Bug 566557 - cgi scripts on nfs will not run
Summary: cgi scripts on nfs will not run
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.4
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 580568
TreeView+ depends on / blocked
 
Reported: 2010-02-18 19:42 UTC by Jason M. Nielsen
Modified: 2012-10-15 14:52 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 580568 (view as bug list)
Environment:
Last Closed: 2010-03-30 07:51:08 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2010:0182 0 normal SHIPPED_LIVE selinux-policy bug fix update 2010-03-29 12:19:53 UTC

Description Jason M. Nielsen 2010-02-18 19:42:05 UTC 
Not sure if this is a "bug" but it might be more of a feature request or existing feature enhancement...

Description of problem:I have user home dirs and public_html dirs on a nfs mount. All of this works fine with the appropriate booleans toggled. Each of the users also needs a cgi-bin directory which also resides on the same nfs mount. When this is attempted an AVC denial occurs.  Seems like httpd_use_nfs would include this or perhaps another boolean.

Version-Release number of selected component (if applicable):
libselinux-1.33.4-5.5.el5
libselinux-utils-1.33.4-5.5.el5
selinux-policy-targeted-2.4.6-255.el5
libselinux-1.33.4-5.5.el5
libselinux-python-1.33.4-5.5.el5
selinux-policy-2.4.6-255.el5
selinux-policy-devel-2.4.6-255.el5


How reproducible:
Create a simple perl script. Setup nfs mounted user public_html dirs and setup cgi-bin apache functionality there. Hit the cgi via a web browser.

  
Actual results:
type=AVC msg=audit(1266510273.811:104938): avc:  denied  { entrypoint } for  pid=4046 comm="httpd" path="/var/www/public_html/jnielsen/cgi-bin/test0.pl" dev=0:16 ino=142233 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file


Expected results:
CGI executes.

Additional info: I spoke to dgrift on freenoe #selinux and they seemed to think it was odd what the script was running as and this might be a bug or perhaps I misunderstood.
Comment 1 Daniel Walsh 2010-02-18 21:17:20 UTC 
Miroslav,

You need

fs_nfs_entry_type(httpd_sys_script_t)
fs_cifs_entry_type(httpd_sys_script_t)
in apache.te

Both for F12 and RHEL5.5

########################################
## <summary>
##	Make general progams in nfs an entrypoint for
##	the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	The domain for which nfs_t is an entrypoint.
##	</summary>
## </param>
#
interface(`fs_nfs_entry_type',`
	gen_require(`
		type nfs_t;
	')

	domain_entry_file($1, nfs_t)
')

########################################
## <summary>
##	Make general progams in cifs an entrypoint for
##	the specified domain.
## </summary>
## <param name="domain">
##	<summary>
##	The domain for which cifs_t is an entrypoint.
##	</summary>
## </param>
#
interface(`fs_cifs_entry_type',`
	gen_require(`
		type cifs_t;
	')

	domain_entry_file($1, cifs_t)
')
 in filesystem.if
Comment 2 Miroslav Grepl 2010-02-22 10:54:44 UTC 
Fixed in selinux-policy-2.4.6-275.el5
Comment 7 errata-xmlrpc 2010-03-30 07:51:08 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html
Note You need to log in before you can comment on or make changes to this bug.