Bug 193201 - SELinux strict policy blocks CGI execution
Summary: SELinux strict policy blocks CGI execution
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-05-26 00:29 UTC by M. Kristall
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 43.fc5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-06-08 15:58:37 UTC
Type: ---
Embargoed:



Description M. Kristall 2006-05-26 00:29:15 UTC
I searched for httpd and apache under the selinux components and couldn't find
any results. So I guess this is new.


Description of problem:
With strict policy selected, httpd cannot run CGIs.

Version-Release number of selected component (if applicable):
selinux-policy 2.2.40-1.fc5
httpd 2.2.0-5.1.2

How reproducible:
Always

Steps to Reproduce:
1. In gnome, System > Administration > Security Level and Firewall
2. In the SELinux tab, set SELinux Setting to "Enforcing", click OK
3. Request something like http://localhost/path/to/some/file.cgi
4. tail -n2 /var/log/httpd/error_log
  
Actual results:
(13)Permission denied: exec of '/var/www/html/some/file.cgi' failed
Premature end of script headers: file.cgi

Expected results:
The CGI should run fine.


Additional info:
I did not manually edit the selinux policy. I always have the "SELinux Setting"
on Enforcing, and (because I'm lazy and don't want to have to learn about how to
configure SELinux :-( ) I use the Security Level Configuration program for
tuning the SELinux policy.
I usually have the following checked under "HTTPD Service":
Allow HTTPD cgi support
Allow HTTPD scripts and modules to connect to the network.
Allow HTTPD to support build-in scripting
Unify HTTPD handling of all content files.
Unify HTTPD to communicate with the terminal.

According to my Apache logs, the last time I actually ran any CGIs with this
computer was on May 15 (really, it was that long?). It worked then. Since then I
have not adjusted the SELinux policy or changed the Apache configuration, or the
CGIs' permissions. Neither of the last two are the problem: switching the policy
to Permissive, or disabling SELinux makes things work as expected.

Enabling "Disable SELinux protection for HTTPD" does not seem to do anything.

I'd assume that I did something wrong, but I haven't made any changes in a while
and it was working but now it is not.


(I can't confirm this on any other systems, but I assume this affects all
architectures since selinux-policy is platform independent... right?)

Comment 1 Daniel Walsh 2006-05-26 09:52:55 UTC
Are you seeing AVC messages in your /var/log/messages or
/var/log/audit/audit.log file?

Comment 2 M. Kristall 2006-05-26 17:32:02 UTC
In /var/log/messages I see repeated (obviously with different times):

May 26 13:33:04 localhost kernel: audit(1148664784.449:11): avc:  denied  {
entrypoint } for  pid=2683 comm="httpd" name="gbook.cgi" dev=dm-0 ino=11930847
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file

I don't have /var/log/audit
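
The AVC record above is the whole diagnosis: httpd is in the httpd_sys_script_t domain and is denied the entrypoint permission on a file labeled httpd_sys_content_t. The following is an added triage helper, not part of this bug report or of selinux-policy, that parses such a line and names the label that would normally be expected; the mapping httpd_sys_script_t -> httpd_sys_script_exec_t is a well-known reference policy convention, and any other mapping in the table is an assumption of this example.

```python
import re

# Constructed sample input: the AVC line quoted in comment 2, as it appears in /var/log/messages.
SAMPLE_AVC = (
    'May 26 13:33:04 localhost kernel: audit(1148664784.449:11): avc:  denied  { '
    'entrypoint } for  pid=2683 comm="httpd" name="gbook.cgi" dev=dm-0 ino=11930847 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=user_u:object_r:httpd_sys_content_t:s0 tclass=file'
)

# "avc: denied { perm ... } for key=value ..." -- works for both syslog and audit.log records
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Domain -> file type that is an entrypoint into that domain (assumed table for this example;
# the httpd_sys_script_t entry is the standard reference-policy pairing).
ENTRYPOINT_TYPES = {"httpd_sys_script_t": "httpd_sys_script_exec_t"}


def parse_avc(line):
    """Return {'result', 'perms': [...], key: value, ...} for an AVC record, or None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')  # drop the quotes around comm="..." and name="..."
    return rec


def selinux_type(context):
    """Type component of a user:role:type[:level] security context, or None if malformed."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def diagnose(rec):
    """For a denied entrypoint on a file, report the domain, the file's current type and the
    type the domain would accept as an entrypoint (None when the domain is not in the table)."""
    if rec is None or rec["result"] != "denied" or "entrypoint" not in rec["perms"] or rec.get("tclass") != "file":
        return None
    domain = selinux_type(rec["scontext"])
    return {
        "domain": domain,
        "file": rec.get("name"),
        "target_type": selinux_type(rec["tcontext"]),
        "expected_type": ENTRYPOINT_TYPES.get(domain),
    }


if __name__ == "__main__":
    print(diagnose(parse_avc(SAMPLE_AVC)))
```

If the reported file already carries the expected type (check with `ls -Z`) and the denial persists, the policy itself lacks the entrypoint rule, which is what the maintainer's fix in a later selinux-policy build addressed.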

Comment 3 M. Kristall 2006-05-28 15:33:57 UTC
Okay, I was able to test this on a different FC5 system to make sure I didn't
screw something up and I got basically the same thing (though this one has
/var/log/audit and the avc message was in /var/log/audit/audit.log instead).

I get this even with the scripts in cgi-bin.

Comment 4 Daniel Walsh 2006-06-06 16:38:35 UTC
Fixed in 2.2.43-3.fc5


Comment 5 M. Kristall 2006-06-08 00:31:30 UTC
Thanks :-)

