Bug 870428 - unable to run sudo commands from within httpd
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.3
Hardware: x86_64 Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2012-10-26 09:03 EDT by Tomasz Chilinski
Modified: 2012-12-14 05:46 EST
Doc Type: Bug Fix
Last Closed: 2012-12-14 05:46:21 EST
Type: Bug

Attachments: None
Description Tomasz Chilinski 2012-10-26 09:03:17 EDT
Description of problem:
Commands cannot be run via sudo when they are started from httpd.
SELinux is in enforcing mode.
SELinux booleans:
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> on
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_setrlimit --> on
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off

Version-Release number of selected component (if applicable):
httpd-2.2.15-15.el6
sudo-1.7.4p5-13.el6_3

How reproducible:
I use the following simple shell script which I called /opt/own/reload:
#!/bin/bash
echo 'test'

Important line from my /etc/sudoers:
#Defaults    requiretty

/etc/sudoers.d/reload file:
apache  ALL = (ALL) ROLE=unconfined_r TYPE=unconfined_t NOPASSWD: /opt/own/reload

I then have the following contents in an example PHP script:
<?php
exec('sudo /opt/own/reload');
?>

Steps to Reproduce:
1. Use the above settings and files with SELinux set to enforcing and you get:
/var/log/audit/audit.log:
type=USER_CMD msg=audit(1351255450.958:57497): user pid=7177 uid=0 auid=0 ses=162 subj=unconfined_u:system_r:httpd_t:s0 msg='cwd="/var/www/html/lms_admin" cmd=2F6F70742F6F776E2F72656C6F616420417A6574 terminal=? res=success'
/var/log/secure:
Oct 26 14:44:10 multinet-1-106 sudo:   apache : TTY=unknown ; PWD=/var/www/html/lms_admin ; USER=root ; COMMAND=/opt/own/reload
2. And with SELinux set to permissive you get:
/var/log/audit/audit.log:
type=USER_CMD msg=audit(1351255894.830:57515): user pid=7300 uid=0 auid=0 ses=162 subj=unconfined_u:system_r:httpd_t:s0 msg='cwd="/var/www/html/lms_admin" cmd=2F6F70742F6F776E2F72656C6F616420417A6574 terminal=? res=success'
type=USER_ROLE_CHANGE msg=audit(1351255894.831:57516): user pid=7301 uid=0 auid=0 ses=162 subj=unconfined_u:system_r:httpd_t:s0 msg='newrole: old-context=unconfined_u:system_r:httpd_t:s0 new-context=unconfined_u:unconfined_r:unconfined_t:s0 exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=CRED_ACQ msg=audit(1351255894.832:57517): user pid=7301 uid=0 auid=0 ses=162 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1351255894.832:57518): user pid=7301 uid=0 auid=0 ses=162 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
/var/log/secure:
Oct 26 14:44:10 multinet-1-106 sudo:   apache : TTY=unknown ; PWD=/var/www/html/lms_admin ; USER=root ; COMMAND=/opt/own/reload
  
Actual results:
The /opt/own/reload script is not run while SELinux is set to enforcing, and
you don't get any messages in either /var/log/audit/audit.log or /var/log/secure.
With SELinux set to permissive you get more messages, but none of them are denials.

Expected results:
I should get error messages in enforcing mode and warnings in permissive mode, or the script has to run flawlessly.

Additional info:
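An added example, not from the report or from Red Hat: a Python parser for the audit.log records quoted above. It decodes the hex-encoded cmd= field (auditd hex-encodes values that contain spaces or quotes), splits the SELinux subject context, and lists the httpd_t to unconfined_t type change that the ROLE=/TYPE= sudoers entry asks sudo to make, which is the transition the log shows in permissive mode but not in enforcing mode.

```python
import re

# Constructed sample input: the USER_CMD and USER_ROLE_CHANGE records quoted in the report.
SAMPLE_LINES = [
    "type=USER_CMD msg=audit(1351255894.830:57515): user pid=7300 uid=0 auid=0 ses=162 "
    "subj=unconfined_u:system_r:httpd_t:s0 msg='cwd=\"/var/www/html/lms_admin\" "
    "cmd=2F6F70742F6F776E2F72656C6F616420417A6574 terminal=? res=success'",
    "type=USER_ROLE_CHANGE msg=audit(1351255894.831:57516): user pid=7301 uid=0 auid=0 "
    "ses=162 subj=unconfined_u:system_r:httpd_t:s0 msg='newrole: "
    "old-context=unconfined_u:system_r:httpd_t:s0 "
    "new-context=unconfined_u:unconfined_r:unconfined_t:s0 exe=\"/usr/bin/sudo\" "
    "hostname=? addr=? terminal=? res=success'",
]

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): ")
FIELD_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')

def decode_audit_value(key, value):
    # auditd hex-encodes cmd= when the command contains spaces or quotes;
    # quoted values are returned bare, anything else unchanged.
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if key == "cmd":
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def parse_record(line):
    # One audit.log line -> dict of type, timestamp, serial and all key=value fields.
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    # Flatten the msg='...' payload so its fields parse like the outer ones.
    body = line[m.end():].replace("msg='", "").rstrip("'")
    for key, value in FIELD_RE.findall(body):
        rec[key] = decode_audit_value(key, value)
    return rec

def split_context(ctx):
    # SELinux context "user:role:type:level" -> dict (MLS ranges stay in level).
    user, role, stype, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": stype, "level": level}

def find_type_transitions(records):
    # (old type, new type, exe) for each USER_ROLE_CHANGE: the httpd_t -> unconfined_t
    # change that the sudoers ROLE=/TYPE= entry asks sudo to perform.
    return [(split_context(r["old-context"])["type"],
             split_context(r["new-context"])["type"], r.get("exe"))
            for r in records if r and r["type"] == "USER_ROLE_CHANGE"]
```

Feeding it the full audit.log (one line per record) gives the same dicts for AVC records, so the denials exposed by disabling dontaudit rules can be filtered on `subj` type httpd_t the same way.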
Comment 2 Daniel Walsh 2012-11-28 10:44:23 EST
You can turn off dontaudit rules.

semodule -DB

Which will get you the AVC messages that are being denied.

This is a little tricky,
Comment 3 RHEL Product and Program Management 2012-12-14 03:17:17 EST
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 4 Miroslav Grepl 2012-12-14 05:46:21 EST
Closing this as NOTABUG.
