Hi,

I'm running http on a fully updated Centos 5 system.

httpd-2.2.3-43.el5.centos.3.x86_64
selinux-policy-2.4.6-279.el5_5.2.noarch
selinux-policy-targeted-2.4.6-279.el5_5.2.noarch

I'm trying to run a cgi script from a user directory. With SELinux enabled I get the following error.

[Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8] (13)Permission denied: exec of '/usr/sbin/suexec' failed
[Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8] Premature end of script headers: survey.cgi

With SELinux in permissive mode I get the following AVC

Summary:

SELinux prevented httpd executing access to http files.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux prevented httpd executing access to http files. Ordinarily httpd is allowed full access to all files labeled with http file context. This machine has a tightened security policy with the httpd_unified turned off, this requires explicit labeling of all files. If a file is a cgi script it needs to be labeled with httpd_TYPE_script_exec_t in order to be executed. If it is read-only content, it needs to be labeled httpd_TYPE_content_t, it is writable content. it needs to be labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon command to change these contexts. Please refer to the man page "man httpd_selinux" or FAQ (http://fedora.redhat.com/docs/selinux-apache-fc3) "TYPE" refers to one of "sys", "user" or "staff" or potentially other script types.

Allowing Access:

Changing the "httpd_unified" boolean to true will allow this access:
"setsebool -P httpd_unified=1"

The following command will allow this access:

setsebool -P httpd_unified=1

Additional Information:

Source Context                system_u:system_r:httpd_t
Target Context                system_u:object_r:httpd_suexec_exec_t
Target Objects                /usr/sbin/suexec [ file ]
Source                        suexec
Source Path                   /usr/sbin/suexec
Port                          <Unknown>
Host                          a.b.c.d
Source RPM Packages           httpd-2.2.3-43.el5.centos.3
Target RPM Packages           httpd-2.2.3-43.el5.centos.
Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   httpd_unified
Host Name                     a.b.c.d
Platform                      Linux a.b.c.d 2.6.18-194.17.4.el5 #1 SMP Mon Oct 25 15:50:53 EDT 2010 x86_64
Alert Count                   2
First Seen                    Thu Dec 2 13:09:20 2010
Last Seen                     Thu Dec 2 13:33:32 2010
Local ID                      4a26d013-6f04-4a0f-af21-760368cc9908
Line Numbers

Raw Audit Messages

host=a.b.c.d type=AVC msg=audit(1291296812.604:97588): avc: denied { execute_no_trans } for pid=5567 comm="httpd" path="/usr/sbin/suexec" dev=sda2 ino=1791541 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file

host=a.b.c.d type=SYSCALL msg=audit(1291296812.604:97588): arch=c000003e syscall=59 success=yes exit=0 a0=2abacad53449 a1=2abae3768e90 a2=2abae37684d8 a3=0 items=0 ppid=789 pid=5567 auid=4294967295 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="suexec" exe="/usr/sbin/suexec" subj=system_u:system_r:httpd_t:s0 key=(null)

So it suggests "setsebool -P httpd_unified=1" will allow this access. However

getsebool -a | grep http

gives

httpd_unified --> on

So it is already on.

Thanks,
Tony
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
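The post above shows the trap in reading a setroubleshoot report: the plugin names a boolean that is already set, so flipping it explains nothing, and the actual facts are in the raw AVC line (source type, denied permission, target type, object class). The shell script below is an added example, not code from the list post and not part of setroubleshoot or policycoreutils. It parses a raw AVC message the way an analyst would before deciding on a fix, and checks the suggested boolean against a copy of `getsebool -a | grep http` output. The AVC line is copied from the post; the getsebool listing is constructed for this example (only its httpd_unified line appears in the post). All function names are my own.

```shell
#!/bin/sh
# Added example: triage a raw SELinux AVC denial and check whether the
# boolean setroubleshoot suggests would actually change anything.

# Sample AVC line, copied from the mailing list post.
AVC_LINE='host=a.b.c.d type=AVC msg=audit(1291296812.604:97588): avc: denied { execute_no_trans } for pid=5567 comm="httpd" path="/usr/sbin/suexec" dev=sda2 ino=1791541 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file'

# Constructed sample of `getsebool -a | grep http` output. Only the
# httpd_unified line is from the post; the other booleans exist in the
# RHEL/CentOS 5 targeted policy but their states here are made up.
GETSEBOOL_OUTPUT='httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_unified --> on'

# avc_field LINE KEY: value of KEY=value in an AVC line, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perms LINE: the permission(s) listed inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p' | sed 's/^ *//;s/ *$//'
}

# context_type CONTEXT: the type field of user:role:type[:level].
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: "SOURCE_TYPE PERMS TARGET_TYPE TCLASS" on one line.
avc_summary() {
    printf '%s %s %s %s\n' \
        "$(context_type "$(avc_field "$1" scontext)")" \
        "$(avc_perms "$1")" \
        "$(context_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)"
}

# bool_state OUTPUT NAME: on/off for NAME in getsebool output, else "unknown".
bool_state() {
    state=$(printf '%s\n' "$1" | awk -v b="$2" '$1 == b { print $3 }')
    printf '%s\n' "${state:-unknown}"
}

# suggestion_applies OUTPUT NAME WANTED: succeeds (0) only if setting NAME
# to WANTED would change its current state; fails if it is already there.
suggestion_applies() {
    [ "$(bool_state "$1" "$2")" != "$3" ]
}

# triage AVC_LINE GETSEBOOL_OUTPUT BOOL: one-line verdict for the report.
triage() {
    if suggestion_applies "$2" "$3" on; then
        printf '%s: %s is off, suggested setsebool would apply\n' "$(avc_summary "$1")" "$3"
    else
        printf '%s: %s already on, suggestion does not explain this denial\n' "$(avc_summary "$1")" "$3"
    fi
}

# Run the triage on the embedded sample; httpd_unified is the boolean the
# setroubleshoot plugin in the post proposed.
triage "$AVC_LINE" "$GETSEBOOL_OUTPUT" httpd_unified
```

On a live host the two sample strings would be replaced by `ausearch -m avc` output and the real `getsebool -a` listing; the point of the check is that when `suggestion_applies` fails, the denied permission and the source/target type pair are what need explaining, not the boolean.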