Bug 483524 - RFE: denial when httpd_enable_cgi Boolean is on, but script is labeled incorrectly
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-02-02 02:24 EST by Murray McAllister
Modified: 2015-01-04 17:35 EST
Doc Type: Bug Fix
Last Closed: 2009-04-13 10:55:27 EDT

Attachments:
SELinux denial when script is labeled httpd_sys_script_exec_t, but httpd_enable_cgi Boolean is off (2.54 KB, text/plain), 2009-02-02 02:28 EST, Murray McAllister

Description Murray McAllister 2009-02-02 02:24:54 EST
Description of problem:

When httpd.conf is configured to serve/execute CGI scripts and the httpd_enable_cgi Boolean is on, but the CGI script in question is not labeled correctly, no SELinux denials occur, potentially making it hard to troubleshoot issues.

Version-Release number of selected component (if applicable):

selinux-policy-3.5.13-40.fc10.noarch
selinux-policy-targeted-3.5.13-40.fc10.noarch
httpd-2.2.10-2.i386

How reproducible:

Always.

Steps to Reproduce:

1. Edit /etc/httpd/conf/httpd.conf to allow CGI scripts:
 * uncomment the "AddHandler cgi-script .cgi" option.
 * add "ExecCGI" to the "Options" section of the "<Directory "/var/www/html">" directive.
2. Download the <http://www.stanford.edu/services/web/cgi/examples/printenv.pl> script. Copy the script to /var/www/html/ and add .cgi to the file name: mv printenv.pl printenv.pl.cgi.
3. Change the mode of printenv.pl.cgi: chmod a+x printenv.pl.cgi
4. setsebool httpd_enable_cgi on
5. confirm the type is wrong (httpd_sys_content_t):
$ ls -lZ /var/www/html/printenv.pl.cgi 
-rwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/printenv.pl.cgi
6. service httpd start
7. use Firefox to navigate to http://localhost/printenv.pl.cgi
  
Actual results:

Firefox displays the following error:

"Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, root@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log."

No SELinux denial. The following error is logged to /var/log/httpd/error_log

(13)Permission denied: exec of '/var/www/html/printenv.pl.cgi' failed

Expected results:

Told to:

chcon -t httpd_sys_script_exec_t /path/to/script

Additional info:

Denial occurs when script is labeled with the httpd_sys_script_exec_t type, and the httpd_enable_cgi Boolean is off.
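The report above shows that httpd only sees an EPERM-style failure and cannot tell a wrong file type from a disabled Boolean, so the administrator has to check both conditions by hand. The following POSIX shell script is an added example, not part of the bug report or of selinux-policy: it parses the type field out of an `ls -lZ` line (the format shown in step 5 of the reproduction) and classifies the two states the reporter describes. The function and variable names are the example's own; the real-system calls to `ls -Z` and `getsebool` appear only in the commented usage line, and the demonstration at the bottom uses constructed values copied from the report.

```sh
#!/bin/sh
# Added example (not from the bug report): separate "wrong label" from
# "Boolean off" for an httpd CGI script, since httpd itself logs only
# "(13)Permission denied: exec of ... failed" in both cases.

# type_from_ls_line LINE
#   Extract the SELinux type (third colon-separated field of the
#   context) from one line of `ls -lZ` output. Works for both the older
#   layout "-rwxr-xr-x root root user:role:type:level path" and newer
#   layouts with extra columns, because it searches for the context field.
type_from_ls_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /:object_r:/) { split($i, a, ":"); print a[3]; exit }
    }'
}

# diagnose_cgi TYPE BOOLSTATE
#   TYPE      : SELinux type of the script file (e.g. httpd_sys_content_t)
#   BOOLSTATE : "on" or "off", as printed by getsebool
#   Prints "<verdict>: <advice>" where verdict is one of
#     ok       - policy allows httpd to run this script
#     label    - file type is wrong (the silent case this bug is about)
#     boolean  - httpd_enable_cgi is off (the case that does raise an AVC)
diagnose_cgi() {
    type="$1"
    state="$2"
    if [ "$type" != "httpd_sys_script_exec_t" ]; then
        echo "label: type is $type, expected httpd_sys_script_exec_t;" \
             "run: chcon -t httpd_sys_script_exec_t <script>"
    elif [ "$state" != "on" ]; then
        echo "boolean: httpd_enable_cgi is off;" \
             "run: setsebool -P httpd_enable_cgi on"
    else
        echo "ok: type $type and httpd_enable_cgi=on"
    fi
}

# Usage on a real SELinux host (not executed here; needs ls -Z and getsebool):
#   diagnose_cgi "$(type_from_ls_line "$(ls -lZ /var/www/html/printenv.pl.cgi)")" \
#                "$(getsebool httpd_enable_cgi | awk '{ print $NF }')"

# Constructed demonstration input: the ls -lZ line from step 5 of the report.
sample_line='-rwxr-xr-x  root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/printenv.pl.cgi'
sample_type=$(type_from_ls_line "$sample_line")

# The two states the reporter contrasts:
diagnose_cgi "$sample_type" on                 # reported case: no AVC, only httpd's EPERM
diagnose_cgi httpd_sys_script_exec_t off       # Boolean off: an AVC denial is logged
```

The script checks the file type before the Boolean because that is the condition SELinux never reports here; when both checks pass and httpd still logs a permission error, the remaining suspects are DAC (mode/ownership) rather than MAC.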
Comment 1 Murray McAllister 2009-02-02 02:28:56 EST
Created attachment 330589
SELinux denial when script is labeled httpd_sys_script_exec_t, but httpd_enable_cgi Boolean is off
Comment 2 Daniel Walsh 2009-02-02 10:15:15 EST
All apache gets is eperm, which tells it to put that message in the log file.

It does not know if this is a DAC Problem or a MAC problem.

Setroubleshoot is supposed to step in and try to help the user.
