selinux doesn't prevent php fopen to remote 80/tcp

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,
If I understand documentation correctly, SELinux should prevent php
scripts (running via mod_php) from opening remote urls with fopen
function
by default, that is when httpd_can_network_connect --> off

Here are the links that confirm that behavior in the past:

http://www.php.net/manual/en/function.fopen.php#56551
https://bugzilla.redhat.com/show_bug.cgi?id=164700


I've installed and updated Fedora 15 with no selinux modifications:

[root@localhost ~]# cat /etc/redhat-release
Fedora release 15 (Lovelock)

[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 26
Policy from config file:        targeted

I've made three tests:
[root@localhost ~]# cat /var/www/html/marko1.php
<?php
$file = fopen ("http://www.example.com";, "r");
if (!$file) {
    echo "<p>Unable to open remote file.\n";
    exit;
}
while (!feof ($file)) {
    $line = fgets ($file, 1024);
        echo ($line);
}
fclose($file);
?>

[root@localhost ~]# cat /var/www/html/marko2.php
<?php
$file = fopen ("http://10.11.12.13:31254/";, "r");
if (!$file) {
    echo "<p>Unable to open remote file.\n";
    exit;
}
while (!feof ($file)) {
    $line = fgets ($file, 1024);
        echo ($line);
}
fclose($file);
?>

[root@localhost ~]# cat /var/www/html/marko3.php
<?php
exec ('wget http://www.example.com -O /tmp/example.html');
exec ('wget http://10.11.12.13:31254 -O /tmp/mail.html');
?>
IP 10.11.12.13 is a remote machine, with apache listening on tcp port 31254
and i can reach it with wget running under unconfined root account.

My httpd booleans are:

[root@localhost ~]# getsebool -a|grep http
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
named_bind_http_port --> off

and semanage -o - gives:
boolean -D
boolean -1 httpd_builtin_scripting
login -D
login -a -s unconfined_u -r 's0-s0:c0.c1023' __default__
login -a -s unconfined_u -r 's0-s0:c0.c1023' root
login -a -s system_u -r 's0-s0:c0.c1023' system_u
user -D
port -D
interface -D
node -D
fcontext -D

The problem is that opening marko1.php in browser gives me the html
found on http://www.example.com
and opening marko3.php produces the /tmp/example.html file on server
with the html found on http://www.example.com

The requests for http://10.11.12.13:31254/ both php's and wget-s, are
not successful and are logged logged like:
type=AVC msg=audit(1320370308.125:103): avc:  denied  { name_connect }
for  pid=1842 comm="wget" dest=31254
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1320370308.980:104): avc:  denied  { name_connect }
for  pid=1656 comm="httpd" dest=31254
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

mod_proxy is commented and not enabled (which is default in F15, AFAIK).

Am I missing something or has the documentation missed this little fact?  ;)

--
Marko Uskokovic
Mainstream d.o.o.
www.mainstream.rs
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux