Bug 909345 - CGI script cannot connect to Postgresql
Summary: CGI script cannot connect to Postgresql
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-02-08 15:30 UTC by hristo ivanov
Modified: 2013-03-04 08:38 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-03 22:41:31 UTC
Type: Bug
Embargoed:


Description hristo ivanov 2013-02-08 15:30:06 UTC
Description of problem:
Httpd can no longer connect to Postgresql. I have a CGI script labeled with type httpd_script_exec_t. In the past, this was enough to let httpd connect to postgresql database (Fedora < 16). Right now, the labeling of the file is not enough. Here is some additional information:

# getsebool -a | grep httpd |grep " --> on"
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> on
httpd_can_sendmail --> on
httpd_enable_cgi --> on
httpd_graceful_shutdown --> on

In addition to the above, the following test policies were loaded (the first one generated from audit2allow, the second one from bug #830764):

<<< policy local >>>
module local 1.0;

require {
        type httpd_sys_script_t;
        type postgresql_var_run_t;
        class dir search;
}

#============= httpd_sys_script_t ==============
#!!!! This avc is allowed in the current policy

allow httpd_sys_script_t postgresql_var_run_t:dir search;

<<< policy postgresql_httpd >>>
module httpd_postgresql 1.0;

require {
        class sock_file write;

        type httpd_t;
        type postgresql_tmp_t;
};

allow httpd_t postgresql_tmp_t:sock_file write;

Version-Release number of selected component (if applicable):

libmicrohttpd-0.9.22-1.fc18.x86_64
httpd-2.4.3-12.fc18.x86_64
httpd-tools-2.4.3-12.fc18.x86_64

postgresql-pgpool-II-devel-3.2.0-1.fc18.x86_64
postgresql-plruby-doc-0.5.3-7.fc18.x86_64
postgresql-pltcl-9.2.2-1.fc18.x86_64
postgresql-contrib-9.2.2-1.fc18.x86_64
postgresql-libs-9.2.2-1.fc18.x86_64
postgresql-dbi-link-2.0.0-8.fc18.noarch
postgresql-odbc-09.01.0200-1.fc18.x86_64
postgresql-devel-9.2.2-1.fc18.x86_64
postgresql-9.2.2-1.fc18.x86_64
postgresql-pgpool-II-3.2.0-1.fc18.x86_64
postgresql-plperl-9.2.2-1.fc18.x86_64
postgresql-server-9.2.2-1.fc18.x86_64
postgresql-plparrot-0.05-2.fc18.x86_64
postgresql-jdbc-9.2.1002-1.fc18.noarch
postgresql-table_log-0.4.4-12.fc18.x86_64
qt-postgresql-4.8.4-6.fc18.x86_64
postgresql-plpython-9.2.2-1.fc18.x86_64
postgresql-plruby-0.5.3-7.fc18.x86_64
postgresql_autodoc-1.40-2.fc14.noarch
postgresql-upgrade-9.2.2-1.fc18.x86_64
postgresql-pgpoolAdmin-3.1.1-2.fc18.noarch
postgresql-docs-9.2.2-1.fc18.x86_64
postgresql-pgpool-II-recovery-3.2.0-1.fc18.x86_64
postgresql-ip4r-1.05-4.fc18.x86_64

selinux-policy-devel-3.11.1-73.fc18.noarch
selinux-policy-3.11.1-73.fc18.noarch
selinux-policy-doc-3.11.1-73.fc18.noarch
selinux-policy-targeted-3.11.1-73.fc18.noarch


How reproducible:
Always

Steps to Reproduce:
1. Create a cgi script that connects to postgresql (any will do)
2. Change context to httpd_sys_script_exec_t
3. Access the script from outside
  
Actual results:
The following AVC messages are generated:
type=SYSCALL msg=audit(1360333256.583:31686): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=25fe8a0 a2=6e a3=7fffc346b2b0 items=0 ppid=27429 pid=30242 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="rv.cgi" exe="/var/www/html/rv/ws/rv.cgi" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)

(not fixed)

type=AVC msg=audit(1360333256.583:31686): avc:  denied  { search } for  pid=30242 comm="rv.cgi" name="postgresql" dev="tmpfs" ino=15079 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=dir
(fixed with the local policy)

Expected results:
No AVC messages, the script should be allowed to connect to the database after all of the above set up.

Additional info:
I think this is an SELinux policy problem since changing the script type to httpd_unconfined_script_exec_t did fix the problem.
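
As an added example (not part of the bug report), here is a small Python script that does what audit2allow did for the "local" module above: it pairs the SYSCALL and AVC records by their audit serial, decodes syscall 42 / exit -13 on x86_64 as connect() failing with EACCES, and collapses the denials into TE allow rules. The syscall and errno tables are assumptions of the example and hold only the numbers in this report; the SELinux type is taken as the third field of a context.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample: the two records quoted in the report. Both carry audit
# serial 31686, which is what ties the failed connect() to the AVC denial.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1360333256.583:31686): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=25fe8a0 a2=6e a3=7fffc346b2b0 items=0 ppid=27429 pid=30242 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="rv.cgi" exe="/var/www/html/rv/ws/rv.cgi" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1360333256.583:31686): avc:  denied  { search } for  pid=30242 comm="rv.cgi" name="postgresql" dev="tmpfs" ino=15079 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:postgresql_var_run_t:s0 tclass=dir
"""
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
SYSCALLS_X86_64 = {42: "connect"}  # arch=c000003e is x86_64; assumed table, only this report's number
ERRNO = {13: "EACCES"}             # exit=-13 is -EACCES; same caveat

def fields(text):
    """Turn 'k=v k="quoted v"' audit text into a dict (shlex strips the quotes)."""
    return dict(tok.split("=", 1) for tok in shlex.split(text) if "=" in tok)

def parse_records(audit_text):
    """Group SYSCALL and AVC records by serial: {serial: {"syscall": (...), "avcs": [...]}}."""
    events = defaultdict(lambda: {"syscall": None, "avcs": []})
    for line in audit_text.splitlines():
        serial = SERIAL_RE.search(line)
        if not serial:
            continue
        ev = events[serial.group(1)]
        if line.startswith("type=SYSCALL"):
            f = fields(line)
            ev["syscall"] = (SYSCALLS_X86_64.get(int(f["syscall"]), f["syscall"]),
                             ERRNO.get(-int(f["exit"]), f["exit"]),
                             f["subj"].split(":")[2])  # user:role:type:level -> type
        elif line.startswith("type=AVC") and AVC_RE.search(line):  # skips "granted" records
            m = AVC_RE.search(line)
            f = fields(m.group("rest"))
            ev["avcs"].append((f["scontext"].split(":")[2], f["tcontext"].split(":")[2],
                               f["tclass"], set(m.group("perms").split())))
    return dict(events)

def allow_rules(audit_text):
    """Collapse the denials into audit2allow-style allow rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for ev in parse_records(audit_text).values():
        for stype, ttype, tclass, perms in ev["avcs"]:
            merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, p if len(perms) == 1 else "{ %s }" % p))
    return rules
```

Unlike audit2allow, nothing here consults the loaded policy, so it cannot flag a rule that is already permitted the way the `#!!!! This avc is allowed in the current policy` line in the local module above does; that check is what tells you a fresh allow rule will not change anything.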

Comment 1 Joe Orton 2013-02-22 12:39:34 UTC
The httpd_selinux man page implies that the httpd_can_network_connect_db boolean should enable database access from CGI scripts; a policy bug?

Comment 2 Miroslav Grepl 2013-02-22 13:02:39 UTC
Yes, it looks so. It should work.

Comment 3 Daniel Walsh 2013-02-22 14:05:52 UTC
a87c91b29ca422b6fe0465f85fb03fbb0a93bd8d fixes this in Rawhide.

Comment 4 hristo ivanov 2013-02-22 20:49:06 UTC
How can I test this?

I think this is a problem with the Postgres socket connection. I am not completely sure, though, and I don't know how I can debug this. Please tell me if any additional information is needed.

Comment 5 Miroslav Grepl 2013-02-25 11:49:48 UTC
Backported to F18. A new F18 build is coming these days.

Comment 6 Fedora Update System 2013-03-01 13:03:06 UTC
selinux-policy-3.11.1-82.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-82.fc18

Comment 7 Fedora Update System 2013-03-02 20:14:11 UTC
Package selinux-policy-3.11.1-82.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-82.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3309/selinux-policy-3.11.1-82.fc18
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2013-03-03 22:41:33 UTC
selinux-policy-3.11.1-82.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 hristo ivanov 2013-03-04 08:38:21 UTC
Problem fixed. Thank you for the prompt reaction.
