Description: libffi goes to some effort to avoid triggering execmem denials if SELinux is enabled; creating a file in one of many locations (/dev/shm, /tmp, etc) which it can execute. This is apparently the recommended route. The httpd policy does not allow any of those methods to proceed. strace: open("/tmp/ffiUce9Wm", O_RDWR|O_CREAT|O_EXCL, 0600) = 24 unlink("/tmp/ffiUce9Wm") = 0 ftruncate(24, 4096) = 0 mmap(NULL, 4096, PROT_READ|PROT_EXEC, MAP_SHARED, 24, 0) = -1 EACCES (Permission denied) close(24) = 0 audit message: node=... type=AVC msg=audit(1252657526.240:43287): avc: denied { execute } for pid=2896 comm="httpd" path=2F7661722F746D702F66666952747A4E784F202864656C6574656429 dev=md0 ino=21174 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_tmp_t:s0 tclass=file libffi is used via the Python ctypes module; using an embedded Python interpreter with httpd is hardly uncommon and this should work by default; at very least we need a boolean for this. The sealert message indicates that enabling the "httpd_unified" boolean will help, but that doesn't make any difference.
Added httpd_tmp_exec to Rawhide. I think we want this disabled by default. Since allowing a php script to be able to write and execute content in /tmp would allow allow them an easier way to take over an apache server, I would think. I think we should prevent apache from writing and executing the same content. Although this might be a thin wall, since I could write content and then run an interpreter to execute the content. Setroubleshoot will say Summary: SELinux is preventing the /usr/sbin/httpd from using potentially mislabeled files (php_uploads). Detailed Description: SELinux has denied httpd access to potentially mislabeled file(s) (php_uploads). This means that SELinux will not allow httpd to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. Allowing Access: If you want httpd to access this files, you need to relabel them using restorecon -v 'php_uploads'. You might want to relabel the entire directory using restorecon -R -v 'php_uploads'. Additional Information: Source Context unconfined_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:user_tmp_t:s0 Target Objects php_uploads [ dir ] Source httpd Source Path /usr/sbin/httpd Port <Unknown> Host <Unknown> Source RPM Packages httpd-2.2.13-2.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.31-3.fc12 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name home_tmp_bad_labels Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.31-2.fc12.x86_64 #1 SMP Thu Sep 10 00:25:40 EDT 2009 x86_64 x86_64 Alert Count 2 First Seen Wed Sep 9 21:14:17 2009 Last Seen Wed Sep 9 21:02:46 2009 Local ID f5e701a4-59d4-4dbd-8efc-05c0e4828bda Line Numbers 206, 207, 208, 209 Raw Audit Messages type=AVC msg=audit(1252544566.389:90): avc: denied { write } for pid=11821 comm="httpd" name="php_uploads" dev=dm-1 ino=286797 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir type=SYSCALL msg=audit(1252544566.389:90): arch=c000003e syscall=2 success=no exit=-13 a0=7fa0af9d3f78 a1=c2 a2=180 a3=0 items=0 ppid=11812 pid=11821 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
Miroslav can we back port this fix?
Ok, I will do it.
Fixed in selinux-policy-3.6.12-93.fc11.noarch
selinux-policy-3.6.12-93.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/selinux-policy-3.6.12-93.fc11
selinux-policy-3.6.12-93.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2010-0446
selinux-policy-3.6.12-93.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.