Bug 210828 - setsched should be allowed for httpd
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-10-15 18:30 EDT by Ilya Konstantinov
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: RHBA-2007-0171
Doc Type: Bug Fix
Last Closed: 2007-05-01 18:47:57 EDT


Attachments: None
Description Ilya Konstantinov 2006-10-15 18:30:26 EDT
When a web script (e.g. PHP) wants to make a child process run more gracefully
and take fewer resources (by running it through 'nice'), it's actually prohibited
from doing so since 'setsched' is forbidden in the SELinux targeted policy.

It might make some slight sense to forbid setsched which increases priority
(though this already shouldn't happen since httpd doesn't run as root), but
forbidding setsched which decreases priority is counterproductive.

Therefore, lowering-priority setsched should be allowed for httpd_sys_script_t.
(If this doesn't make sense for RHEL4, on which I've tested it, please move it
to Fedora instead.)
Comment 1 Daniel Walsh 2007-01-29 09:47:52 EST
Fixed in 1.17.30-2.142
Comment 5 Ben Levenson 2007-03-22 19:54:57 EDT
Can you reproduce this with the following RPM:
http://people.redhat.com/dwalsh/SELinux/RHEL4/u5/noarch/selinux-policy-targeted-1.17.30-2.143.noarch.rpm
Comment 6 Ilya Konstantinov 2007-03-23 05:39:16 EDT
With your RPM, I'm still getting this:
audit(1174642628.187:1078844): avc:  denied  { execute } for  pid=28636
comm="nice" name="convert" dev=dm-0 ino=8236887
scontext=root:system_r:httpd_sys_script_t
tcontext=system_u:object_r:httpd_unconfined_script_exec_t tclass=file

(trying to execute ImageMagick's convert)
Comment 7 Daniel Walsh 2007-03-23 10:06:23 EDT
This is a different problem. And it looks like you should be running your original
script as httpd_unconfined_script_exec_t, not just the end one.

The avc indicates one cgi running as httpd_sys_script_t (the default for cgi
scripts) is trying to execute a script labeled httpd_unconfined_script_exec_t.
So I believe that your end goal is to run an unconfined cgi. The original
script should be labeled httpd_unconfined_script_exec_t.
Comment 8 Ilya Konstantinov 2007-03-23 11:08:21 EDT
You are right. My /usr/bin/convert (ImageMagick) was erroneously labeled as
httpd_unconfined_script_exec_t.

After relabeling it to bin_t, everything (i.e. running it with "nice") works
fine. Thanks.
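The diagnosis in comments 7 and 8 comes from reading four fields off the AVC line: the source domain (scontext), the target type (tcontext), the object class (tclass) and the denied permission. The script below is an added example, not code from this bug report or from the selinux-policy package; it decodes an AVC denial line into those fields and flags the specific pattern the thread worked out (a confined CGI in httpd_sys_script_t refused execute on a file typed httpd_unconfined_script_exec_t). The sample input is the denial quoted in comment 6, joined back onto one line.

```shell
#!/bin/sh
# Added example for this bug thread (not code from the report or from the
# selinux-policy package): decode an AVC denial line into the pieces comment 7
# reads off by hand, and flag the pattern diagnosed there. The sample line is
# the denial quoted in comment 6, joined back onto one line.

SAMPLE_AVC='audit(1174642628.187:1078844): avc:  denied  { execute } for  pid=28636 comm="nice" name="convert" dev=dm-0 ino=8236887 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:httpd_unconfined_script_exec_t tclass=file'

# avc_field LINE KEY: value of the KEY=value token in LINE, surrounding
# double quotes stripped; prints nothing when the key is absent.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_perms LINE: the permission list between the braces, e.g. "execute".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{\([^}]*\)}.*/\1/p' | sed 's/^ *//; s/ *$//'
}

# ctx_type CONTEXT: the type field of a user:role:type[:level] security context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: one readable sentence per denial.
avc_summary() {
    _src=$(ctx_type "$(avc_field "$1" scontext)")
    _tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    printf 'domain %s (comm %s) denied {%s} on %s "%s" of type %s\n' \
        "$_src" "$(avc_field "$1" comm)" "$(avc_perms "$1")" \
        "$(avc_field "$1" tclass)" "$(avc_field "$1" name)" "$_tgt"
}

# avc_hint LINE: recognise the situation comments 7 and 8 worked out. A
# confined CGI (httpd_sys_script_t) was refused execute on a file typed
# httpd_unconfined_script_exec_t. Either the file is an ordinary helper
# binary that picked up the wrong label (the case in this report:
# /usr/bin/convert, fixed by relabeling it bin_t), or the CGI itself is meant
# to run unconfined, in which case the CGI script, not the helper, should
# carry that type. Anything else is reported as "other" for manual review.
avc_hint() {
    _src=$(ctx_type "$(avc_field "$1" scontext)")
    _tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    if [ "$_src" = httpd_sys_script_t ] &&
       [ "$_tgt" = httpd_unconfined_script_exec_t ] &&
       [ "$(avc_field "$1" tclass)" = file ] &&
       [ "$(avc_perms "$1")" = execute ]; then
        echo "mislabeled-helper-or-unconfined-cgi"
    else
        echo "other"
    fi
}

# Stand-alone run: decode the constructed sample. On a real host the input
# would be the avc lines from the audit log, one per call, for example:
#   grep 'avc: *denied' /var/log/audit/audit.log | while read -r l; do avc_summary "$l"; done
avc_summary "$SAMPLE_AVC"
avc_hint "$SAMPLE_AVC"
```

When the hint fires for a helper binary, the fix comment 8 applied is to put the file back on its default label; `restorecon -v /path/to/binary` does that from the policy's file contexts, and `ls -Z` on the file afterwards should show the expected type (bin_t for /usr/bin/convert in this report). For the original setsched question, a host with setools installed can confirm whether the installed policy now grants the permission with `sesearch -A -s httpd_sys_script_t -c process -p setsched`; an empty result means the 'nice' case from the description would still be denied on that policy version.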
Comment 11 Red Hat Bugzilla 2007-05-01 18:47:57 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0171.html
