Description of problem:
Upgraded to F9 today. suexec'd cgi scripts no longer work

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.3.1-42.fc9

I also tried selinux-policy-targeted-3.3.1-51.fc9 from koji; no change.

How reproducible:
Always

Steps to Reproduce:
1. Create /home/user/public_html/foo.cgi:

#!/usr/bin/perl -w
print "Content-Type: text/plain\r\n";
print "\r\n";
print "TEST";

2. Go to http://localhost/~user/foo.cgi

Actual results:
selinux denial (see below)

Expected results:
script works

Additional info:
setroubleshoot says:

Summary:
SELinux is preventing suexec (httpd_suexec_t) "getattr" to /home/bbaetz/public_html/foo.cgi (httpd_user_content_t).

Detailed Description:
SELinux denied access requested by suexec. It is not expected that this access is required by suexec and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /home/bbaetz/public_html/foo.cgi,

restorecon -v '/home/bbaetz/public_html/foo.cgi'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context                unconfined_u:system_r:httpd_suexec_t:s0
Target Context                unconfined_u:object_r:httpd_user_content_t:s0
Target Objects                /home/bbaetz/public_html/foo.cgi [ file ]
Source                        suexec
Source Path                   /usr/sbin/suexec
Port                          <Unknown>
Host                          plum.home
Source RPM Packages           httpd-2.2.8-3
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-51.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     plum.home
Platform                      Linux plum.home 2.6.25-14.bb.fc9.x86_64 #1 SMP Wed May 14 13:18:19 EST 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 14 May 2008 22:33:19 EST
Last Seen                     Wed 14 May 2008 22:33:19 EST
Local ID                      0c717ee3-5248-4ac0-9090-339a524b5731
Line Numbers

Raw Audit Messages

host=plum.home type=AVC msg=audit(1210768399.417:111): avc: denied { getattr } for pid=12911 comm="suexec" path="/home/bbaetz/public_html/foo.cgi" dev=dm-0 ino=7990381 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=file
host=plum.home type=SYSCALL msg=audit(1210768399.417:111): arch=c000003e syscall=6 success=no exit=-13 a0=7fff0ee34c37 a1=7fff0ee313e0 a2=7fff0ee313e0 a3=7fff0ee31130 items=0 ppid=12676 pid=12911 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4 comm="suexec" exe="/usr/sbin/suexec" subj=unconfined_u:system_r:httpd_suexec_t:s0 key=(null)

# getsebool -a | grep httpd
allow_httpd_anon_write --> on
allow_httpd_dbus_avahi --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> on
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> on
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_ssi_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
You can allow this for now by executing

# audit2allow -M mypol -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-52.fc9
That worked, although I had to repeat it several times to allow execute, read, execute_no_trans and ioctl. That then works, but a slightly more complicated script fails to write to mysql.sock. I suspect that you've done this more generically, but your change hasn't hit cvsweb yet so I can't check. I'll pull the build off koji when it appears. Thanks for the quick response!
Hasn't even been built yet. I will build it later today. Please attach the entire audit.log so I am sure my fix would fix your problem
Created attachment 305364 [details] audit.log Attached. This includes me using a local bugzilla instance too - needed write/connect to the mysql socket and read from a few directories as well
With selinux-policy-targeted-3.3.1-55.fc9.noarch this is still failing:

host=plum.home type=AVC msg=audit(1212464225.654:2382): avc: denied { getattr } for pid=23170 comm="suexec" path="/home/bbaetz/public_html/bugzilla/index.cgi" dev=dm-0 ino=15619979 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file
host=plum.home type=SYSCALL msg=audit(1212464225.654:2382): arch=c000003e syscall=6 success=no exit=-13 a0=7fffeb2c9c3a a1=7fffeb2c6870 a2=7fffeb2c6870 a3=7fffeb2c65c0 items=0 ppid=23085 pid=23170 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="suexec" exe="/usr/sbin/suexec" subj=unconfined_u:system_r:httpd_suexec_t:s0 key=(null)

and:

host=plum.home type=AVC msg=audit(1212464467.443:2431): avc: denied { search } for pid=23458 comm="index.cgi" name="mysql" dev=dm-0 ino=1865954 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
host=plum.home type=SYSCALL msg=audit(1212464467.443:2431): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=7ffff9fa0ec0 a2=6e a3=7ffff9fa0290 items=0 ppid=23088 pid=23458 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="index.cgi" exe="/usr/bin/perl" subj=unconfined_u:system_r:httpd_suexec_t:s0 key=(null)
Fixed in selinux-policy-3.3.1-66.fc9.noarch
Still broken in selinux-policy-3.3.1-67.fc9.noarch, and I don't see anything in the changelog matching this bug - same set of errors as in comment 2.
Seems like I hit the first one but missed the mysql one. You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-68.fc9.noarch
Nope. If I remove mypol again, I still get the original

host=plum.home type=AVC msg=audit(1214307838.97:149): avc: denied { getattr } for pid=12588 comm="suexec" path="/home/bbaetz/public_html/bugzilla/index.cgi" dev=dm-0 ino=15619979 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file
host=plum.home type=SYSCALL msg=audit(1214307838.97:149): arch=c000003e syscall=6 success=no exit=-13 a0=7fff9aaf7c2a a1=7fff9aaf4090 a2=7fff9aaf4090 a3=7fff9aaf3de0 items=0 ppid=12564 pid=12588 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="suexec" exe="/usr/sbin/suexec" subj=unconfined_u:system_r:httpd_suexec_t:s0 key=(null)

error, as well as the followup set in the attachment.

selinux-policy-3.3.1-70.fc9.noarch
selinux-policy-devel-3.3.1-70.fc9.noarch
selinux-policy-targeted-3.3.1-70.fc9.noarch

All downloaded from koji.

The mypol.te file generated from audit2allow includes:

#============= httpd_suexec_t ==============
allow httpd_suexec_t httpd_user_content_t:dir { read write add_name remove_name };
allow httpd_suexec_t httpd_user_content_t:file { rename execute setattr read create getattr execute_no_trans write ioctl unlink };
allow httpd_suexec_t mysqld_db_t:dir search;
allow httpd_suexec_t mysqld_t:unix_stream_socket connectto;
allow httpd_suexec_t mysqld_var_run_t:sock_file write;
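The audit2allow workaround given earlier in this thread and the mypol.te it produced (quoted just above) are one instance of a general procedure: collect the AVC records, group them by source type, target type and object class, and render one allow rule per group. The script below is an added illustration of that procedure, written for this page; it is neither the reporter's nor the maintainer's code, and it is not audit2allow itself. It parses the AVC records quoted in this bug, plus two constructed records (marked in the comments) standing in for the execute/execute_no_trans/ioctl and mysql.sock denials the reporter describes but did not paste, and it adds the check a practitioner wants before running semodule -i: it lists which of the generated rules grant mutating permissions, so each can be confirmed against the script's real needs rather than installed wholesale.

```python
"""Summarise SELinux AVC denials into candidate allow rules (audit2allow style)
and flag the rules that grant mutating access for manual review."""
import re
from collections import defaultdict

# Constructed sample input. The first three AVC records are copied from this
# bug report; the two marked CONSTRUCTED are made up for the example. The
# SYSCALL record shows that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1210768399.417:111): avc: denied { getattr } for pid=12911 comm="suexec" path="/home/bbaetz/public_html/foo.cgi" dev=dm-0 ino=7990381 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=file
type=SYSCALL msg=audit(1210768399.417:111): arch=c000003e syscall=6 success=no exit=-13 comm="suexec" exe="/usr/sbin/suexec"
type=AVC msg=audit(1212464225.654:2382): avc: denied { getattr } for pid=23170 comm="suexec" path="/home/bbaetz/public_html/bugzilla/index.cgi" dev=dm-0 ino=15619979 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=file
type=AVC msg=audit(1212464467.443:2431): avc: denied { search } for pid=23458 comm="index.cgi" name="mysql" dev=dm-0 ino=1865954 scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:mysqld_db_t:s0 tclass=dir
type=AVC msg=audit(1300000000.000:1): avc: denied { read execute execute_no_trans ioctl } for pid=1 comm="suexec" path="/home/user/public_html/foo.cgi" scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=file
type=AVC msg=audit(1300000000.000:2): avc: denied { write } for pid=2 comm="index.cgi" name="mysql.sock" scontext=unconfined_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:mysqld_var_run_t:s0 tclass=sock_file
"""
# (records :1 and :2 above are CONSTRUCTED, not taken from the bug)

# One AVC record: "avc: denied { perm perm ... } for ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Permissions that let the subject modify or remove the object. A generated
# rule that grants these deserves a second look before the module is installed.
MUTATING = {'write', 'append', 'create', 'unlink', 'rename', 'setattr',
            'add_name', 'remove_name', 'relabelto', 'relabelfrom'}


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    return parts[2]


def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per AVC denial."""
    for line in log_text.splitlines():
        if 'type=AVC' not in line:
            continue  # SYSCALL/PATH/CWD records carry no access-vector information
        m = AVC_RE.search(line)
        if not m:
            continue  # AVC record in a shape this parser does not understand
        yield (context_type(m['scontext']), context_type(m['tcontext']),
               m['tclass'], frozenset(m['perms'].split()))


def aggregate(denials):
    """Collapse individual denials into {(stype, ttype, tclass): set(perms)}."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def to_te(rules):
    """Render the aggregated denials as allow rules in .te syntax."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        plist = ' '.join(sorted(perms))
        body = plist if len(perms) == 1 else '{ ' + plist + ' }'
        lines.append(f"allow {stype} {ttype}:{tclass} {body};")
    return '\n'.join(lines)


def review(rules):
    """Return only the rules that grant mutating permissions, for manual confirmation."""
    return {key: perms & MUTATING for key, perms in rules.items() if perms & MUTATING}


def main():
    rules = aggregate(parse_avc_denials(SAMPLE_AUDIT_LOG))
    print(to_te(rules))
    for (stype, ttype, tclass), perms in review(rules).items():
        print(f"# REVIEW: {stype} -> {ttype}:{tclass} would gain {sorted(perms)}")


if __name__ == '__main__':
    main()
```

Run against the embedded sample, the script emits three rules (file access on httpd_user_content_t, dir search on mysqld_db_t, sock_file write on mysqld_var_run_t) and flags only the last one for review. Feeding it the real /var/log/audit/audit.log reproduces the grouping step of audit2allow; the point of the separate review() pass is that a module built from a log that also contains unrelated denials, or from a script that happened to write during the capture window, will carry those permissions too, which is exactly what the quoted mypol.te shows with its create/unlink/rename entries.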
This is still happening, selinux-policy-targeted-3.3.1-95.fc9.noarch
Same errors in current rawhide
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle. Changing version to '10'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
This message is a reminder that Fedora 10 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 10. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '10'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 10's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 10 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Closing as closed in the current release.