]" dev=pipefs
ino=5121067 scontext=user_u:system_r:httpd_suexec_t
tcontext=user_u:system_r:httpd_suexec_t tclass=fifo_file

ipv6calcweb.cgi calls the ipv6calc binary and parses its stdout.

Looks like I still have to design my own special rules.

BTW: is this a feature or a bug that restorecon doesn't read
/etc/selinux/targeted/contexts/files/file_context.local?

And also that setfiles segfaults in case e.g. "*.cgi" is specified in
file_context.local?
Comment 7 Russell Coker 2006-04-16 02:29:22 EDT
A SEGV of setfiles is a bug, please provide more information in a separate bug 
report.

Is httpd_unified still enabled?  Do you have script.cgi labeled as 
httpd_sys_script_exec_t?

The domain httpd_suexec_t is not intended for the actual execution of cgi-bin 
scripts, this is why it has not been granted access to use pipes and perform 
many other operations that cgi-bin scripts may do.
Comment 8 Peter Bieringer 2006-04-16 04:26:00 EDT
# getsebool  -a |grep ^http
httpd_builtin_scripting --> active
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> inactive
httpd_ssi_exec --> active
httpd_tty_comm --> inactive
httpd_unified --> active

# ls -Z /path/to/cgi-bin/ipv6calcweb.cgi
-rwxr-x---  wwwuser wwwgroup system_u:object_r:httpd_sys_script_exec_t
/path/to/cgi-bin/ipv6calcweb.cgi

BTW: does it make sense to restrict the domain httpd_suexec_t to fewer things than CGI
scripts may do? I use the suexec feature here to change to a different user than the
webserver's primary user (apache). But then the script will for sure need the same SELinux
permissions as before (if executed by the apache user).

So what is the intention of restricting httpd_suexec_t more? Perhaps in the
future the CGI block can be copied and enabled by a toggle (httpd_suexec_cgi or
something like that).
Comment 9 Daniel Walsh 2006-04-19 06:56:24 EDT
There seems to be a problem that httpd_suexec_t is not transitioning to
httpd_sys_script_t when it executes httpd_sys_script_exec_t?  According to
policy this should be happening.  

It is almost like the exec is not happening.

Have you updated to the U3 policy?
Comment 10 Peter Bieringer 2006-04-19 07:02:28 EDT
System is running:

# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.126

# rpm -q selinux-policy-targeted-sources
selinux-policy-targeted-sources-1.17.30-2.126
Comment 11 Peter Bieringer 2006-04-27 08:03:55 EDT
Next issue coming up.

I'm using formmail.pl (http://www.scriptarchive.com/formmail.html) and this
causes a lot of messages:

Apr 27 13:56:32 host audit(1146138992.039:713): avc:  denied  { create } for 
pid=6737 comm="sendmail" scontext=user_u:system_r:httpd_suexec_t
tcontext=user_u:system_r:httpd_suexec_t tclass=unix_dgram_socket
Apr 27 13:56:32 host audit(1146138992.040:714): avc:  denied  { connect } for 
pid=6737 comm="sendmail" scontext=user_u:system_r:httpd_suexec_t
tcontext=user_u:system_r:httpd_suexec_t tclass=unix_dgram_socket
Apr 27 13:56:32 host audit(1146138992.060:715): avc:  denied  { search } for 
pid=6737 comm="sendmail" name="spool" dev=md1 ino=464964
scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:var_spool_t
tclass=dir
Apr 27 13:56:32 host audit(1146138992.061:716): avc:  denied  { search } for 
pid=6737 comm="sendmail" name="/" dev=md8 ino=2
scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:mail_spool_t
tclass=dir
Apr 27 13:56:32 host audit(1146138992.061:717): avc:  denied  { setrlimit } for
 pid=6737 comm="sendmail" scontext=user_u:system_r:httpd_suexec_t
tcontext=user_u:system_r:httpd_suexec_t tclass=process
Apr 27 13:56:32 host audit(1146138992.075:718): avc:  denied  { execute } for 
pid=6738 comm="sendmail" name="postdrop" dev=md1 ino=36745
scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:sbin_t
tclass=file
Apr 27 13:56:32 host audit(1146138992.076:719): avc:  denied  { execute_no_trans
} for  pid=6738 comm="sendmail" name="postdrop" dev=md1 ino=36745
scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:sbin_t
tclass=file
Apr 27 13:56:32 host audit(1146138992.076:720): avc:  denied  { read } for 
pid=6738 comm="sendmail" name="postdrop" dev=md1 ino=36745
scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:sbin_t
tclass=file
Apr 27 13:56:32 host audit(1146138992.178:721): avc:  denied  { write } for 
pid=6738 comm="postdrop" name="maildrop" dev=md8 ino=64129
scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:mail_spool_t
tclass=dir
Apr 27 13:56:32 host audit(1146138992.178:722): avc:  denied  { add_name } for 
pid=6738 comm="postdrop" name="179542.6738"
scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:mail_spool_t
tclass=dir
Apr 27 13:56:32 host audit(1146138992.178:723): avc:  denied  { create } for 
pid=6738 comm="postdrop" name="179542.6738"
scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:object_r:mail_spool_t
tclass=file
Apr 27 13:56:32 host audit(1146138992.217:724): avc:  denied  { getattr } for 
pid=6738 comm="postdrop" name="179542.6738" dev=md8 ino=64130
scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:object_r:mail_spool_t
tclass=file
Apr 27 13:56:32 host audit(1146138992.217:725): avc:  denied  { remove_name }
for  pid=6738 comm="postdrop" name="179542.6738" dev=md8 ino=64130
scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:mail_spool_t
tclass=dir
Apr 27 13:56:32 host audit(1146138992.217:726): avc:  denied  { rename } for 
pid=6738 comm="postdrop" name="179542.6738" dev=md8 ino=64130
scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:object_r:mail_spool_t
tclass=file
Apr 27 13:56:32 host audit(1146138992.218:727): avc:  denied  { write } for 
pid=6738 comm="postdrop" name="3550EFA82" dev=md8 ino=64130
scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:object_r:mail_spool_t
tclass=file
Apr 27 13:56:32 host audit(1146138992.219:728): avc:  denied  { setattr } for 
pid=6738 comm="postdrop" name="3550EFA82" dev=md8 ino=64130
scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:object_r:mail_spool_t
tclass=file
Apr 27 13:56:32 host audit(1146138992.222:729): avc:  denied  { getattr } for 
pid=6738 comm="postdrop" name="pickup" dev=md8 ino=144294
scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:mail_spool_t
tclass=fifo_file
Apr 27 13:56:32 host audit(1146138992.222:730): avc:  denied  { write } for 
pid=6738 comm="postdrop" name="pickup" dev=md8 ino=144294
scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:mail_spool_t
tclass=fifo_file

Resulting in the following ruleset:

allow httpd_suexec_t self:process setrlimit;
allow httpd_suexec_t self:unix_dgram_socket { connect create };
allow httpd_suexec_t mail_spool_t:dir { add_name remove_name search write };
allow httpd_suexec_t mail_spool_t:fifo_file { getattr write };
allow httpd_suexec_t mail_spool_t:file { create getattr rename setattr write };
allow httpd_suexec_t sbin_t:file { execute execute_no_trans read };
allow httpd_suexec_t var_spool_t:dir search;

A lot of rules...
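The rulesets above are what audit2allow produces by grouping denials per (source type, target type, class). As an added example (not from the bug report or from audit2allow itself), the script below parses AVC lines in the shape pasted in this thread, re-joins records that were wrapped when pasted, builds the same kind of allow rules, and separates genuine policy gaps in httpd_suexec_t from denials that indicate a script is running in the wrong domain (comment 7's point: once suexec executes a script labelled httpd_sys_script_exec_t the process should be in httpd_sys_script_t, so a denial for a CGI program still in httpd_suexec_t, or an execute_no_trans denial by suexec on the script file, points to a labelling problem rather than missing policy). The sample log is constructed from lines of this report with made-up pids and inodes; the classification heuristic is mine.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the AVC lines pasted in this bug report
# (pids and inode numbers are made up). The last record is wrapped over
# three lines, as pasted logs usually are.
SAMPLE_LOG = """\
avc:  denied  { execute_no_trans } for  pid=1234 comm="suexec" name="footer.cgi" dev=md3 ino=5678 scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
avc:  denied  { read } for  pid=1235 comm="ipv6calcweb.cgi" name="loadavg" dev=proc ino=-268435456 scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:proc_t tclass=file
avc:  denied  { getattr } for  pid=1235 comm="ipv6calcweb.cgi" name="loadavg" dev=proc ino=-268435456 scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:proc_t tclass=file
avc:  denied  { create } for  pid=1236 comm="suexec" scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:system_r:httpd_suexec_t tclass=netlink_route_socket
avc:  denied  { bind } for  pid=1236 comm="suexec" scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:system_r:httpd_suexec_t tclass=netlink_route_socket
Apr 27 13:56:32 host audit(1146138992.039:713): avc:  denied  { create } for
pid=6737 comm="sendmail" scontext=user_u:system_r:httpd_suexec_t
tcontext=user_u:system_r:httpd_suexec_t tclass=unix_dgram_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def join_wrapped(text):
    """Re-join AVC records wrapped onto several lines: a line without
    'avc:' is treated as the continuation of the previous record."""
    out = []
    for line in text.splitlines():
        if 'avc:' in line or not out:
            out.append(line.strip())
        else:
            out[-1] += ' ' + line.strip()
    return out


def parse_avc(line):
    """Parse one 'avc: denied' record into a dict; None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = set(m.group('perms').split())
    return rec


def domain_of(context):
    """user:role:type[:level] -> type (the part policy rules refer to)."""
    return context.split(':')[2]


def aggregate_rules(records):
    """Group denials by (source type, target type, class) into allow rules,
    the way audit2allow does (target equal to source becomes 'self')."""
    perms = defaultdict(set)
    for r in records:
        src, tgt = domain_of(r['scontext']), domain_of(r['tcontext'])
        perms[(src, 'self' if tgt == src else tgt, r['tclass'])] |= r['perms']
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        ps = ' '.join(sorted(p))
        if len(p) > 1:
            ps = '{ ' + ps + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {ps};')
    return rules


def triage(records):
    """Return (rules for real httpd_suexec_t gaps, programs that look mislabelled).

    Heuristic (mine, based on comment 7): httpd_suexec_t should only ever run
    the suexec binary itself. A denial in that domain for any other comm, or
    an execute_no_trans denial by suexec on a script file, means the script
    did not get the expected transition to httpd_sys_script_t, so the fix is
    to relabel the script (httpd_sys_script_exec_t), not to allow the access.
    """
    mislabelled = set()
    for r in records:
        if domain_of(r['scontext']) != 'httpd_suexec_t':
            continue
        if r.get('comm') != 'suexec':
            mislabelled.add(r['comm'])
        elif 'execute_no_trans' in r['perms'] and 'name' in r:
            mislabelled.add(r['name'])
    gaps = [r for r in records
            if r.get('comm') not in mislabelled and r.get('name') not in mislabelled]
    return aggregate_rules(gaps), sorted(mislabelled)


if __name__ == '__main__':
    recs = [r for r in map(parse_avc, join_wrapped(SAMPLE_LOG)) if r]
    print('audit2allow-style rules for everything:')
    print('\n'.join(aggregate_rules(recs)))
    rules, bad = triage(recs)
    print('\nprograms that need relabelling instead of policy:', ', '.join(bad))
    print('remaining rules worth considering for local.te:')
    print('\n'.join(rules))
```

On the sample, only the netlink_route_socket denial by suexec itself survives triage, which matches what was left over on the relabelled system later in this thread.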
Comment 12 James Antill 2006-04-27 11:25:29 EDT
 OK, I've set up a test using RHEL-4.3 as follows:

# cat /etc/httpd/conf.d/suexec-test.conf

<VirtualHost *:80>
  SuexecUserGroup james james
    DocumentRoot /var/www/
    ServerName laptop.and.org
</VirtualHost>
# ls -la -Z /var/www/cgi-bin/
drwxr-xr-x  james    james    system_u:object_r:httpd_sys_script_exec_t .
drwxr-xr-x  root     root     system_u:object_r:httpd_sys_content_t ..
-rwxr-xr-x  james    james    root:object_r:httpd_sys_script_exec_t test.cgi
# cat /var/www/cgi-bin/test.cgi
#! /bin/sh

echo -e "Content-Type: text/plain\r"
echo -e "\r"

id="$(id)"

cat <<EOL
------------------------------------------------------------
$id
------------------------------------------------------------
EOL
# nc localhost 80
GET /cgi-bin/test.cgi HTTP/1.1
Host: x

HTTP/1.1 200 OK
Date: Thu, 27 Apr 2006 14:12:29 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: text/plain; charset=UTF-8

d3
------------------------------------------------------------
uid=500(james) gid=501(james) groups=501(james)
context=root:system_r:httpd_sys_script_t
------------------------------------------------------------

0

...this is correct.
Comment 13 James Antill 2006-04-27 11:58:31 EDT
 I also tried using ipv6calc, and that worked too:

# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.126
# rpm -q ipv6calc
ipv6calc-0.51-1
# cp /usr/share/doc/ipv6calc-0.51/ipv6calcweb/ipv6calcweb.cgi /var/www/cgi-bin/
# chown james:james /var/www/cgi-bin//ipv6calcweb.cgi 
# chmod +x /var/www/cgi-bin/ipv6calcweb.cgi 
# ll -Z /var/www/cgi-bin/ipv6calcweb.cgi
 -rwxr-xr-x  james    james    root:object_r:httpd_sys_script_exec_t
/var/www/cgi-bin/ipv6calcweb.cgi
# nc localhost 80
GET /cgi-bin/ipv6calcweb.cgi HTTP/1.1
Host: x

HTTP/1.1 200 OK
Date: Thu, 27 Apr 2006 14:41:10 GMT
Server: Apache/2.0.52 (Red Hat)
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

356
<html>
  <head>
    <meta name="Author" content="Peter Bieringer">
    <title>Addresstype information</title>
  </head>
  <body>
    <table border CELLSPACING=0>
      <tr>
        <th colspan="3">Your client</th>
      </tr>
      <tr>
        <td><b>IPV4</b></td>
        <td>IPv4 address</td>
        <td><tt>10.12.4.34</tt></td>
      </tr>
      <tr>
        <td><b>IPV4_REGISTRY</b></td>
        <td>Registry of IPv4 address</td>
        <td>IANA</td>
      </tr>
      <tr>
        <td colspan="3">
          <font size=-2>Generated by ipv6calcweb.cgi 0.51, (P) & (C) 2002-2003
by Peter Bieringer</font><br>
          <font size=-2>Powered by <a
href="http://www.deepspace6.net/projects/ipv6calc.html">ipv6calc</a> 0.51, (P) &
(C) 2001-2006 by Peter Bieringer <pb (at) bieringer.de></font>
        </td>
      </tr>
    </table>
  </body>
</html>

0

Comment 14 Peter Bieringer 2006-04-28 06:55:38 EDT
I'm trying to debug around this but am running into logging trouble. Not every HTTP request
(done by curl) triggers instant SELinux log messages.
After one request, SELinux logs something. Then on the next request, nothing is
logged; restarting httpd won't help; later, on another request, another (related
but not similar) SELinux message appears in the log.

How is logging done in SELinux; is there any cache in between?
Comment 15 Daniel Walsh 2006-05-01 16:16:44 EDT
You are running in permissive mode.  Only one avc message per process for a particular
access is reported.  Turn on enforcing mode and you should see
all errors.

setenforce 1

Please attach avc messages.

Dan
Comment 16 Peter Bieringer 2006-05-02 08:10:16 EDT
I've now transferred my websites (not as mission critical as the others) to a
cleaner RHEL4 system. Currently no changes have been made to SELinux (*-src is not
installed at the moment).

# rpm -q selinux-policy-targeted
selinux-policy-targeted-1.17.30-2.126

# getsebool -a
allow_syslog_to_console --> inactive
allow_ypbind --> inactive
dhcpd_disable_trans --> inactive
httpd_builtin_scripting --> active
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_tty_comm --> inactive
httpd_unified --> active
mysqld_disable_trans --> inactive
named_disable_trans --> inactive
named_write_master_zones --> inactive
nscd_disable_trans --> inactive
ntpd_disable_trans --> inactive
pegasus_disable_trans --> inactive
portmap_disable_trans --> inactive
postgresql_disable_trans --> inactive
snmpd_disable_trans --> inactive
squid_disable_trans --> inactive
syslogd_disable_trans --> inactive
use_nfs_home_dirs --> inactive
use_samba_home_dirs --> inactive
use_syslogng --> active
winbind_disable_trans --> inactive
ypbind_disable_trans --> inactive


SELinux is enforcing on this system.

Let's start with an easy problem (only 2 avc messages per page) now again:

$ curl mirrors.bieringer.de
 AddOutputFilter INCLUDES .html .shtml .pl .cgi
 SuexecUserGroup wwwgroup wwwgroup
 # Add automatic footer
 Action add-footer /cgi-bin/footer.cgi
 AddHandler add-footer .html


causes:
May  2 13:52:55 pib audit(1146570775.747:603): avc:  denied  { create } for 
pid=14823 comm="suexec" scontext=root:system_r:httpd_suexec_t
tcontext=root:system_r:httpd_suexec_t tclass=netlink_route_socket

May  2 13:52:55 pib audit(1146570775.789:604): avc:  denied  { execute } for 
pid=14823 comm="footer.cgi" name="ld.so.cache" dev=md1 ino=240555
scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:ld_so_cache_t
tclass=file

# ls -Z  footer.cgi
-rwxr-x---  wwwgroup wwwgroup user_u:object_r:httpd_sys_script_exec_t footer.cgi

footer.cgi is a small C program which puts some HTML code taken from a txt file
before the closing /body /html tags.

$ ldd footer.cgi
        libc.so.6 => /lib/tls/libc.so.6 (0x00365000)
        /lib/ld-linux.so.2 (0x0034c000)


Note that if I enable SSL in /etc/ldap.conf I get one additional line per request:

May  2 13:48:46 host audit(1146570526.091:595): avc:  denied  { read } for 
pid=14643 comm="suexec" name="cert.pem" dev=md1 ino=224719
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:usr_t
tclass=lnk_file

This issue is already known (but not solved):
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=186258#c2

Comment 17 Peter Bieringer 2006-05-02 11:56:18 EDT
I've now set up identical webserver configs on both sides, with the result that
*after* relabeling both systems, on one side the following additional message occurs:

May  2 17:49:07 pib audit(1146584947.305:313): avc:  denied  { create } for 
pid=5979 comm="suexec" scontext=root:system_r:httpd_suexec_t
tcontext=root:system_r:httpd_suexec_t tclass=netlink_route_socket

It does not happen on the old system, which causes all the other messages.

How can I trace/compare this?
Comment 18 Peter Bieringer 2006-06-06 04:25:23 EDT
BTW: have you ever heard about problems with hanging HTTP sessions and SELinux
in enforcing mode?

This has happened here since I started testing SELinux in enforcing mode on our 2 production
web servers. After some time, suddenly, Apache no longer serves content. If a
request was triggered using telnet, I got a connection, but if I specified some
content to get, nothing happened.

Restarting Apache helps for a moment (around 1/2 day). Afterwards, same issue
occurs.

After setting SELinux back to permissive and restarting httpd, everything works
fine over weeks. The only message about SELinux in kernel log is the grant of
the SELinux change, nothing else.

That's very strange.

Do you have any hints on how I can debug such a strange case, if it happens again?
Comment 19 Daniel Walsh 2006-06-06 11:54:18 EDT
This could be SELinux dontaudit causing the problem.

You can turn off the dontaudits by installing policy sources and
running

cd /etc/selinux/targeted/src/policy
make enableaudit
make load

Now you should get additional AVC messages in the logs.  You can turn on
enforcing mode and see if anything pops up.
Comment 21 James Antill 2006-06-06 16:53:23 EDT
"""
Note that if I enable SSL in /etc/ldap.conf I get one additional line per request:

May  2 13:48:46 host audit(1146570526.091:595): avc:  denied  { read } for 
pid=14643 comm="suexec" name="cert.pem" dev=md1 ino=224719
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:usr_t
tclass=lnk_file

This issue is already known (but not solved):
"""

 Did the policy update in BZ#186258 not solve that problem for you?
Comment 22 RHEL Product and Program Management 2006-09-01 10:16:44 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 24 Vilela 2006-09-16 03:35:01 EDT
Running the following script through Apache, called teste.sh:

#!/bin/sh
cat << EOF
Content-type: text/html;

hello<br>
EOF

... results in the following errors:

avc:  denied  { create } for  pid=11137 comm="suexec"
context=root:system_r:httpd_suexec_t tcontext=root:system_r:httpd_suexec_t
tclass=netlink_route_socket

avc:  denied  { read } for  pid=11137 comm="suexec" name="cert.pem" dev=dm-0
ino=520401 scontext=root:system_r:httpd_suexec_t
tcontext=system_u:object_r:usr_t tclass=lnk_file

avc:  denied  { execute_no_trans } for  pid=11137 comm="suexec" name="teste.sh"
dev=dm-5 ino=16763 scontext=root:system_r:httpd_suexec_t
tcontext=system_u:object_r:httpd_sys_content_t tclass=file

The first and second errors seem to have already been reported in this bug
report and the second seems to be like BZ#186258.

My booleans:

httpd_builtin_scripting --> active
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> inactive
httpd_ssi_exec --> inactive
httpd_tty_comm --> inactive
httpd_unified --> active

kernel-2.6.9-42.0.2.EL
selinux-policy-targeted-1.17.30-2.140
Comment 25 Vilela 2006-09-16 03:57:10 EDT
audit2allow suggested me these lines, and it worked:

allow httpd_suexec_t self:netlink_route_socket { bind create getattr nlmsg_read
read write };
allow httpd_suexec_t httpd_sys_content_t:file execute_no_trans;
allow httpd_suexec_t usr_t:lnk_file read;

Now I've got other errors, but this new file had no errors - teste2.cgi.c:
#include <stdio.h>
int main()
{
  printf("Content-type: text/html;\n\nhello<br>");
  return 0;
}
Comment 26 Daniel Walsh 2006-09-18 11:31:57 EDT
Which booleans do you have turned on? 

getsebool httpd_unified

allow httpd_suexec_t httpd_sys_content_t:file execute_no_trans;

Should be allowed by this boolean.
Comment 27 Daniel Walsh 2006-09-18 12:19:47 EDT
Fixed in selinux-policy-targeted-1.17.30-2.141
Comment 29 Peter Bieringer 2006-09-20 07:51:37 EDT
Daniel, can you please provide a package for testing? I only found 135 on your
people.redhat.com directory.
Comment 30 Daniel Walsh 2006-09-20 09:02:36 EDT
Updated
Comment 31 Peter Bieringer 2006-09-27 04:25:01 EDT
This policy looks better now.

Still, I need 3 local rules; only one of them is suexec related:

1)
# avc:  denied  { execute } for  pid=12345 comm="footer.cgi" name="ld.so.cache"
dev=md1 ino=123456 scontext=root:system_r:httpd_sys_script_t
tcontext=root:object_r:ld_so_cache_t tclass=file

Results in:
allow httpd_sys_script_t ld_so_cache_t:file execute;


Hm, should this be fixed?


2)
# avc:  denied  { read write } for  pid=26260 comm="suexec" name="[8071270]"
dev=sockfs ino=8071270 scontext=root:system_r:httpd_suexec_t
tcontext=root:system_r:httpd_t tclass=tcp_socket
allow httpd_suexec_t httpd_t:tcp_socket { read write }; 


-> that's a CGI client program, which connects to a local server via TCP.

Perhaps a toggle should exist to allow this.


3)
# avc:  denied  { read } for  pid=27970 comm="ipv6calc-0.60.0"
name="GeoLiteCity.dat" dev=md1 ino=275154
scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:var_t tclass=file

allow httpd_sys_script_t var_t:file { getattr read };

-> that's more of a local issue; ipv6calc accessed a file stored in /var/local
Comment 32 Peter Bieringer 2006-10-09 05:43:40 EDT
After rebooting the system I found that in enforcing mode httpd no longer
delivers any pages. It hangs after the GET request. I believe I've already seen
this before. Unfortunately, no avc messages are logged to the kernel. Switching
to permissive mode and restarting httpd solves this. Any hints on how to debug this issue?
Comment 34 Josef Kubin 2007-04-02 23:18:12 EDT
Peter Bieringer:
Is the following package a solution for your problem?
http://people.redhat.com/dwalsh/SELinux/RHEL4/u5/noarch/selinux-policy-targeted-1.17.30-2.143.noarch.rpm
Comment 35 Peter Bieringer 2007-04-04 07:38:01 EDT
This new policy doesn't fix the issue from comment #32. Was comment #34 related
to that issue?

Here are some log lines shown afterwards using "make enableaudit". BTW here: please
fix Makefile to create a backup file of policy.conf for switching back to normal
mode.

Apr  4 13:26:00 server audit(1175685960.397:446): avc:  granted  { load_policy }
for  pid=31685 comm="load_policy" scontext=root:system_r:unconfined_t
tcontext=system_u:object_r:security_t tclass=security
Apr  4 13:27:32 server audit(1175686052.870:447): avc:  granted  { load_policy }
for  pid=32127 comm="load_policy" scontext=root:system_r:unconfined_t
tcontext=system_u:object_r:security_t tclass=security
Apr  4 13:27:43 server audit(1175686063.004:448): avc:  granted  { setenforce }
for  pid=32132 comm="setenforce" scontext=root:system_r:unconfined_t
tcontext=system_u:object_r:security_t tclass=security
Apr  4 13:28:15 server audit(1175686095.010:449): avc:  granted  { setenforce }
for  pid=32280 comm="setenforce" scontext=root:system_r:unconfined_t
tcontext=system_u:object_r:security_t tclass=security
Apr  4 13:29:04 server audit(1175686144.845:450): avc:  granted  { load_policy }
for  pid=32486 comm="load_policy" scontext=root:system_r:unconfined_t
tcontext=system_u:object_r:security_t tclass=security
Apr  4 13:29:04 server audit(1175686144.934:451): avc:  denied  { siginh } for 
pid=32487 comm="suexec" scontext=root:system_r:httpd_t
tcontext=root:system_r:httpd_suexec_t tclass=process
Apr  4 13:29:04 server audit(1175686144.934:452): avc:  denied  { rlimitinh }
for  pid=32487 comm="suexec" scontext=root:system_r:httpd_t
tcontext=root:system_r:httpd_suexec_t tclass=process
Apr  4 13:29:04 server audit(1175686144.935:453): avc:  denied  { noatsecure }
for  pid=32487 comm="suexec" scontext=root:system_r:httpd_t
tcontext=root:system_r:httpd_suexec_t tclass=process
Apr  4 13:29:04 server audit(1175686144.938:454): avc:  denied  { search } for 
pid=32487 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:29:04 server audit(1175686144.939:455): avc:  denied  { use } for 
pid=32487 comm="suexec" name="passwd" dev=md1 ino=161712
scontext=root:system_r:httpd_suexec_t tcontext=user_u:system_r:nscd_t tclass=fd
Apr  4 13:29:04 server audit(1175686144.939:456): avc:  denied  { read } for 
pid=32487 comm="suexec" name="passwd" dev=md1 ino=161712
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=file
Apr  4 13:29:04 server audit(1175686144.940:457): avc:  denied  { getattr } for
 pid=32487 comm="suexec" name="passwd" dev=md1 ino=161712
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=file
Apr  4 13:29:04 server audit(1175686144.942:458): avc:  denied  { siginh } for 
pid=32487 comm="messages.cgi" scontext=root:system_r:httpd_suexec_t
tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr  4 13:29:04 server audit(1175686144.942:459): avc:  denied  { rlimitinh }
for  pid=32487 comm="messages.cgi" scontext=root:system_r:httpd_suexec_t
tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr  4 13:29:04 server audit(1175686144.943:460): avc:  denied  { noatsecure }
for  pid=32487 comm="messages.cgi" scontext=root:system_r:httpd_suexec_t
tcontext=root:system_r:httpd_sys_script_t tclass=process


Apr  4 13:29:16 server audit(1175686156.806:461): avc:  granted  { setenforce }
for  pid=32491 comm="setenforce" scontext=root:system_r:unconfined_t
tcontext=system_u:object_r:security_t tclass=security
Apr  4 13:29:19 server audit(1175686159.753:462): avc:  denied  { search } for 
pid=32504 comm="httpd" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr  4 13:29:19 server audit(1175686159.754:463): avc:  denied  { search } for 
pid=32504 comm="httpd" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr  4 13:29:19 server audit(1175686159.756:464): avc:  denied  { search } for 
pid=32504 comm="httpd" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr  4 13:29:19 server audit(1175686159.756:465): avc:  denied  { search } for 
pid=32504 comm="httpd" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr  4 13:29:19 server audit(1175686159.780:466): avc:  denied  { search } for 
pid=32504 comm="httpd" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr  4 13:29:19 server audit(1175686159.781:467): avc:  denied  { search } for 
pid=32504 comm="httpd" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr  4 13:29:25 server audit(1175686165.861:468): avc:  denied  { siginh } for 
pid=32629 comm="suexec" scontext=root:system_r:httpd_t
tcontext=root:system_r:httpd_suexec_t tclass=process
Apr  4 13:29:25 server audit(1175686165.861:469): avc:  denied  { rlimitinh }
for  pid=32629 comm="suexec" scontext=root:system_r:httpd_t
tcontext=root:system_r:httpd_suexec_t tclass=process
Apr  4 13:29:25 server audit(1175686165.861:470): avc:  denied  { noatsecure }
for  pid=32629 comm="suexec" scontext=root:system_r:httpd_t
tcontext=root:system_r:httpd_suexec_t tclass=process
Apr  4 13:29:25 server audit(1175686165.866:471): avc:  denied  { search } for 
pid=32629 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:29:25 server audit(1175686165.866:472): avc:  denied  { search } for 
pid=32629 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:29:25 server audit(1175686165.872:473): avc:  denied  { search } for 
pid=32629 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:29:25 server audit(1175686165.873:474): avc:  denied  { search } for 
pid=32629 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:29:25 server audit(1175686165.878:475): avc:  denied  { search } for 
pid=32629 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:29:25 server audit(1175686165.879:476): avc:  denied  { search } for 
pid=32629 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:29:25 server audit(1175686165.884:477): avc:  denied  { siginh } for 
pid=32629 comm="messages.cgi" scontext=root:system_r:httpd_suexec_t
tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr  4 13:29:25 server audit(1175686165.884:478): avc:  denied  { rlimitinh }
for  pid=32629 comm="messages.cgi" scontext=root:system_r:httpd_suexec_t
tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr  4 13:29:25 server audit(1175686165.885:479): avc:  denied  { noatsecure }
for  pid=32629 comm="messages.cgi" scontext=root:system_r:httpd_suexec_t
tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr  4 13:29:34 server audit(1175686174.721:480): avc:  denied  { siginh } for 
pid=32632 comm="suexec" scontext=root:system_r:httpd_t
tcontext=root:system_r:httpd_suexec_t tclass=process
Apr  4 13:29:34 server audit(1175686174.721:481): avc:  denied  { rlimitinh }
for  pid=32632 comm="suexec" scontext=root:system_r:httpd_t
tcontext=root:system_r:httpd_suexec_t tclass=process
Apr  4 13:29:34 server audit(1175686174.721:482): avc:  denied  { noatsecure }
for  pid=32632 comm="suexec" scontext=root:system_r:httpd_t
tcontext=root:system_r:httpd_suexec_t tclass=process
Apr  4 13:29:34 server audit(1175686174.723:483): avc:  denied  { search } for 
pid=32632 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:29:34 server audit(1175686174.723:484): avc:  denied  { search } for 
pid=32632 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:29:34 server audit(1175686174.730:485): avc:  denied  { search } for 
pid=32632 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:29:34 server audit(1175686174.731:486): avc:  denied  { search } for 
pid=32632 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:29:34 server audit(1175686174.736:487): avc:  denied  { search } for 
pid=32632 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:29:34 server audit(1175686174.737:488): avc:  denied  { search } for 
pid=32632 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:29:34 server audit(1175686174.742:489): avc:  denied  { siginh } for 
pid=32632 comm="footer.cgi" scontext=root:system_r:httpd_suexec_t
tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr  4 13:29:34 server audit(1175686174.742:490): avc:  denied  { rlimitinh }
for  pid=32632 comm="footer.cgi" scontext=root:system_r:httpd_suexec_t
tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr  4 13:29:34 server audit(1175686174.742:491): avc:  denied  { noatsecure }
for  pid=32632 comm="footer.cgi" scontext=root:system_r:httpd_suexec_t
tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr  4 13:29:52 server audit(1175686192.289:492): avc:  denied  { siginh } for 
pid=32639 comm="suexec" scontext=root:system_r:httpd_t
tcontext=root:system_r:httpd_suexec_t tclass=process
Apr  4 13:29:52 server audit(1175686192.289:493): avc:  denied  { rlimitinh }
for  pid=32639 comm="suexec" scontext=root:system_r:httpd_t
tcontext=root:system_r:httpd_suexec_t tclass=process
Apr  4 13:29:52 server audit(1175686192.289:494): avc:  denied  { noatsecure }
for  pid=32639 comm="suexec" scontext=root:system_r:httpd_t
tcontext=root:system_r:httpd_suexec_t tclass=process
Apr  4 13:29:52 server audit(1175686192.292:495): avc:  denied  { search } for 
pid=32639 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:29:52 server audit(1175686192.292:496): avc:  denied  { search } for 
pid=32639 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:29:52 server audit(1175686192.301:497): avc:  denied  { search } for 
pid=32639 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:29:52 server audit(1175686192.302:498): avc:  denied  { search } for 
pid=32639 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:29:52 server audit(1175686192.307:499): avc:  denied  { search } for 
pid=32639 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:29:52 server audit(1175686192.308:500): avc:  denied  { search } for 
pid=32639 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:29:52 server audit(1175686192.313:501): avc:  denied  { siginh } for 
pid=32639 comm="footer.cgi" scontext=root:system_r:httpd_suexec_t
tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr  4 13:29:52 server audit(1175686192.313:502): avc:  denied  { rlimitinh }
for  pid=32639 comm="footer.cgi" scontext=root:system_r:httpd_suexec_t
tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr  4 13:29:52 server audit(1175686192.313:503): avc:  denied  { noatsecure }
for  pid=32639 comm="footer.cgi" scontext=root:system_r:httpd_suexec_t
tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr  4 13:29:57 server audit(1175686197.122:504): avc:  granted  { setenforce }
for  pid=32641 comm="setenforce" scontext=root:system_r:unconfined_t
tcontext=system_u:object_r:security_t tclass=security
Apr  4 13:29:59 server audit(1175686199.449:505): avc:  denied  { search } for 
pid=32654 comm="httpd" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Apr  4 13:29:59 server audit(1175686199.452:506): avc:  denied  { use } for 
pid=32654 comm="httpd" name="passwd" dev=md1 ino=161712
scontext=root:system_r:httpd_t tcontext=user_u:system_r:nscd_t tclass=fd
Apr  4 13:29:59 server audit(1175686199.452:507): avc:  denied  { read } for 
pid=32654 comm="httpd" name="passwd" dev=md1 ino=161712
scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=file
Apr  4 13:29:59 server audit(1175686199.452:508): avc:  denied  { getattr } for
 pid=32654 comm="httpd" name="passwd" dev=md1 ino=161712
scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=file
Apr  4 13:30:07 server audit(1175686207.171:509): avc:  denied  { siginh } for 
pid=402 comm="suexec" scontext=root:system_r:httpd_t
tcontext=root:system_r:httpd_suexec_t tclass=process
Apr  4 13:30:07 server audit(1175686207.171:510): avc:  denied  { rlimitinh }
for  pid=402 comm="suexec" scontext=root:system_r:httpd_t
tcontext=root:system_r:httpd_suexec_t tclass=process
Apr  4 13:30:07 server audit(1175686207.171:511): avc:  denied  { noatsecure }
for  pid=402 comm="suexec" scontext=root:system_r:httpd_t
tcontext=root:system_r:httpd_suexec_t tclass=process
Apr  4 13:30:07 server audit(1175686207.175:512): avc:  denied  { search } for 
pid=402 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:30:07 server audit(1175686207.177:513): avc:  denied  { use } for 
pid=402 comm="suexec" name="passwd" dev=md1 ino=161712
scontext=root:system_r:httpd_suexec_t tcontext=user_u:system_r:nscd_t tclass=fd
Apr  4 13:30:07 server audit(1175686207.177:514): avc:  denied  { read } for 
pid=402 comm="suexec" name="passwd" dev=md1 ino=161712
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=file
Apr  4 13:30:07 server audit(1175686207.177:515): avc:  denied  { getattr } for
 pid=402 comm="suexec" name="passwd" dev=md1 ino=161712
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=file
Apr  4 13:30:07 server audit(1175686207.181:516): avc:  denied  { siginh } for 
pid=402 comm="messages.cgi" scontext=root:system_r:httpd_suexec_t
tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr  4 13:30:07 server audit(1175686207.181:517): avc:  denied  { rlimitinh }
for  pid=402 comm="messages.cgi" scontext=root:system_r:httpd_suexec_t
tcontext=root:system_r:httpd_sys_script_t tclass=process
Apr  4 13:30:07 server audit(1175686207.181:518): avc:  denied  { noatsecure }
for  pid=402 comm="messages.cgi" scontext=root:system_r:httpd_suexec_t
tcontext=root:system_r:httpd_sys_script_t tclass=process

Comment 36 Daniel Walsh 2007-04-05 17:40:05 EDT
Looks like it needs to talk to nscd. 

Fixed in selinux-policy-targeted-1_17_30-2_145
Comment 38 Josef Kubin 2007-04-05 19:43:30 EDT
Created attachment 151819
output from audit.log
Comment 39 Peter Bieringer 2007-04-10 07:02:58 EDT
Can you please push the 2.145 release to
http://people.redhat.com/dwalsh/SELinux/RHEL4/u5/noarch/ for testing? Thank you.
Comment 40 Daniel Walsh 2007-04-10 10:09:34 EDT
2.145 pushed to http://people.redhat.com/dwalsh/SELinux/RHEL4/u5/noarch/

Josef, cgi scripts are not allowed to read kerberos or snmp information by
default. You would have to write your own policy in order to allow this. This
is true in RHEL4 and RHEL5.
Comment 41 Peter Bieringer 2007-04-10 10:30:15 EDT
Are you sure that 145 reflects the mentioned changes from #36? My cgi scripts
are still hanging in enforcing mode, but playing around I found that all works
fine if I add the following rules to local.te, as taught by audit2allow:

allow httpd_suexec_t nscd_t:fd use;
allow httpd_suexec_t nscd_var_run_t:dir search;
allow httpd_suexec_t nscd_var_run_t:file { getattr read };
allow httpd_t nscd_t:fd use;
allow httpd_t nscd_var_run_t:dir search;
allow httpd_t nscd_var_run_t:file { getattr read };

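The rules above are the shape audit2allow emits from the AVC records pasted in comments 35 and 42. The following audit2allow-style reducer is an added example (it is not part of the bug report, nor Red Hat's or audit2allow's own code): it re-joins records that were wrapped at 80 columns when pasted, ignores "granted" records, optionally drops the siginh/rlimitinh/noatsecure process denials that "make enableaudit" exposes on every domain transition (the assumption here is that those are normally hidden by dontaudit rules, which is why they only appear in that mode), and collapses the rest into allow rules keyed by source type, target type and class. The sample records are constructed to mirror the ones in this thread, not captured from a real host.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the audit(...) records pasted in this thread,
# including the 80-column wrapping Bugzilla applied to them. Not from a real host.
SAMPLE_AUDIT = """\
Apr  4 13:29:04 server audit(1175686144.934:451): avc:  denied  { siginh } for
pid=32487 comm="suexec" scontext=root:system_r:httpd_t
tcontext=root:system_r:httpd_suexec_t tclass=process
Apr  4 13:29:04 server audit(1175686144.938:454): avc:  denied  { search } for
pid=32487 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t
tclass=dir
Apr  4 13:29:04 server audit(1175686144.939:455): avc:  denied  { use } for  pid=32487 comm="suexec" name="passwd" dev=md1 ino=161712 scontext=root:system_r:httpd_suexec_t tcontext=user_u:system_r:nscd_t tclass=fd
Apr  4 13:29:04 server audit(1175686144.939:456): avc:  denied  { read } for  pid=32487 comm="suexec" name="passwd" dev=md1 ino=161712 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=file
Apr  4 13:29:04 server audit(1175686144.940:457): avc:  denied  { getattr } for  pid=32487 comm="suexec" name="passwd" dev=md1 ino=161712 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:nscd_var_run_t tclass=file
Apr  4 13:29:04 server audit(1175686144.845:450): avc:  granted  { load_policy } for  pid=32486 comm="load_policy" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Apr 10 16:48:20 server audit(1176216500.570:2997): avc:  denied  { execute } for  pid=14493 comm="footer.cgi" name="ld.so.cache" dev=md1 ino=241238 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:ld_so_cache_t tclass=file
"""

# A record starts with a syslog timestamp ("Apr  4 13:29:04 "); anything else is
# a continuation of the previous record that was wrapped when pasted.
LINE_START = re.compile(r'^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s')

AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Permissions checked on every domain transition; assumed to be dontaudit'ed in
# the stock policy, which is why they only surface under "make enableaudit".
TRANSITION_NOISE = {'process': {'siginh', 'rlimitinh', 'noatsecure'}}


def unwrap(text):
    """Re-join audit records that were wrapped at 80 columns when pasted."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LINE_START.match(line) or not out:
            out.append(line)
        else:
            out[-1] += ' ' + line
    return out


def parse_avc(text):
    """Return one dict per AVC record with perms as a set and the bare types."""
    records = []
    for line in unwrap(text):
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec['perms'] = set(rec['perms'].split())
        # contexts are user:role:type[:level]; the type is what policy rules use
        rec['stype'] = rec['scontext'].split(':')[2]
        rec['ttype'] = rec['tcontext'].split(':')[2]
        records.append(rec)
    return records


def collect_rules(records, drop_transition_noise=True):
    """Fold denials into {(source type, target type, class): set(perms)}."""
    rules = defaultdict(set)
    for r in records:
        if r['verdict'] != 'denied':
            continue
        perms = set(r['perms'])
        if drop_transition_noise:
            perms -= TRANSITION_NOISE.get(r['tclass'], set())
        if perms:
            rules[(r['stype'], r['ttype'], r['tclass'])] |= perms
    return dict(rules)


def format_rules(rules):
    """Render rules in the allow-statement form used in local.te."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        body = ' '.join(sorted(perms))
        if len(perms) > 1:
            body = '{ %s }' % body
        lines.append('allow %s %s:%s %s;' % (stype, ttype, tclass, body))
    return lines


if __name__ == '__main__':
    for rule in format_rules(collect_rules(parse_avc(SAMPLE_AUDIT))):
        print(rule)
```

Run against the sample it prints the four rules from comment 41 that concern httpd_suexec_t, plus the ld_so_cache_t execute rule from comment 42, and nothing for the siginh denial. Treat the output the way you would treat audit2allow's: every allow line widens what the httpd domains can reach (here, nscd's sockets and file descriptors), so read each one before loading it rather than pasting the whole set into local.te.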
Comment 42 Peter Bieringer 2007-04-10 10:50:38 EDT
BTW: digging through my local.te I found this one is still required:

allow httpd_sys_script_t ld_so_cache_t:file execute;

Log:
Apr 10 16:48:20 server audit(1176216500.570:2997): avc:  denied  { execute } for
 pid=14493 comm="footer.cgi" name="ld.so.cache" dev=md1 ino=241238
scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:ld_so_cache_t
tclass=file

"footer.cgi" is a small C program:

# ldd /path/to/foo/footer.cgi 
        libc.so.6 => /lib/tls/libc.so.6 (0x00230000)
        /lib/ld-linux.so.2 (0x00967000)
Comment 44 Daniel Walsh 2007-04-10 11:14:18 EDT
Peter what is the context of footer.cgi?

ls -lZ footer.cgi?

I also don't understand the above comment: does 145 work without your nscd rules?

Comment 45 Peter Bieringer 2007-04-10 11:22:12 EDT
# ls -lZ /path/to/footer.cgi 
-r-xr-x---  user group user_u:object_r:httpd_sys_script_exec_t
/path/to/footer/footer.cgi

145 without my additional nscd rules didn't work (page wouldn't be delivered),
with my additional rules, all works fine.

BTW: during heavy testing I found that my formail script also triggers denied
messages during injection of the e-mail (sendmail is from postfix):
allow system_mail_t self:netlink_route_socket { create bind getattr write nlmsg_read read };
But regardless of the denied messages, the e-mail is delivered in enforcing mode.
Comment 48 Peter Bieringer 2007-04-20 08:30:00 EDT
I would only note that since the last comment the system is running fine now in
enforcing mode.

My current local.te contain just for cross-checking:

## Apache

## footer.cgi
allow httpd_sys_script_t ld_so_cache_t:file execute;

# CGI which uses a data file stored in /var/local (more local issue)
allow httpd_sys_script_t var_t:file { getattr read };

# Sqwebmail (more local issue)
allow httpd_sys_script_t var_t:sock_file write;
allow httpd_sys_script_t initrc_t:unix_stream_socket connectto;

## suexec'ed cgi requires nscd (already discussed)
allow httpd_suexec_t nscd_t:fd use;
allow httpd_suexec_t nscd_var_run_t:dir search;
allow httpd_suexec_t nscd_var_run_t:file { getattr read };
allow httpd_t nscd_t:fd use;
allow httpd_t nscd_var_run_t:dir search;
allow httpd_t nscd_var_run_t:file { getattr read };

# formail
allow system_mail_t self:netlink_route_socket { create bind getattr write nlmsg_read read };

# syslog-ng >= 2.0
allow syslogd_t var_t:dir { write add_name read };
allow syslogd_t var_t:file { create read write getattr };
Comment 49 Red Hat Bugzilla 2007-05-01 18:47:17 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0171.html
Comment 50 Peter Bieringer 2007-06-27 05:33:59 EDT
After rebooting I still ran into trouble. Digging deeper (using make
enableaudit), I found that 2 rules are still necessary for
selinux-policy-targeted-1.17.30-2.145 for proper running of httpd:

allow httpd_suexec_t nscd_var_run_t:dir search;
allow httpd_t nscd_var_run_t:dir search;

Restart of httpd after change is required, too.

Related log lines:

Jun 27 11:22:11 host audit(1182936131.392:20): avc:  denied  { search } for 
pid=6719 comm="suexec" name="nscd" dev=md1 ino=400898
scontext=user_u:system_r:httpd_suexec_t
tcontext=system_u:object_r:nscd_var_run_t tclass=dir

Jun 27 11:29:32 host audit(1182936572.209:170): avc:  denied  { search } for 
pid=8237 comm="httpd" name="nscd" dev=md1 ino=400898
scontext=root:system_r:httpd_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
Comment 51 Daniel Walsh 2007-06-27 08:47:54 EDT
That is strange, you should not need that priv to be able to communicate with
the nscd socket?
Comment 52 Peter Bieringer 2007-06-27 09:09:56 EDT
Hmm, I don't know what causes this, but if I remove this priv, the httpd has
major problems serving the pages; content was delivered with timeouts.

Note that since using selinux-policy-targeted-1.17.30-2.145, following local.te
extensions were no longer required:

allow httpd_suexec_t nscd_t:fd use;
allow httpd_suexec_t nscd_var_run_t:file { getattr read };
allow httpd_t nscd_t:fd use;
allow httpd_t nscd_var_run_t:file { getattr read };

Perhaps "nscd_var_run_t:file { getattr read };" requires "nscd_var_run_t:dir
search;" before.
Comment 54 Daniel Walsh 2008-08-01 11:52:43 EDT
We are not planning on updating RHEL4 policy so since this works well in RHEL5 I
am closing this next release.
