Bug 519369 - merge policy needed for fastcgi with standard httpd policy
Summary: merge policy needed for fastcgi with standard httpd policy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.5
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-08-26 11:26 UTC by Noa Resare
Modified: 2012-10-15 14:21 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-30 07:50:26 UTC
Target Upstream Version:
Embargoed:

Links:
Red Hat Product Errata RHBA-2010:0182 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix update, last updated 2010-03-29 12:19:53 UTC

Description Noa Resare 2009-08-26 11:26:25 UTC
Description of problem:
For fastcgi with mod_fcgid (available in EPEL) to work with the httpd_sys_script_t type in the default targeted policy some additional allow statements are needed.

This was previously handled by a mod_fcgid-selinux subpackage, but recently that subpackage was dropped and obsoleted.

Of course, it would be possible to go back to a pluggable selinux module that
provided the needed allow-statements with some rpm magic, but a cleaner solution would be if this could be solved by updating the system wide policy to include the needed permissions, since it is my understanding that they are available in the "upstream" targeted policy.

More specifically the statements

allow httpd_t httpd_var_run_t:dir setattr;
allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };

are needed to be able to start mod_fcgid scripts.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-203.el5

How reproducible:
always

Steps to Reproduce:
1. Try to start a mod_fcgid script

Actual results:
Internal server error, socket related SELinux permission errors in syslog

Expected results:
No permissions errors, functioning script (as can be observed with setenforce 0)

Additional info:

I am not a RHEL customer, and this bug report is not a demand for unpaid support but an attempt at politely improving your offering and contributing feedback.

Comment 1 Paul Howarth 2009-08-27 12:23:33 UTC
The Fedora policy includes aliased types for httpd_fastcgi_* and the necessary additional rules to run mod_fcgid applications in the httpd_sys_script_t domain, which was discussed in Bug #462318 and an email exchange between me and Dan with subject "Easier to do via email." in Sept-Dec 2008. I thought everything had been merged in the EL 5.3 policy but it seems that isn't the case.

Comment 2 Daniel Walsh 2009-08-27 12:56:47 UTC
Fixed in selinux-policy-2.4.6-256.el5

Comment 3 Paul Howarth 2009-08-27 14:17:37 UTC
For the uninitiated, the latest EL-5 policy can usually be found here:

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Comment 4 Noa Resare 2009-08-28 07:41:05 UTC
Daniel, thank you for the quick response. I downloaded and installed selinux-policy-2.4.6-256.el5 with friends from the url Paul provided.

Unfortunately, I get a new set of avc: denied lines in my syslog when running my webapp using that policy:

Aug 28 05:05:55 gunnar kernel: type=1400 audit(1251428755.804:90): avc:  denied  { accept } for  pid=10517 comm="dispatch.fcgi" path="/var/run/mod_fcgid/9818.2" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=unix_stream_socket
Aug 28 05:05:55 gunnar kernel: type=1400 audit(1251428755.818:91): avc:  denied  { shutdown } for  pid=10517 comm="dispatch.fcgi" path="/var/run/mod_fcgid/9818.2" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=unix_stream_socket

If you upload the .src.rpm to -256 I can probably provide a tested patch.
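
As an added example (not code from this bug or from the selinux-policy packages), a small Python script that parses AVC denial lines like the two quoted in this comment and merges them, per source type, target type and object class, into the minimal allow statements they call for, much as audit2allow does. The sample log is constructed: the two real lines above, one made-up setattr denial matching the first allow rule in the description, and one "granted" record to show that non-denials are skipped.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials quoted in comment 4, plus a made-up
# setattr denial and a made-up "granted" record (neither is from the bug).
SAMPLE_SYSLOG = """\
Aug 28 05:05:55 gunnar kernel: type=1400 audit(1251428755.804:90): avc:  denied  { accept } for  pid=10517 comm="dispatch.fcgi" path="/var/run/mod_fcgid/9818.2" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=unix_stream_socket
Aug 28 05:05:55 gunnar kernel: type=1400 audit(1251428755.818:91): avc:  denied  { shutdown } for  pid=10517 comm="dispatch.fcgi" path="/var/run/mod_fcgid/9818.2" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=unix_stream_socket
Aug 28 05:05:56 gunnar kernel: type=1400 audit(1251428756.001:92): avc:  denied  { setattr } for  pid=10490 comm="httpd" name="mod_fcgid" dev=sda1 ino=1234 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dir
Aug 28 05:05:57 gunnar kernel: type=1400 audit(1251428757.100:93): avc:  granted  { read } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# One AVC record: verdict, permission set, and the three fields an allow rule needs.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    # The type is the third field of a context (user:role:type[:range]).
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def needed_allow_rules(text):
    """Merge denials by (source type, target type, class) into allow rules."""
    merged = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {p};")
    return rules
```

Feeding the real syslog text to needed_allow_rules() shows at a glance which rules a policy update still lacks; for the sample it yields the unix_stream_socket rule with `{ accept shutdown }` and the `httpd_var_run_t:dir setattr` rule from the description.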

Comment 5 Daniel Walsh 2009-08-28 13:21:22 UTC
I think I have the fix, but I will post the src.rpm on the next build

Fixed in selinux-policy-2.4.6-257.el5

Comment 6 Noa Resare 2009-08-31 12:57:01 UTC
Looking around at the referenced url above, I can not find any -257 version. If you make it available there I can take it for a test drive.

Comment 7 Paul Howarth 2009-09-08 15:41:46 UTC
257 policy is there now.

Comment 9 Noa Resare 2009-09-25 08:56:38 UTC
I can confirm that .257 indeed fixes this problem. Thanks Daniel!

Comment 11 Paul Howarth 2010-02-19 12:05:28 UTC
To run trac with mod_fcgid, I needed:

logging_send_syslog_msg(httpd_sys_script_t)

I also think it would be useful to extend the scope of the httpd_can_sendmail boolean to allow httpd_sys_script_t scripts to send mail too. This is needed for trac and moin and probably lots of other stuff too.

With those rules in place I could run trac and moin under mod_fcgid with httpd_can_sendmail set and not need any additional policy rules.

Comment 12 Daniel Walsh 2010-02-19 12:26:53 UTC
	mta_send_mail(httpd_sys_script_t)

Is in Fedora 12 so I think we should add it along with logging_send_syslog_msg(httpd_sys_script_t)

Comment 13 Paul Howarth 2010-02-19 13:30:00 UTC
I think that these are also needed:

corenet_tcp_connect_smtp_port(httpd_sys_script_t)
corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t)

This is so that CGI apps can use their own mail-sending modules rather than calling sendmail to do the mailing - the mta_send_mail interface doesn't seem to cover that.

Comment 14 Daniel Walsh 2010-02-19 13:36:31 UTC
Makes sense.

tunable_policy(`httpd_can_sendmail',`
	# allow httpd to connect to mail servers
	corenet_tcp_connect_smtp_port(httpd_t)
	corenet_sendrecv_smtp_client_packets(httpd_t)
	corenet_tcp_connect_pop_port(httpd_t)
	corenet_sendrecv_pop_client_packets(httpd_t)
	mta_send_mail(httpd_t)
	mta_signal(httpd_t)
	
	corenet_tcp_connect_smtp_port(httpd_sys_script_t)
	corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
	corenet_tcp_connect_pop_port(httpd_sys_script_t)
	corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
	mta_send_mail(httpd_sys_script_t)
	mta_signal(httpd_sys_script_t)
')

How does this look?

Comment 15 Paul Howarth 2010-02-19 13:47:39 UTC
Looks OK but does EL-5 have corenet_sendrecv_*_client_packets?

Comment 16 Miroslav Grepl 2010-02-19 14:01:03 UTC
Yes. Ok I am going to add these changes to policy.

Comment 17 Miroslav Grepl 2010-02-19 17:16:54 UTC
Added to selinux-policy-2.4.6-275.el5

Comment 19 errata-xmlrpc 2010-03-30 07:50:26 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html