Hi all,
I have an el4 machine on which I am trying to get a shell script working from a
php page with sudo. I can su to apache and execute the script using sudo, but
when I try to execute the script from the php page I get the following AVCs:
type=AVC msg=audit(1141573880.162:1935): avc: denied { setrlimit } for pid=29788 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
type=SYSCALL msg=audit(1141573880.162:1935): arch=c000003e syscall=160 success=no exit=-13 a0=4 a1=7fbffff9a0 a2=0 a3=7fbffff701 items=0 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1141573880.164:1936): avc: denied { read } for pid=29788 comm="sudo" name="shadow" dev=dm-0 ino=51991 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1141573880.164:1936): arch=c000003e syscall=2 success=no exit=-13 a0=2a95e1302a a1=0 a2=1b6 a3=1 items=1 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=CWD msg=audit(1141573880.164:1936): cwd="/var/www/adddomain"
type=PATH msg=audit(1141573880.164:1936): name="/etc/shadow" flags=101 inode=51991 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141573880.165:1937): avc: denied { read } for pid=29788 comm="sudo" name="shadow" dev=dm-0 ino=51991 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1141573880.165:1937): arch=c000003e syscall=2 success=no exit=-13 a0=2a95e1302a a1=0 a2=1b6 a3=4 items=1 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=CWD msg=audit(1141573880.165:1937): cwd="/var/www/adddomain"
type=PATH msg=audit(1141573880.165:1937): name="/etc/shadow" flags=101 inode=51991 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141573880.165:1938): avc: denied { create } for pid=29788 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=netlink_route_socket
type=SYSCALL msg=audit(1141573880.165:1938): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=0 a3=7fbfffe901 items=0 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1141573880.166:1939): avc: denied { setgid } for pid=29788 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
type=SYSCALL msg=audit(1141573880.166:1939): arch=c000003e syscall=119 success=yes exit=0 a0=ffffffff a1=30 a2=ffffffff a3=7fbffff701 items=0 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1141573880.167:1940): avc: denied { setuid } for pid=29788 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
type=SYSCALL msg=audit(1141573880.167:1940): arch=c000003e syscall=117 success=yes exit=0 a0=30 a1=30 a2=0 a3=7fbffff701 items=0 pid=29788 auid=0 uid=48 gid=48 euid=48 suid=0 fsuid=48 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1141573880.167:1941): avc: denied { setgid } for pid=29788 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
type=SYSCALL msg=audit(1141573880.167:1941): arch=c000003e syscall=119 success=no exit=-1 a0=ffffffff a1=0 a2=ffffffff a3=7fbffff701 items=0 pid=29788 auid=0 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
If I am reading these correctly, it appears that SELinux is stopping sudo from
executing the commands. Is there a way to get this to work without making the
system insecure? The script is restricted to internal use, but there are
publicly accessible websites hosted on the machine.
Regards,
Tom
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
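An added example, not part of Tom's post: a small parser that groups audit records like the ones above by serial number and summarizes, per source domain, which permissions were denied on which target type, and whether the matching SYSCALL record shows the call actually failing (success=no exit=-13) or only being logged while the call returned 0. The sample input is a constructed excerpt of the post's records with the SYSCALL lines shortened.

```python
import re
from collections import defaultdict

# Constructed sample: three AVC/SYSCALL pairs taken from the post (SYSCALL lines shortened).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1141573880.162:1935): avc: denied { setrlimit } for pid=29788 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
type=SYSCALL msg=audit(1141573880.162:1935): arch=c000003e syscall=160 success=no exit=-13 pid=29788 uid=48 euid=0 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1141573880.164:1936): avc: denied { read } for pid=29788 comm="sudo" name="shadow" dev=dm-0 ino=51991 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1141573880.164:1936): arch=c000003e syscall=2 success=no exit=-13 pid=29788 uid=48 euid=0 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1141573880.166:1939): avc: denied { setgid } for pid=29788 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
type=SYSCALL msg=audit(1141573880.166:1939): arch=c000003e syscall=119 success=yes exit=0 pid=29788 uid=48 euid=0 comm="sudo" exe="/usr/bin/sudo"
"""

# Record header: type=<TYPE> msg=audit(<timestamp>:<serial>): <body>
REC_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
# AVC body: avc: denied { perm [perm ...] } for key=value ...
DENIED_RE = re.compile(r'avc: +denied +\{ (?P<perms>[^}]*)\} for (?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def _kv(s):
    """Turn 'k=v k2="v2"' into a dict, dropping the quotes around quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(s)}

def parse_audit(text):
    """Group records by audit serial; each event carries its AVC denials and SYSCALL fields."""
    events = {}
    for line in text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue
        ev = events.setdefault(m['serial'], {'serial': m['serial'], 'denials': [], 'syscall': None})
        if m['type'] == 'AVC':
            d = DENIED_RE.search(m['body'])
            if d:
                fields = _kv(d['fields'])
                fields['perms'] = d['perms'].split()
                ev['denials'].append(fields)
        elif m['type'] == 'SYSCALL':
            ev['syscall'] = _kv(m['body'])
    return [events[k] for k in sorted(events, key=int)]

def _type(ctx):
    """user:role:type[:mls] -> type component of a security context."""
    return ctx.split(':')[2]

def summarize(events):
    """Per source type: set of (tclass, perm, target type, call_failed) tuples."""
    out = defaultdict(set)
    for ev in events:
        sc = ev['syscall'] or {}
        call_failed = sc.get('success') == 'no' and sc.get('exit') == '-13'  # EACCES
        for d in ev['denials']:
            for p in d['perms']:
                out[_type(d['scontext'])].add((d['tclass'], p, _type(d['tcontext']), call_failed))
    return dict(out)
```

Run against the full set of records from the post, the summary shows every denial coming from httpd_sys_script_t, which is the domain the php page's child processes inherit; that is what needs a policy decision, not sudo itself.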