Created attachment 440021
PHP script used to demonstrate problem

Description of problem:
When selinux is in enforcing mode, PHP scripts run by apache cannot use gpg to encrypt data with a public key. However, when selinux is in permissive mode, these scripts run successfully.

The gpg.conf, keyrings, and working directory for gpg when used by these scripts is set to /var/www/.gnupg, which has the context public_content_rw_t.

The gpg selinux booleans are set as follows:
gpg_agent_env_file --> off
gpg_web_anon_write --> on
httpd_use_gpg --> on

The following entries appear in the audit.log when the script is run with selinux in permissive mode:

type=AVC msg=audit(1282322984.269:17104): avc: denied { search } for pid=20983 comm="gpg" name="www" dev=dm-3 ino=1867777 scontext=unconfined_u:system_r:gpg_web_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1282322984.269:17104): arch=c000003e syscall=21 success=no exit=-2 a0=17439e0 a1=4 a2=34312e302e322d a3=5 items=0 ppid=7621 pid=20983 auid=0 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=25 comm="gpg" exe="/usr/bin/gpg2" subj=unconfined_u:system_r:gpg_web_t:s0 key=(null)
type=AVC msg=audit(1282322984.395:17105): avc: denied { read } for pid=20992 comm="gpg" name="random" dev=devtmpfs ino=3977 scontext=unconfined_u:system_r:gpg_web_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1282322984.395:17105): arch=c000003e syscall=21 success=yes exit=128 a0=3276466548 a1=4 a2=0 a3=0 items=0 ppid=7621 pid=20992 auid=0 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=25 comm="gpg" exe="/usr/bin/gpg2" subj=unconfined_u:system_r:gpg_web_t:s0 key=(null)
type=AVC msg=audit(1282322984.395:17106): avc: denied { read } for pid=20992 comm="gpg" name="urandom" dev=devtmpfs ino=3978 scontext=unconfined_u:system_r:gpg_web_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1282322984.395:17106): arch=c000003e syscall=21 success=yes exit=128 a0=3276466554 a1=4 a2=0 a3=0 items=0 ppid=7621 pid=20992 auid=0 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=25 comm="gpg" exe="/usr/bin/gpg2" subj=unconfined_u:system_r:gpg_web_t:s0 key=(null)
type=AVC msg=audit(1282322984.396:17107): avc: denied { open } for pid=20992 comm="gpg" name="urandom" dev=devtmpfs ino=3978 scontext=unconfined_u:system_r:gpg_web_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1282322984.396:17107): arch=c000003e syscall=2 success=yes exit=128 a0=3276466554 a1=0 a2=8 a3=a1704184 items=0 ppid=7621 pid=20992 auid=0 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=25 comm="gpg" exe="/usr/bin/gpg2" subj=unconfined_u:system_r:gpg_web_t:s0 key=(null)

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-47.fc13.noarch
selinux-policy-targeted-3.7.19-47.fc13.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install Fedora 13 with httpd, php, gnupg, and selinux + any dependencies using the default configurations
2. Install the Pear Crypt/GPG Module + any dependencies
3. Run gpg --gen-key and use the following options:
   Type of key: (2) DSA and Elgamal
   Keysize: 2048
   How long the key should be valid: 0 = key does not expire
   Is this correct: y
   Real Name: Fedora Test User
   Email address: fedoratestuser
   Comment:
   Passphrase: Doesn't matter as long as it's 8 characters and meets any other requirements
4. Optional: remove the secret key for the key created in step 3 from the keyring. This is what we will be doing in production, but it is not necessary for demonstrating this bug
5. Copy the ~/.gnupg directory of the user who ran step 3 to /var/www/.gnupg
6. Change the ownership of the /var/www/.gnupg directory to owner root, group apache
7. Change the mode of the directory to 750 and the mode of all files in the directory to 640
8. Create a directory /var/www/.gnupg/scratch with owner root, group apache and mode 770 which will be used for temporary storage during the encryption process
9. Change the context of /var/www/.gnupg and all its files and subfolders to public_content_rw_t
10. Set the relevant selinux booleans as follows:
    gpg_web_anon_write --> on
    allow_httpd_anon_write --> on
    allow_httpd_mod_auth_ntlm_winbind --> off
    allow_httpd_mod_auth_pam --> off
    allow_httpd_sys_script_anon_write --> off
    httpd_builtin_scripting --> on
    httpd_can_network_connect --> off
    httpd_can_network_connect_cobbler --> off
    httpd_can_network_connect_db --> off
    httpd_can_network_relay --> off
    httpd_can_sendmail --> on
    httpd_dbus_avahi --> on
    httpd_enable_cgi --> on
    httpd_enable_ftp_server --> off
    httpd_enable_homedirs --> off
    httpd_execmem --> off
    httpd_read_user_content --> off
    httpd_setrlimit --> off
    httpd_ssi_exec --> off
    httpd_tmp_exec --> off
    httpd_tty_comm --> off
    httpd_unified --> off
    httpd_use_cifs --> off
    httpd_use_gpg --> on
    httpd_use_nfs --> off
11. Place the first attached file below on the file system where it can be run by apache
12. Use a web browser to open the url that points to where the file in step 12 is located

Actual results:
When selinux is in enforcing mode, the script aborts and the debugging output in the web page contains:

Crypt_GPG DEBUG: ERROR: gpg: keyblock resource `/var/www/.gnupg/secring.gpg': Permission denied
Crypt_GPG DEBUG: selecting streams
Crypt_GPG DEBUG: => got 1
Crypt_GPG DEBUG: GPG error stream ready for reading
Crypt_GPG DEBUG: => about to read 8192 bytes from GPG error
Crypt_GPG DEBUG: => read 72 bytes
Crypt_GPG DEBUG: ERROR: gpg: keyblock resource `/var/www/.gnupg/pubring.gpg': Permission denied
Crypt_GPG DEBUG: selecting streams
Crypt_GPG DEBUG: => got 1
Crypt_GPG DEBUG: GPG error stream ready for reading
Crypt_GPG DEBUG: => about to read 8192 bytes from GPG error
Crypt_GPG DEBUG: => read 67 bytes
Crypt_GPG DEBUG: ERROR: gpg: can't access `/var/www/.gnupg/trustdb.gpg': Permission denied
Crypt_GPG DEBUG: selecting streams
Crypt_GPG DEBUG: => got 1
Crypt_GPG DEBUG: GPG error stream ready for reading
Crypt_GPG DEBUG: => about to read 8192 bytes from GPG error
Crypt_GPG DEBUG: => read 47 bytes
Crypt_GPG DEBUG: ERROR: gpg: Fatal: can't init trustdb: Trust DB error

When selinux is in permissive mode, the script completes and displays both the Original Plain Text and Encrypted Data at the bottom of the page. However, there are entries in the /var/log/audit/audit.log file which indicate that selinux would have prevented gpg from being able to access the directory as well as the random and urandom character devices.

Expected results:
When selinux is in enforcing mode, the script completes and displays both the Original Plain Text and Encrypted Data at the bottom of the page. Also, there should be no failed or denied messages related to this operation in the /var/log/audit/audit.log file whether selinux is in enforcing mode or permissive mode.
Correction to step 12 of steps to reproduce. It should be: 12. Use a web browser to open the url that points to where the file created in step 11 is located
Miroslav please add

dev_read_rand(gpg_web_t)
dev_read_urand(gpg_web_t)

And add apache_search_sys_content($1) to apache_manage_sys_content
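The AVC records in the description and the maintainer's requested policy change above are two views of the same thing: each denied { perm } on a (scontext type, tcontext type, tclass) triple corresponds to one allow rule. The following is an added example (not code from the bug report or from selinux-policy) that parses the AVC records quoted in the description, collapses them into the raw allow rules a local policy module would need, and renders a minimal .te file. It is what a practitioner would do to build a stopgap module while waiting for the fixed selinux-policy package; the module name local_gpg_web is an assumption, and the SAMPLE_AVCS text is copied from the report with the interleaved SYSCALL records stripped.

```python
"""Turn SELinux AVC denial records into the allow rules a local policy
module needs (a small, audit2allow-like helper).

Added example for this bug report; not part of selinux-policy. The sample
records are copied from the report above; the module name is an assumption.
"""
import re
from collections import defaultdict

# AVC records as logged by auditd (copied from the report above).
SAMPLE_AVCS = """\
type=AVC msg=audit(1282322984.269:17104): avc: denied { search } for pid=20983 comm="gpg" name="www" dev=dm-3 ino=1867777 scontext=unconfined_u:system_r:gpg_web_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1282322984.395:17105): avc: denied { read } for pid=20992 comm="gpg" name="random" dev=devtmpfs ino=3977 scontext=unconfined_u:system_r:gpg_web_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file
type=AVC msg=audit(1282322984.395:17106): avc: denied { read } for pid=20992 comm="gpg" name="urandom" dev=devtmpfs ino=3978 scontext=unconfined_u:system_r:gpg_web_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1282322984.396:17107): avc: denied { open } for pid=20992 comm="gpg" name="urandom" dev=devtmpfs ino=3978 scontext=unconfined_u:system_r:gpg_web_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
"""

# One AVC record: the permission set in braces, then the two contexts and the
# object class. finditer is used (rather than one match per line) so that
# records run together on a single line, as they are in the report, still parse.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """user:role:type:level -> type, the field policy rules are written against."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, perm) for every denial in text."""
    for m in AVC_RE.finditer(text):
        for perm in m.group("perms").split():
            yield (context_type(m.group("scontext")),
                   context_type(m.group("tcontext")),
                   m.group("tclass"), perm)


def fmt_perms(perms):
    """Policy syntax: a bare name for one permission, braces for several."""
    ps = sorted(perms)
    return ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"


def allow_rules(text):
    """Collapse denials into one allow rule per (source, target, class)."""
    grouped = defaultdict(set)
    for src, tgt, tclass, perm in parse_avcs(text):
        grouped[(src, tgt, tclass)].add(perm)
    return [f"allow {src} {tgt}:{tclass} {fmt_perms(perms)};"
            for (src, tgt, tclass), perms in sorted(grouped.items())]


def policy_module(text, name="local_gpg_web"):
    """Render a minimal .te source (module name is an assumption) for the
    denials in text: a require block for every type and class/perm used,
    followed by the allow rules."""
    types, class_perms = set(), defaultdict(set)
    for src, tgt, tclass, perm in parse_avcs(text):
        types.update((src, tgt))
        class_perms[tclass].add(perm)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(class_perms.items())]
    lines += ["}", ""] + allow_rules(text)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(policy_module(SAMPLE_AVCS))
```

For the four records above this yields exactly three rules: gpg_web_t search on httpd_sys_content_t:dir, read on random_device_t:chr_file, and { open read } on urandom_device_t:chr_file. The output can be compiled and loaded with the usual checkmodule -M -m, semodule_package and semodule -i steps. Two caveats worth keeping in mind: first, collect the denials in permissive mode, as the reporter did, because in enforcing mode gpg dies at the first denial (the directory search) and the /dev/random and /dev/urandom denials never get logged, which is the same stepwise discovery visible later in this report when the search rule was initially missed; second, these raw rules are a local stopgap only, and the maintainer's fix correctly uses the policy interfaces (dev_read_rand, dev_read_urand, apache_search_sys_content) instead of hand-written allow rules.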
Fixed in selinux-policy-3.7.19-50.fc13
I downloaded and installed selinux-policy-3.7.19-50.fc13.noarch.rpm and selinux-policy-targeted-3.7.19-50.fc13.noarch.rpm from http://koji.fedoraproject.org/koji/buildinfo?buildID=191834

There still seems to be a problem:

type=AVC msg=audit(1282696562.272:16644): avc: denied { search } for pid=11150 comm="gpg" name="www" dev=dm-3 ino=1867777 scontext=system_u:system_r:gpg_web_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
You are right. Thanks for testing. Fixed in selinux-policy-3.7.19-51.fc13. Packages will be available from koji today.
selinux-policy-3.7.19-51.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-51.fc13
I can confirm that the problem is fixed in selinux-policy-3.7.19-51.fc13. Thanks!
selinux-policy-3.7.19-51.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-51.fc13
Could you update the karma. Thanks. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-51.fc13
(In reply to comment #9)
> Could you update the karma. Thanks.
>
> http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-51.fc13

Sure, I just did. BTW, I had tried to do this yesterday, but was getting the following error:

500 Internal error
The server encountered an unexpected condition which prevented it from fulfilling the request.
Powered by CherryPy 2.3.0

I think this is because I was leaving out the email address since I wasn't sure if it would be shown in public or not. Also, the captcha on the form is very difficult for humans to read.
selinux-policy-3.7.19-51.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
After upgrading to Fedora 14, this issue is occurring again. The reason appears to be that Fedora 14 is still using the older selinux-policy packages:

selinux-policy-3.9.7-7.fc14.noarch
selinux-policy-targeted-3.9.7-7.fc14.noarch
What AVC are you seeing?
The file contexts and SE booleans are the same as before. When selinux is set to permissive, these are the entries in the audit.log:

type=AVC msg=audit(1289481527.591:17960): avc: denied { search } for pid=27981 comm="gpg" name="www" dev=dm-3 ino=1867777 scontext=system_u:system_r:gpg_web_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1289481527.591:17960): arch=c000003e syscall=21 success=no exit=-2 a0=7f18f46402e0 a1=4 a2=7fffdbee9e90 a3=5 items=0 ppid=1630 pid=27981 auid=4294967295 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="gpg" exe="/usr/bin/gpg" subj=system_u:system_r:gpg_web_t:s0 key=(null)
Fixed in selinux-policy-3.9.7-19.fc14
Tested and confirmed fixed in selinux-policy-3.9.7-19.fc14. Thanks