Description of problem:
For fastcgi with mod_fcgid (available in EPEL) to work with the httpd_sys_script_t type in the default targeted policy some additional allow statements are needed. This was previously handled by a mod_fcgid-selinux subpackage, but recently that subpackage was dropped and obsoleted. Of course, it would be possible to go back to a pluggable selinux module that provided the needed allow-statements with some rpm magic, but a cleaner solution would be if this could be solved by updating the system wide policy to include the needed permissions, since it is my understanding that they are available in the "upstream" targeted policy. More specifically the statements

    allow httpd_t httpd_var_run_t:dir setattr;
    allow httpd_sys_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };

are needed to be able to start mod_fcgid scripts.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-203.el5

How reproducible:
always

Steps to Reproduce:
1. Try to start a mod_fcgid script

Actual results:
Internal server error, socket related SELinux permission errors in syslog

Expected results:
No permissions errors, functioning script (as can be observed with setenforce 0)

Additional info:
I am not a RHEL customer, and this bug report is not a demand for unpaid support but an attempt at politely improving your offering and contributing feedback.
The Fedora policy includes aliased types for httpd_fastcgi_* and the necessary additional rules to run mod_fcgid applications in the httpd_sys_script_t domain, which was discussed in Bug #462318 and an email exchange between me and Dan with subject "Easier to do via email." in Sept-Dec 2008. I thought everything had been merged in the EL 5.3 policy but it seems that isn't the case.
Fixed in selinux-policy-2.4.6-256.el5
For the uninitiated, the latest EL-5 policy can usually be found here: http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Daniel, thank you for the quick response. I downloaded and installed selinux-policy-2.4.6-256.el5 with friends from the url Paul provided. Unfortunately, I get a new set of avc: denied lines in my syslog when running my webapp using that policy:

Aug 28 05:05:55 gunnar kernel: type=1400 audit(1251428755.804:90): avc: denied { accept } for pid=10517 comm="dispatch.fcgi" path="/var/run/mod_fcgid/9818.2" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=unix_stream_socket
Aug 28 05:05:55 gunnar kernel: type=1400 audit(1251428755.818:91): avc: denied { shutdown } for pid=10517 comm="dispatch.fcgi" path="/var/run/mod_fcgid/9818.2" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=unix_stream_socket

If you upload the .src.rpm to -256 I can probably provide a tested patch.
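The AVC records above map directly onto the allow statements requested in the original report: each denial names a source type, a target type, an object class and the permission that was refused. As an added example (not code from this bug report or from the selinux-policy package), here is a small audit2allow-style script that parses such lines from syslog or audit.log, merges the permissions per source/target/class, and emits the allow rules plus a require block in the "module ... 1.0;" form that checkmodule -M accepts. The first two sample lines are the ones quoted in the comment above; the third is constructed to stand in for the httpd_var_run_t setattr denial the report describes and is not a log line from the thread.

```python
"""Turn SELinux AVC denial lines into allow rules and a local policy module.

Added example, not from the bug report: an audit2allow-style aggregator for
the kind of "avc: denied" lines posted in the thread.
"""
import re
from collections import defaultdict

# One AVC record, as logged by the kernel to syslog (type=1400) or by
# auditd (type=AVC). Only the fields needed for an allow rule are captured.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)

# Sample input: the two lines quoted in the comment above, plus one
# CONSTRUCTED auditd-style line standing in for the httpd_var_run_t setattr
# denial the original report describes (not a real log line from the report).
SAMPLE_AVC_LINES = [
    'Aug 28 05:05:55 gunnar kernel: type=1400 audit(1251428755.804:90): avc: denied { accept } for pid=10517 comm="dispatch.fcgi" path="/var/run/mod_fcgid/9818.2" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=unix_stream_socket',
    'Aug 28 05:05:55 gunnar kernel: type=1400 audit(1251428755.818:91): avc: denied { shutdown } for pid=10517 comm="dispatch.fcgi" path="/var/run/mod_fcgid/9818.2" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=unix_stream_socket',
    # constructed record
    'type=AVC msg=audit(1251428700.000:42): avc:  denied  { setattr } for  pid=10500 comm="httpd" name="mod_fcgid" dev=tmpfs ino=1 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dir',
]


def context_type(ctx):
    """Extract the type from a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Return (source type, target type, class, set of perms), or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            set(m.group("perms").split()))


def collect_denials(lines):
    """Merge all denials into {(src, tgt, cls): perms}; unrelated lines are skipped."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        src, tgt, cls, perms = parsed
        merged[(src, tgt, cls)] |= perms
    return dict(merged)


def format_perms(perms):
    """Single permission bare, several in braces, as policy sources are written."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(lines):
    """One allow statement per (source, target, class), like audit2allow output."""
    rules = []
    for (src, tgt, cls), perms in sorted(collect_denials(lines).items()):
        target = "self" if src == tgt else tgt   # policy idiom for same-type access
        rules.append(f"allow {src} {target}:{cls} {format_perms(perms)};")
    return rules


def render_module(lines, name="local_fcgid"):
    """Full module source: header, require block and allow rules (checkmodule -M form)."""
    denials = collect_denials(lines)
    types = sorted({s for s, _, _ in denials} | {t for _, t, _ in denials})
    per_class = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        per_class[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(per_class.items())]
    out += ["}", ""]
    out += allow_rules(lines)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module(SAMPLE_AVC_LINES), end="")
```

The printed module can be built and loaded on an EL-5 system with checkmodule -M -m -o local_fcgid.mod local_fcgid.te, semodule_package -o local_fcgid.pp -m local_fcgid.mod and semodule -i local_fcgid.pp. Read the generated rules before loading them: as the rest of this thread shows, the right fix for a denial is often an existing interface or boolean (mta_send_mail, httpd_can_sendmail) rather than a raw allow copied from the log.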
I think I have the fix, but I will post the src.rpm on the next build

Fixed in selinux-policy-2.4.6-257.el5
Looking around at the referenced url above, I cannot find any -257 version. If you make it available there I can take it for a test drive.
257 policy is there now.
I can confirm that .257 indeed fixes this problem. Thanks Daniel!
To run trac with mod_fcgid, I needed:

    logging_send_syslog_msg(httpd_sys_script_t)

I also think it would be useful to extend the scope of the httpd_can_sendmail boolean to allow httpd_sys_script_t scripts to send mail too. This is needed for trac and moin and probably lots of other stuff too. With those rules in place I could run trac and moin under mod_fcgid with httpd_can_sendmail set and not need any additional policy rules.
    mta_send_mail(httpd_sys_script_t)

is in Fedora 12 so I think we should add it along with

    logging_send_syslog_msg(httpd_sys_script_t)
I think that these are also needed:

    corenet_tcp_connect_smtp_port(httpd_sys_script_t)
    corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t)

This is so that CGI apps can use their own mail-sending modules rather than calling sendmail to do the mailing; the mta_send_mail interface doesn't seem to cover that.
Makes sense.

    tunable_policy(`httpd_can_sendmail',`
        # allow httpd to connect to mail servers
        corenet_tcp_connect_smtp_port(httpd_t)
        corenet_sendrecv_smtp_client_packets(httpd_t)
        corenet_tcp_connect_pop_port(httpd_t)
        corenet_sendrecv_pop_client_packets(httpd_t)
        mta_send_mail(httpd_t)
        mta_signal(httpd_t)

        corenet_tcp_connect_smtp_port(httpd_sys_script_t)
        corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
        corenet_tcp_connect_pop_port(httpd_sys_script_t)
        corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
        mta_send_mail(httpd_sys_script_t)
        mta_signal(httpd_sys_script_t)
    ')

How does this look?
Looks OK but does EL-5 have corenet_sendrecv_*_client_packets?
Yes. Ok I am going to add these changes to policy.
Added to selinux-policy-2.4.6-275.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2010-0182.html