Bug 210828 - setsched should be allowed for httpd
Summary: setsched should be allowed for httpd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-10-15 22:30 UTC by Ilya Konstantinov
Modified: 2007-11-30 22:07 UTC

Fixed In Version: RHBA-2007-0171
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-05-01 22:47:57 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHBA-2007:0171
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix update
Last Updated: 2007-04-27 21:16:38 UTC

Description Ilya Konstantinov 2006-10-15 22:30:26 UTC
When a web script (e.g. PHP) wants to make a child process run more gracefully
and take fewer resources (by running it through 'nice'), it's actually prohibited
from doing so since 'setsched' is forbidden in the SELinux targeted policy.

It might make some slight sense to forbid setsched which increases priority
(though this already shouldn't happen since httpd doesn't run as root), but
forbidding setsched which decreases priority is counterproductive.

Therefore, lowering-priority setsched should be allowed for httpd_sys_script_t.
(If this doesn't make sense for RHEL4, on which I've tested it, please move it
to Fedora instead.)

Comment 1 Daniel Walsh 2007-01-29 14:47:52 UTC
Fixed in 1.17.30-2.142

Comment 5 Ben Levenson 2007-03-22 23:54:57 UTC
Can you reproduce this with the following RPM:
http://people.redhat.com/dwalsh/SELinux/RHEL4/u5/noarch/selinux-policy-targeted-1.17.30-2.143.noarch.rpm

Comment 6 Ilya Konstantinov 2007-03-23 09:39:16 UTC
With your RPM, I'm still getting this:
audit(1174642628.187:1078844): avc:  denied  { execute } for  pid=28636 comm="nice" name="convert" dev=dm-0 ino=8236887 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_unconfined_script_exec_t tclass=file

(trying to execute ImageMagick's convert)

Comment 7 Daniel Walsh 2007-03-23 14:06:23 UTC
This is a different problem. And it looks like you should be running your original
script as httpd_unconfined_script_exec_t, not just the end one.


The avc indicates one cgi running as httpd_sys_script_t (The default for cgi
scripts) is trying to execute a script labeled httpd_unconfined_script_exec_t. 
So I believe that your end goal is to run an unconfined cgi.  The original
script should be labeled httpd_unconfined_script_exec_t.
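The diagnosis in comments 6 and 7 comes down to reading the AVC record: which domain (scontext type) tried which permission on which label (tcontext type). The following parser and triage helper is an added example, not part of this bug report or of selinux-policy. It parses the record quoted in comment 6 (rejoined onto one line) and a constructed `setsched` denial written in the same format to stand for the case in the description; the category names and the `triage` heuristics are the example's own.

```python
"""
Parse SELinux AVC denial records and classify them the way comment 7 does:
an execute denial against another domain's *_exec_t label usually means the
target file is mislabeled (or the caller belongs in that other domain),
whereas a process:setsched denial is a policy permission question.
Added example; not code from the bug report or from selinux-policy.
"""
import re
from dataclasses import dataclass, field

# Record from comment 6, rejoined onto one line.
PAGE_AVC = (
    'audit(1174642628.187:1078844): avc:  denied  { execute } for  pid=28636 '
    'comm="nice" name="convert" dev=dm-0 ino=8236887 '
    'scontext=root:system_r:httpd_sys_script_t '
    'tcontext=system_u:object_r:httpd_unconfined_script_exec_t tclass=file'
)

# Constructed sample (not from the page): the setsched denial the reporter
# describes, written in the same record format. Timestamp/pid are made up.
SETSCHED_AVC = (
    'audit(1160950000.000:1): avc:  denied  { setsched } for  pid=4242 '
    'comm="nice" scontext=root:system_r:httpd_sys_script_t '
    'tcontext=root:system_r:httpd_sys_script_t tclass=process'
)

_HEAD = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$'
)
_KV = re.compile(r'(?P<key>\w+)=(?P<val>"[^"]*"|\S+)')


@dataclass
class Avc:
    timestamp: float
    serial: int
    verdict: str
    perms: frozenset
    fields: dict = field(default_factory=dict)

    def _type_of(self, ctx_key):
        # A context is user:role:type[:mls]; the type is the third field.
        return self.fields[ctx_key].split(':')[2]

    @property
    def source_type(self):
        return self._type_of('scontext')

    @property
    def target_type(self):
        return self._type_of('tcontext')


def parse_avc(line):
    """Turn one AVC record into an Avc; raises ValueError on other input."""
    m = _HEAD.match(line.strip())
    if m is None:
        raise ValueError('not an AVC record: %r' % line)
    fields = {k: v.strip('"') for k, v in _KV.findall(m.group('rest'))}
    for required in ('scontext', 'tcontext', 'tclass'):
        if required not in fields:
            raise ValueError('AVC record lacks %s=' % required)
    return Avc(float(m.group('ts')), int(m.group('serial')),
               m.group('verdict'), frozenset(m.group('perms').split()), fields)


def triage(avc):
    """Return (category, explanation) using the reasoning from comment 7."""
    if avc.verdict != 'denied':
        return ('granted', 'record is not a denial')
    tclass = avc.fields['tclass']
    if (tclass == 'file' and 'execute' in avc.perms
            and avc.target_type.endswith('_exec_t')
            and avc.target_type != avc.source_type):
        return ('mislabeled-file-or-wrong-domain',
                '%s tried to execute a file labeled %s (name=%s). Either the '
                'file carries the wrong label (check it with ls -Z and reset '
                'it with restorecon) or the calling script should itself run '
                'in the domain that label is the entrypoint for.'
                % (avc.source_type, avc.target_type, avc.fields.get('name')))
    if tclass == 'process' and 'setsched' in avc.perms:
        return ('policy-permission',
                '%s is not allowed process:setsched; this is a policy '
                'decision, not a labeling problem.' % avc.source_type)
    return ('other', 'denied %s on %s for %s' %
            (sorted(avc.perms), tclass, avc.target_type))


if __name__ == '__main__':
    for record in (PAGE_AVC, SETSCHED_AVC):
        category, why = triage(parse_avc(record))
        print(category, '-', why)
```

Running the script classifies the comment 6 record as a labeling problem (which matches the resolution in comment 8: relabeling /usr/bin/convert to bin_t) and the constructed record as a policy permission question; real records can be fed in from `/var/log/audit/audit.log` one line at a time.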

Comment 8 Ilya Konstantinov 2007-03-23 15:08:21 UTC
You are right. My /usr/bin/convert (ImageMagick) was erroneously labeled as
httpd_unconfined_script_exec_t.

After relabeling it to bin_t, everything (i.e. running it with "nice") works
fine. Thanks.

Comment 11 Red Hat Bugzilla 2007-05-01 22:47:57 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0171.html