Bug 974313 - nodejs segfaults when used with SELinux enforcing and setsebool httpd_execmem off
Summary: nodejs segfaults when used with SELinux enforcing and setsebool httpd_execmem...
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: nodejs
Version: rawhide
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: T.C. Hollingsworth
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-06-13 23:24 UTC by Joe Honton
Modified: 2013-06-14 01:24 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-06-14 01:24:58 UTC
Type: Bug

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Joe Honton 2013-06-13 23:24:41 UTC 
Description of problem:
nodejs segfaults when used with SELinux enforcing and setsebool httpd_execmem off. Instead of segfaulting, it should issue an AVC denial.

Version-Release number of selected component (if applicable):
0.10.6-1.fc20

How reproducible:
Run a PHP script using Apache such as:
<?php shell_exec( "/usr/bin/node /var/www/virtual-hosts/example.com/bin/topojson -p -o /tmp/outfile /tmp/infile" ); ?>

Steps to Reproduce:
1. # setenforce 1
2. # setsebool httpd_execmem off
3. Run a PHP script using Apache: <?php shell_exec( "/usr/bin/node /var/www/virtual-hosts/example.com/bin/topojson -p -o /tmp/outfile /tmp/infile" ); ?>

Actual results:
/var/log/messages contains this message:
Jun 13 14:30:32 ce008 kernel: [4067406.839668] node[27735]: segfault at 20 ip 00007f14cf27905f sp 00007fffb431eda0 error 4 in libv8.so.3.14.5[7f14cef2c000+54f000]


Expected results:
/var/log/messages should contain a SELinux AVC denial message referencing "execmem" to give us a clue to enable httpd_execmem.


Additional info:
Apache 2.2.23-1.fc17
PHP 5.4.14-1.fc17 
selinux-policy.noarch 3.10.0-167.fc17
topojson github commit 7d07ec67a62ca57dbfd4472cb2a8bbc6fe8bd2f5
Comment 1 T.C. Hollingsworth 2013-06-14 01:24:58 UTC 
This works for me:

% cat /var/www/html/nodetest.php 
<?php 
header("Content-Type: text/plain");
system("/usr/bin/node -pe process.version");

% sudo getsebool httpd_execmem
httpd_execmem --> off

% curl http://localhost/nodetest.php               

% sudo ausearch -m avc -ts recent
----
time->Thu Jun 13 18:20:27 2013
type=SYSCALL msg=audit(1371172827.650:870): arch=c000003e syscall=9 success=no exit=-13 a0=3d57a8f77000 a1=1000 a2=7 a3=22 items=0 ppid=6700 pid=6886 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="node" exe="/usr/bin/node" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1371172827.650:870): avc:  denied  { execmem } for  pid=6886 comm="node" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
----
time->Thu Jun 13 18:20:27 2013
type=SYSCALL msg=audit(1371172827.650:869): arch=c000003e syscall=9 success=no exit=-13 a0=3dd9286f000 a1=1000 a2=7 a3=32 items=0 ppid=6700 pid=6886 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="node" exe="/usr/bin/node" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1371172827.650:869): avc:  denied  { execmem } for  pid=6886 comm="node" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process

% sudo setsebool httpd_execmem on

% curl http://localhost/nodetest.php               
v0.10.10

I'm not sure why you're not getting an AVC.  You appear to be using a Rawhide nodejs on F17??  That is...unsupported...to say the least.  We don't support nodejs on F17 at all due to its OpenSSL not being compatible.

Please let us know if you can reproduce on F18 or later.
Note You need to log in before you can comment on or make changes to this bug.