Bug 390881 - selinux prevents use of web interface to BackupPC
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: BackupPC
Version: 8
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Johan Cwiklinski
QA Contact: Fedora Extras Quality Assurance

Reported: 2007-11-19 13:59 EST by George Avrunin
Modified: 2007-11-30 17:12 EST
Last Closed: 2007-11-19 17:40:51 EST

Attachments:
te file (737 bytes, application/octet-stream), 2007-11-20 06:22 EST, Daniel Walsh
fc file (269 bytes, application/octet-stream), 2007-11-20 06:22 EST, Daniel Walsh
if file (4.70 KB, application/octet-stream), 2007-11-20 06:22 EST, Daniel Walsh
shell script to install and label (1.32 KB, application/x-shellscript), 2007-11-20 06:24 EST, Daniel Walsh

Description George Avrunin 2007-11-19 13:59:33 EST
Description of problem: When I try to use the web interface to BackupPC, I get
selinux violations.


Version-Release number of selected component (if applicable): BackupPC is
BackupPC-3.0.0-3.fc8, selinux-policy-targeted is 3.0.8-53.fc8


How reproducible:
every time

Steps to Reproduce:
1. Install BackupPC_Admin under /var/www/cgi-bin (I have it in
/var/www/cgi-bin/BackupPC) and set up passwords, etc.
2. Go to it from a browser and login
3. selinux prevents access (but I can use the web interface if I set selinux to
permissive)
 
  
Actual results:
sealert reports the following:
Summary
SELinux is preventing /usr/bin/sperl5.8.8 (httpd_sys_script_t)
"setuid" to (httpd_sys_script_t).

Detailed Description
SELinux denied access requested by /usr/bin/sperl5.8.8. It is not
expected that this access is required by /usr/bin/sperl5.8.8 and this
access may signal an intrusion attempt. It is also possible that the
specific version or configuration of the application is causing it to
require additional access.

Allowing Access
You can generate a local policy module to allow this access - see FAQ
Or you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report against this
package.

Additional Information

Source Context:	system_u:system_r:httpd_sys_script_t:s0
Target Context:	system_u:system_r:httpd_sys_script_t:s0
Target Objects:	None [ capability ]
Affected RPM Packages:	perl-suidperl-5.8.8-31.fc8 [application]
Policy RPM:	selinux-policy-3.0.8-47.fc8
Selinux Enabled:	True
Policy Type:	targeted
MLS Enabled:	True
Enforcing Mode:	Permissive
Plugin Name:	plugins.catchall
Host Name:	g2
Platform:	Linux g2 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007
i686 i686
Alert Count:	15
First Seen:	Sun 11 Nov 2007 12:18:32 PM EST
Last Seen:	Thu 15 Nov 2007 08:50:48 PM EST
Local ID:	3601b195-d0fb-4477-b969-c6f87a3a5fc9
Line Numbers:	

Raw Audit Messages :

avc: denied { setuid } for comm=sperl5.8.8 egid=48 euid=493
exe=/usr/bin/sperl5.8.8 exit=0 fsgid=48 fsuid=493 gid=48 items=0
pid=3645 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=48
subj=system_u:system_r:httpd_sys_script_t:s0 suid=0 tclass=capability
tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48  

Expected results:  should be able to use the web interface without having to set
selinux to permissive.


Additional info:
Comment 1 Jonathan Underwood 2007-11-19 14:21:27 EST
As an aside, step 1:

1. Install BackupPC_Admin under /var/www/cgi-bin (I have it in
/var/www/cgi-bin/BackupPC) and set up passwords, etc.

should really not need to be done manually, and surely should be done by the
BackupPC package.
Comment 2 Johan Cwiklinski 2007-11-19 17:40:51 EST
Indeed, these steps should not be done manually. Installing BackupPC from the RPM
avoids SELinux denials.

However, this is not a bug, but a simple SELinux misconfiguration on the user's
part; see the SELinux FAQs or the SELinux module shipped with the package.
Comment 3 George Avrunin 2007-11-19 20:56:23 EST
(In reply to comment #2)
> Indeed, these steps should not be done manually. Installing BackupPC from the RPM
> avoids SELinux denials.
> 
> However, this is not a bug, but a simple SELinux misconfiguration on the user's
> part; see the SELinux FAQs or the SELinux module shipped with the package.

Could you clarify this a bit for me?  When I install the rpm, nothing gets
installed into /var/www/cgi-bin, but /etc/BackupPC/config.pl has 

$Conf{CgiURL} = 'http://localhost/cgi-bin/BackupPC_Admin'

so I assume it's necessary to copy /usr/share/BackupPC/sbin/BackupPC_Admin to
/var/www/cgi-bin (or wherever CgiURL points to in the config.pl file).  Is this
not the case?  

Moreover, the selinux policy file from the package (installed into
/usr/share/selinux/packages/BackupPC/BackupPC.pp) seems to get loaded properly.
 At least, semodule -l shows "BackupPC 0.0.3".  Is it necessary for me to do
something besides copy the BackupPC_Admin script to /var/www/cgi-bin and adjust
the permissions (and edit config.pl for my hosts, etc.)?  As I said in my bug
report (or notabug report, I guess), I have BackupPC_Admin working if I set
selinux to permissive.  The documentation that comes in the rpm says "The CGI
interface should have been installed by the configure.pl script in
__CGIDIR__/BackupPC_Admin. BackupPC_Admin should have been installed as setuid
to the BackupPC user (__BACKUPPCUSER__), in addition to user and group execute
permission."  When I installed from the tarball, I had to run configure.pl, but
this script doesn't even seem to be part of the rpm.  Since BackupPC_Admin isn't
in the cgi-bin directory, I assumed I had to put it there.  Is that incorrect? 
Should the "yum install BackupPC" have done that?  If so, maybe there was a
problem when I installed the package.

I don't understand much at all about the internals of selinux or the policy
language.  Or even how to see what the policy in BackupPC.pp really says in some
human-readable form.  In the past (on FC6), I had installed BackupPC 3.0 from
the tarball and I wasn't surprised to run into selinux difficulties.  But I
thought installing from the rpm would eliminate those, and I guess it should
have.  But I don't know what I did wrong in configuring things.  If I've just
missed some piece of the documentation that says what I should have done, please
point me to that.

Thanks.
Comment 4 Johan Cwiklinski 2007-11-20 02:01:08 EST
Hi,

(In reply to comment #3)
> Could you clarify this a bit for me?  When I install the rpm, nothing gets
> installed into /var/www/cgi-bin, but /etc/BackupPC/config.pl has 
> 
> $Conf{CgiURL} = 'http://localhost/cgi-bin/BackupPC_Admin'

I should change it to 'http://localhost/BackupPC' for the next release, since
this is the correct URL. My bad.

> so I assume it's necessary to copy /usr/share/BackupPC/sbin/BackupPC_Admin to
> /var/www/cgi-bin (or wherever CgiURL points to in the config.pl file).  Is this
> not the case?  

It is not. There is a ScriptAlias in the conf file located at
/etc/httpd/conf.d/BackupPC.conf, take a look at it ;)

> Moreover, the selinux policy file from the package (installed into
> /usr/share/selinux/packages/BackupPC/BackupPC.pp) seems to get loaded properly.

It is, I've tested on f7 and f8 successfully.

> The documentation that comes in the rpm says "The CGI
> interface should have been installed by the configure.pl script in
> __CGIDIR__/BackupPC_Admin. BackupPC_Admin should have been installed as setuid
> to the BackupPC user (__BACKUPPCUSER__), in addition to user and group execute
> permission."

These paths are the defaults for a 'manual' installation; paths in the package
are a bit different, since the CGI interface is installed in
/usr/share/BackupPC/sbin/BackupPC_Admin and aliased in the httpd's .conf file.
That's why you experience SELinux denials... The policy is set to
/usr/share/BackupPC, not to /var/www/cgi-bin.

To have BackupPC fully functional from the web interface, you just need to
install the RPM and then create at least one user in the
'/etc/BackupPC/apache.users' htpasswd file, and that's all.
I should add a Fedora.readme file in the next release, but won't make a package
update only for this.

Hope that helps, feel free to contact me by mail if you have further questions.

Regards,
Johan
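
An added example, not part of the original thread or of the BackupPC package: a small Python triage of the raw audit message from the description, showing what the denial says about the process domain and what rule a local policy module for it would contain. The function names and the `GENERIC_CGI_DOMAINS` set are assumptions made for this illustration.

```python
import re
# Raw audit message from the bug description, re-joined onto one line.
AVC = (
    "avc: denied { setuid } for comm=sperl5.8.8 egid=48 euid=493 "
    "exe=/usr/bin/sperl5.8.8 exit=0 fsgid=48 fsuid=493 gid=48 items=0 "
    "pid=3645 scontext=system_u:system_r:httpd_sys_script_t:s0 sgid=48 "
    "subj=system_u:system_r:httpd_sys_script_t:s0 suid=0 tclass=capability "
    "tcontext=system_u:system_r:httpd_sys_script_t:s0 tty=(none) uid=48")
GENERIC_CGI_DOMAINS = {"httpd_sys_script_t"}  # assumption: set chosen for this example

def parse_avc(line):
    """Split an AVC record into result, permission list and key=value fields."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if m is None:
        raise ValueError("not an AVC record")
    pairs = (kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    fields = {k: v.strip('"') for k, v in pairs}
    fields["result"], fields["perms"] = m.group(1), m.group(2).split()
    return fields

def se_type(context):  # the type is the third field of user:role:type[:level]
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {context!r}")
    return parts[2]

def allow_rule(avc):
    """Render the rule in the form audit2allow prints; source == target is 'self'."""
    src, tgt = se_type(avc["scontext"]), se_type(avc["tcontext"])
    perms = avc["perms"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {'self' if src == tgt else tgt}:{avc['tclass']} {perm};"

def triage(avc):
    """Findings to check before loading any local policy module."""
    src, notes = se_type(avc["scontext"]), []
    if src in GENERIC_CGI_DOMAINS:
        notes.append(f"{avc.get('exe')} runs in generic CGI domain {src}: "
                     "check the script's install path and file label first")
    if avc.get("uid") != avc.get("euid"):
        notes.append(f"uid={avc.get('uid')} euid={avc.get('euid')}: "
                     "a setuid executable is switching identity")
    if avc["tclass"] == "capability":
        notes.append(f"{allow_rule(avc)} would apply to every process in {src}")
    return notes

if __name__ == "__main__":
    print("\n".join(triage(parse_avc(AVC))))
```
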
Comment 5 Daniel Walsh 2007-11-20 06:21:42 EST
So does it need setuid or not?  I threw together some selinux policy files for
BackupPC even though I have never used it.

Comment 6 Daniel Walsh 2007-11-20 06:22:19 EST
Created attachment 264781 [details]
te file
Comment 7 Daniel Walsh 2007-11-20 06:22:39 EST
Created attachment 264791 [details]
fc file
Comment 8 Daniel Walsh 2007-11-20 06:22:58 EST
Created attachment 264801 [details]
if file
Comment 9 Daniel Walsh 2007-11-20 06:24:24 EST
Created attachment 264811 [details]
shell script to install and label
Comment 10 George Avrunin 2007-11-20 21:53:13 EST
Now that I understand how the package is supposed to be used, it seems to work
fine.  I was misled by the difference between the documentation installed by the
package (which Johan says is to apply only to a "manual" installation) and the
way the package does things, as well as by the line in the installed config.pl
that matched the documentation.  My setup seems to be ok now.  (But even if I
had never installed BackupPC manually before, I don't know if I would have
figured out how to make the package version work, since several things differ
from the installation described in the documentation -- the Fedora.readme Johan
mentions for the next release would be a big help.)  

Thanks.

  George
