Fwd: Re: http AVC

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



---------- Forwarded Message ----------

Subject: Re: http AVC

Date: Thursday 02 December 2010, 17:21:25

From: Daniel J Walsh <dwalsh@xxxxxxxxxx>

To: Tony Molloy <tony.molloy@xxxxx>

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

On 12/02/2010 12:15 PM, Tony Molloy wrote:

> On Thursday 02 December 2010 15:04:24 you wrote:

>> On 12/02/2010 09:35 AM, Tony Molloy wrote:

>>> Hi,

>>>

>>> I'm running http on a fully updated Centos 5 system.

>>>

>>> httpd-2.2.3-43.el5.centos.3.x86_64

>>> selinux-policy-2.4.6-279.el5_5.2.noarch

>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch

>>>

>>>

>>> I'm trying to run a cgi script from a user directory.

>>>

>>> With SELinux enabled I get the following error.

>>>

>>> [Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8]

>>>

>>> (13)Permission denied: exec of '/usr/sbin/suexec' failed

>>>

>>> [Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8]

>>>

>>> Premature end of script headers: survey.cgi

>>>

>>> With SELinux in permissive mode I get the following AVC

>>>

>>> Summary:

>>>

>>> SELinux prevented httpd executing access to http files.

>>>

>>> Detailed Description:

>>>

>>> [SELinux is in permissive mode, the operation would have been denied but

>>> was permitted due to permissive mode.]

>>>

>>> SELinux prevented httpd executing access to http files. Ordinarily httpd

>>> is allowed full access to all files labeled with http file context. This

>>> machine has a tightened security policy with the httpd_unified turned

>>> off, this requires

>>> explicit labeling of all files. If a file is a cgi script it needs to be

>>> labeled

>>> with httpd_TYPE_script_exec_t in order to be executed. If it is read-only

>>> content, it needs to be labeled httpd_TYPE_content_t, it is writable

>>> content. it

>>> needs to be labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You

>>> can use the chcon command to change these contexts. Please refer to the

>>> man page "man httpd_selinux" or FAQ

>>> (http://fedora.redhat.com/docs/selinux-apache-fc3) "TYPE" refers to one

>>> of "sys", "user" or "staff" or potentially other script types.

>>>

>>> Allowing Access:

>>>

>>> Changing the "httpd_unified" boolean to true will allow this access:

>>> "setsebool -P httpd_unified=1"

>>>

>>> The following command will allow this access:

>>>

>>> setsebool -P httpd_unified=1

>

>>> Raw Audit Messages

>>>

>>> host=a.b.c.d type=AVC msg=audit(1291296812.604:97588): avc: denied {

>>> execute_no_trans } for pid=5567 comm="httpd" path="/usr/sbin/suexec"

>>> dev=sda2 ino=1791541 scontext=system_u:system_r:httpd_t:s0

>>> tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file

>>>

>>> host=a.b.c.d type=SYSCALL msg=audit(1291296812.604:97588): arch=c000003e

>>> syscall=59 success=yes exit=0 a0=2abacad53449 a1=2abae3768e90

>>> a2=2abae37684d8 a3=0 items=0 ppid=789 pid=5567 auid=4294967295 uid=48

>>> gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none)

>>> ses=4294967295 comm="suexec" exe="/usr/sbin/suexec"

>>> subj=system_u:system_r:httpd_t:s0 key=(null)

>>>

>>>

>>> So it suggests "setsebool -P httpd_unified=1" will allow this access.

>>>

>>> However getsebool -a | grep http gives

>>> httpd_unified --> on

>>>

>>> So it is allready on.

>>>

>>>

>>> Thanks,

>>>

>>> Tony

>>

>> Do you have httpd_suexec_disable_trans turned on?

>

>

> Yep

>

> getsebool -a | grep http

>

> httpd_suexec_disable_trans --> on

> httpd_enable_cgi --> on

>

>

> Tony

>

>

> >

>Turn the httpd_suexec_disable_trans off

>setsebool -P httpd_suexec_disable_trans 0

>ANd I bet it will work

OK I'll try that, but I won't be able to test it until tomorrow morning.

I'll let you know what happens.

Thanks,

Tony

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.11 (GNU/Linux)

Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkz31ZUACgkQrlYvE4MpobPhRQCeNTeiAI98Szsc1dVmFpP0SynC

RkMAnRlIiPwYqUYzhdbtGv5Hav8N+Ngk

=x3GH

-----END PGP SIGNATURE-----

-----------------------------------------

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux