Bug 193201 - SELinux strict policy blocks CGI execution
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-05-25 20:29 EDT by M. Kristall
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: 43.fc5
Doc Type: Bug Fix
Last Closed: 2006-06-08 11:58:37 EDT


Attachments: None
Description M. Kristall 2006-05-25 20:29:15 EDT
I searched for httpd and apache under the selinux components and couldn't find
any results. So I guess this is new.


Description of problem:
With strict policy selected, httpd cannot run CGIs.

Version-Release number of selected component (if applicable):
selinux-policy 2.2.40-1.fc5
httpd 2.2.0-5.1.2

How reproducible:
Always

Steps to Reproduce:
1. In gnome, System > Administration > Security Level and Firewall
2. In the SELinux tab, set SELinux Setting to "Enforcing", click OK
3. Request something like http://localhost/path/to/some/file.cgi
4. tail -n2 /var/log/httpd/error_log
  
Actual results:
(13)Permission denied: exec of '/var/www/html/some/file.cgi' failed
Premature end of script headers: file.cgi

Expected results:
The CGI should run fine.


Additional info:
I did not manually edit the selinux policy. I always have the "SELinux Setting"
on Enforcing, and (because I'm lazy and don't want to have to learn about how to
configure SELinux :-( ) I use the Security Level Configuration program for
tuning the SELinux policy.
I usually have the following checked under "HTTPD Service":
Allow HTTPD cgi support
Allow HTTPD scripts and modules to connect to the network.
Allow HTTPD to support built-in scripting
Unify HTTPD handling of all content files.
Unify HTTPD to communicate with the terminal.

According to my Apache logs, the last time I actually ran any CGIs with this
computer was on May 15 (really, it was that long?). It worked then. Since then I
have not adjusted the SELinux policy or changed the Apache configuration, or the
CGIs' permissions. Neither of the last two is the problem: switching the policy
to Permissive, or disabling SELinux, makes things work as expected.

Enabling "Disable SELinux protection for HTTPD" does not seem to do anything.

I'd assume that I did something wrong, but I haven't made any changes in a while,
and it was working but now it is not.


(I can't confirm this on any other systems, but I assume this affects all
architectures since selinux-policy is platform independent... right?)
Comment 1 Daniel Walsh 2006-05-26 05:52:55 EDT
Are you seeing AVC messages in your /var/log/messages or
/var/log/audit/audit.log file?
Comment 2 M. Kristall 2006-05-26 13:32:02 EDT
In /var/log/messages I see repeated (obviously with different times):

May 26 13:33:04 localhost kernel: audit(1148664784.449:11): avc:  denied  { entrypoint } for  pid=2683 comm="httpd" name="gbook.cgi" dev=dm-0 ino=11930847 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file

I don't have /var/log/audit
Comment 3 M. Kristall 2006-05-28 11:33:57 EDT
Okay, I was able to test this on a different FC5 system to make sure I didn't
screw something up and I got basically the same thing (though this one has
/var/log/audit and the avc message was in /var/log/audit/audit.log instead).

I get this even with the scripts in cgi-bin.
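The AVC record quoted in comment 2 (and the audit.log form of it mentioned in comment 3) is the evidence that decides this bug: the source domain `httpd_sys_script_t` is denied `entrypoint` on a file labelled `httpd_sys_content_t`, so the CGI's file type is not one the policy lets that domain be entered through. The following is an added example, not code from the bug report or from the selinux-policy project, that parses AVC records in both the syslog framing shown above and the raw `type=AVC msg=audit(...)` framing of `/var/log/audit/audit.log`, and states in plain terms what each denial means. The sample lines are constructed around the quoted record; the second, fourth, and fifth are invented for contrast and are not from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines. The first is the record quoted in comment 2;
# the others are made up here to exercise the parser (a granted record, a
# non-AVC line, the audit.log framing, and an unrelated denial).
SAMPLE_LINES = [
    'May 26 13:33:04 localhost kernel: audit(1148664784.449:11): avc:  denied  '
    '{ entrypoint } for  pid=2683 comm="httpd" name="gbook.cgi" dev=dm-0 '
    'ino=11930847 scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file',
    'May 26 13:35:10 localhost kernel: audit(1148664910.100:12): avc:  granted  '
    '{ read } for  pid=2683 comm="httpd" name="index.html" dev=dm-0 ino=11930001 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file',
    'May 26 13:36:00 localhost sshd[1234]: Accepted password for alice from '
    '192.0.2.10 port 5555 ssh2',
    'type=AVC msg=audit(1148664784.449:11): avc:  denied  { entrypoint } for  '
    'pid=2683 comm="httpd" name="gbook.cgi" dev=dm-0 ino=11930847 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file',
    'type=AVC msg=audit(1148664999.001:13): avc:  denied  { name_connect } for  '
    'pid=2690 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
]

# "avc: denied { perm ... } for key=value key="value" ..."; search() rather than
# match() so both the syslog prefix and the audit.log prefix are skipped.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values are either double-quoted or a bare non-space token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass
class AvcRecord:
    result: str      # "denied" or "granted"
    perms: list      # permissions inside the braces, e.g. ["entrypoint"]
    fields: dict     # pid, comm, name, scontext, tcontext, tclass, ...


def parse_avc(line):
    """Return an AvcRecord for an AVC line, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: (q or u) for k, _, q, u in KV_RE.findall(m.group('rest'))}
    return AvcRecord(m.group('result'), m.group('perms').split(), fields)


def context_type(ctx):
    """Third colon-separated field of user:role:type:level is the type."""
    return ctx.split(':')[2]


def explain(rec):
    """Defender-side reading of a denial; None for granted records."""
    if rec.result != 'denied':
        return None
    src = context_type(rec.fields['scontext'])
    tgt = context_type(rec.fields['tcontext'])
    if 'entrypoint' in rec.perms and rec.fields.get('tclass') == 'file':
        # An entrypoint denial is about the file's type, not its mode bits:
        # the domain may only be entered through file types the policy names.
        return (f"{src} cannot be entered through file {rec.fields.get('name')} "
                f"of type {tgt}; the policy allows no entrypoint from that type")
    return (f"{src} denied {' '.join(rec.perms)} on "
            f"{rec.fields.get('tclass')} of type {tgt}")


def triage(lines):
    """Map raw log lines to (comm, explanation) for every denial found."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        msg = explain(rec)
        if msg:
            out.append((rec.fields.get('comm'), msg))
    return out


if __name__ == '__main__':
    for comm, msg in triage(SAMPLE_LINES):
        print(f'{comm}: {msg}')
```

Run against a real `/var/log/messages` or `audit.log` by feeding its lines to `triage()`; the entrypoint branch is the one that flags the condition in this bug, where the file was reachable on disk but carried a content type rather than a script-executable type, which is why `Permissive` made the CGI run while changing file modes did nothing.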
Comment 4 Daniel Walsh 2006-06-06 12:38:35 EDT
Fixed in 2.2.43-3.fc5
Comment 5 M. Kristall 2006-06-07 20:31:30 EDT
Thanks :-)
