Bug 448445 - Policy has no boolean to allow httpd to allow execmem for CGI
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Assigned To: Daniel Walsh
Reported: 2008-05-26 18:40 EDT by John D. Ramsdell
Modified: 2008-07-03 14:30 EDT
Last Closed: 2008-07-02 15:14:44 EDT

Attachments
Policy to allow execmem for CGI scripts (439 bytes, text/plain), 2008-05-26 18:40 EDT, John D. Ramsdell
Script that creates /tmp file entry with type httpd_sys_content_rw_t (300 bytes, text/plain), 2008-07-03 11:09 EDT, John D. Ramsdell

Description John D. Ramsdell 2008-05-26 18:40:15 EDT
Description of problem:

The policy shipped with Fedora 9 does not have a boolean that gives CGI scripts
execmem permission.  This means I cannot run a Haskell program as a CGI script on a
machine in enforcing mode.
Comment 1 John D. Ramsdell 2008-05-26 18:40:15 EDT
Created attachment 306712
Policy to allow execmem for CGI scripts
Comment 2 John D. Ramsdell 2008-05-27 13:52:39 EDT
I also notice that SELinux prevents tmpwatch (tmpreaper_t) "getattr" to
/tmp/cgiapp.pid (httpd_sys_content_rw_t). The file /tmp/cgiapp.pid is a lock
file created by a CGI script that ensures at most one copy of the big CGI
program is running at any time.  The program tmpwatch was trying to reap a lock
file left over after a crash.
Comment 3 Daniel Walsh 2008-07-02 15:14:44 EDT
I think allowing httpd_sys_script_t execmem calls for special policy.  Either
write a wrapper for your cgi or load a custom policy to allow all scripts to

How did a httpd_sys_content_rw_t file get on /tmp?  Looks like it was moved there.
Need to either fix the label using chcon or remove it.

Comment 4 John D. Ramsdell 2008-07-03 11:09:05 EDT
Created attachment 310931
Script that creates /tmp file entry with type httpd_sys_content_rw_t
Comment 5 John D. Ramsdell 2008-07-03 11:09:33 EDT
Thanks Dan.  I'm ahead of you on the custom policy.  The last release of my
application included the custom policy attached to this bug report.

The httpd_sys_content_rw_t file was created in /tmp by the CGI script.  It's a
lock file used to make sure only one copy of the program is running at a time.  The
SELinux policy determined the label.  I've enclosed the shell script that wraps
a Python script that wraps the Haskell program.  The shell script enforces
the one-at-a-time rule.
Comment 6 Daniel Walsh 2008-07-03 11:36:10 EDT
My point was to create a haskell cgi script versus just adding a boolean to
httpd_sys_script_t.  Your method will allow all cgi scripts execmem, while if
you created httpd_haskell_script_t you would only allow it to scripts labeled

Current policy has rules to allow tmpreaper to delete these files

 sesearch --allow | grep tmpreaper | grep http
WARNING: This policy contained disabled aliases; they have been removed.
   allow tmpreaper_t httpd_sys_content_rw_t : file { getattr unlink }; 
   allow tmpreaper_t httpd_sys_content_rw_t : dir { ioctl write getattr lock remove_name search rmdir }; 
   allow tmpreaper_t httpd_sys_content_rw_t : lnk_file { getattr unlink }; 
   allow tmpreaper_t httpd_sys_content_rw_t : sock_file { getattr unlink }; 
   allow tmpreaper_t httpd_sys_content_rw_t : fifo_file { getattr unlink }; 
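The dedicated-domain approach Dan describes, as an added example (this is not the policy attached to this bug and not Fedora's own policy): a loadable module that derives httpd_haskell_script_t from the apache content template and grants execmem to that domain only, leaving httpd_sys_script_t untouched. The script path /var/www/cgi-bin/cgiapp and the module name are assumptions.

```selinux
# httpd_haskell.te  (added example, not the attachment from this bug report)
# Goal: execmem for one CGI domain instead of for every httpd_sys_script_t
# script, so the permission follows the label on the script, not a boolean.
policy_module(httpd_haskell, 1.0.0)

# The apache content template declares httpd_haskell_script_t together with
# its companion types (httpd_haskell_script_exec_t, httpd_haskell_content_t,
# the rw/ra content types and tmp file transitions) and wires up the
# httpd_t -> httpd_haskell_script_t domain transition on the exec type.
apache_content_template(haskell)

# Only the Haskell CGI domain may map writable and executable memory.
# Nothing here touches httpd_sys_script_t, so other CGI scripts keep the
# default (denied) behaviour.
allow httpd_haskell_script_t self:process execmem;

# httpd_haskell.fc  (separate file; the path is an assumption for this example)
# Label the wrapper/binary that Apache executes so the transition happens:
#   /var/www/cgi-bin/cgiapp  --  gen_context(system_u:object_r:httpd_haskell_script_exec_t,s0)

# Build, load and check (as root):
#   make -f /usr/share/selinux/devel/Makefile httpd_haskell.pp
#   semodule -i httpd_haskell.pp
#   restorecon -v /var/www/cgi-bin/cgiapp
#   sesearch --allow -s httpd_haskell_script_t -t httpd_haskell_script_t -c process -p execmem
#   sesearch --allow -s httpd_sys_script_t -t httpd_sys_script_t -c process -p execmem
# The first sesearch should list the rule above; the second should show no
# unconditional allow, which is the least-privilege property of this layout.
```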
Comment 7 John D. Ramsdell 2008-07-03 14:30:20 EDT
You're right.  Your version of the policy is superior to mine.  My desktop machine
is within my company's firewalls, so I normally run Fedora on my desktop in
permissive mode.  I now have cause to use enforcing mode for a project unrelated
to the one using the web server.  The goal of the policy I wrote was to quickly
enable work on the other project while preserving the desktop's ability to run
my CGI scripts.  I was not guided by the principle of least privilege.

I found a reward when running in permissive mode without my policy module
loaded.  Whenever my CGI script runs, setroubleshoot alerts me to this fact.  I
learned to appreciate and use the realtime reports sent to me using an easy to
use mechanism that required no setup.  Since I can usually guess who's using the
server, I know when to appear in that person's office, and be sure my program
will be a good topic for discussion. These timely discussions have led to
several improvements in the program.  I bet this is a way of using
setroubleshoot no one thought of beforehand!
