Bug 197473 - selinux policy for apache denies shell commands via PHP
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-07-02 14:04 EDT by Carl Roth
Modified: 2007-11-30 17:11 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-03-28 16:04:13 EDT
Attachments: None

Description Carl Roth 2006-07-02 14:04:05 EDT
Description of problem:

The apache.te file in the selinux targeted policy for FC5 allows for Apache to
invoke commands in bin (corecmd_exec_bin) and sbin (corecmd_exec_sbin), but it
does not allow shell scripts (corecmd_exec_shell).

This means that the back-tick operator in PHP scripts does not work.  By
default, the back-tick expansion invokes /bin/sh on the script.

Version-Release number of selected component (if applicable):

This was found on selinux-policy-targeted-2.2.43-4.fc5 on a PPC.

Comment 1 Daniel Walsh 2006-07-11 14:38:57 EDT
If you set the httpd_ssi_exec boolean, does it fix your problem?

setsebool -P httpd_ssi_exec=1

Comment 2 Carl Roth 2006-07-29 12:07:44 EDT
Sorry for the delayed response.

No, that doesn't fix the problem.  That bool was enabled on my system in the
first place.
Comment 3 Daniel Walsh 2006-07-31 08:58:36 EDT
Could you attach the avc messages generated?
Comment 4 Carl Roth 2006-07-31 12:44:49 EDT
The latest system I tried this on is running selinux-policy-targeted 2.3.2, and
it no longer exhibits this problem.  The only issue I'm seeing now with PHP
scripts is the eventpollfs issue:

type=AVC msg=audit(1154363527.022:74215): avc:  denied  { read } for  pid=27588 comm="sh" name="[14015870]" dev=eventpollfs ino=14015870 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:eventpollfs_t:s0 tclass=file
type=SYSCALL msg=audit(1154363527.022:74215): arch=40000003 syscall=11 success=yes exit=0 a0=668f77 a1=bfac8c0c a2=bfacc91c a3=400 items=2 pid=27588 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="sh" exe="/bin/bash" subj=user_u:system_r:httpd_sys_script_t:s0
type=AVC_PATH msg=audit(1154363527.022:74215):  path="eventpoll:[14015870]"
type=CWD msg=audit(1154363527.022:74215):  cwd="/var/www/html/phpwims"
type=PATH msg=audit(1154363527.022:74215): item=0 name="/bin/sh" inode=2981976 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_

I fixed this by adding

    type httpd_sys_script_t;

to my local configuration.
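Added illustration (not part of this report or of the Fedora policy): the rule behind the local fix in comment 4 can be derived mechanically from the AVC record quoted above, the way audit2allow does it. The helper names and the module name localhttpd are assumptions; the same helper can emit a dontaudit rule instead, which is the more conservative choice when the denied object is, as here, an epoll descriptor inherited across the exec of /bin/sh rather than something the script opened itself.

```python
import re

# Constructed sample: the AVC record from comment 4, rejoined onto one line.
SAMPLE_AVC = (
    "type=AVC msg=audit(1154363527.022:74215): avc:  denied  { read } for  "
    'pid=27588 comm="sh" name="[14015870]" dev=eventpollfs ino=14015870 '
    "scontext=user_u:system_r:httpd_sys_script_t:s0 "
    "tcontext=system_u:object_r:eventpollfs_t:s0 tclass=file"
)

# Extracts decision, permission set, both contexts and object class from an AVC record.
_AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return the fields a TE rule needs, or None if this is not an AVC record."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    # A context is user:role:type[:range]; the type is always the third field.
    return {
        "decision": m["decision"],
        "perms": sorted(m["perms"].split()),
        "stype": m["scontext"].split(":")[2],
        "ttype": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
    }

def to_te_rule(avc, kind="allow"):
    """Render one TE rule; kind='dontaudit' silences the denial without granting it."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"{kind} {avc['stype']} {avc['ttype']}:{avc['tclass']} {perm_str};"

def build_module(lines, name="localhttpd", kind="allow"):
    """Assemble a loadable .te module (require block plus rules) from audit lines."""
    rules, types = [], set()
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc["decision"] != "denied":
            continue
        types.update((avc["stype"], avc["ttype"]))
        rule = to_te_rule(avc, kind)
        if rule not in rules:  # the same denial is usually logged many times
            rules.append(rule)
    req = "\n".join(f"\ttype {t};" for t in sorted(types))
    return f"policy_module({name}, 1.0)\n\nrequire {{\n{req}\n}}\n\n" + "\n".join(rules) + "\n"
```

Review each generated rule before building and loading the module with the usual checkmodule, semodule_package and semodule sequence.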
Comment 5 Daniel Walsh 2007-03-28 16:04:13 EDT
Closing bugs
