On 11/04/2011 01:46 AM, Marko Uskoković wrote:
> Hello,
> If I understand the documentation correctly, SELinux should prevent php
> scripts (running via mod_php) from opening remote urls with the fopen
> function by default, that is when httpd_can_network_connect --> off
>
> Here are the links that confirm that behavior in the past:
>
> http://www.php.net/manual/en/function.fopen.php#56551
> https://bugzilla.redhat.com/show_bug.cgi?id=164700
>
> I've installed and updated Fedora 15 with no selinux modifications:
>
> [root@localhost ~]# cat /etc/redhat-release
> Fedora release 15 (Lovelock)
>
> [root@localhost ~]# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy version:                 26
> Policy from config file:        targeted
>
> I've made three tests:
> [root@localhost ~]# cat /var/www/html/marko1.php
> <?php
> $file = fopen ("http://www.example.com", "r");
> if (!$file) {
>     echo "<p>Unable to open remote file.\n";
>     exit;
> }
> while (!feof ($file)) {
>     $line = fgets ($file, 1024);
>     echo ($line);
> }
> fclose($file);
> ?>
>
> [root@localhost ~]# cat /var/www/html/marko2.php
> <?php
> $file = fopen ("http://10.11.12.13:31254/", "r");
> if (!$file) {
>     echo "<p>Unable to open remote file.\n";
>     exit;
> }
> while (!feof ($file)) {
>     $line = fgets ($file, 1024);
>     echo ($line);
> }
> fclose($file);
> ?>
>
> [root@localhost ~]# cat /var/www/html/marko3.php
> <?php
> exec ('wget http://www.example.com -O /tmp/example.html');
> exec ('wget http://10.11.12.13:31254 -O /tmp/mail.html');
> ?>
>
> IP 10.11.12.13 is a remote machine, with apache listening on tcp port 31254
> and I can reach it with wget running under an unconfined root account.
>
> My httpd booleans are:
>
> [root@localhost ~]# getsebool -a|grep http
> allow_httpd_anon_write --> off
> allow_httpd_mod_auth_ntlm_winbind --> off
> allow_httpd_mod_auth_pam --> off
> allow_httpd_sys_script_anon_write --> off
> httpd_builtin_scripting --> on
> httpd_can_check_spam --> off
> httpd_can_network_connect --> off
> httpd_can_network_connect_cobbler --> off
> httpd_can_network_connect_db --> off
> httpd_can_network_memcache --> off
> httpd_can_network_relay --> off
> httpd_can_sendmail --> off
> httpd_dbus_avahi --> off
> httpd_enable_cgi --> on
> httpd_enable_ftp_server --> off
> httpd_enable_homedirs --> off
> httpd_execmem --> off
> httpd_read_user_content --> off
> httpd_setrlimit --> off
> httpd_ssi_exec --> off
> httpd_tmp_exec --> off
> httpd_tty_comm --> on
> httpd_unified --> off
> httpd_use_cifs --> off
> httpd_use_gpg --> off
> httpd_use_nfs --> off
> named_bind_http_port --> off
>
> and semanage -o - gives:
> boolean -D
> boolean -1 httpd_builtin_scripting
> login -D
> login -a -s unconfined_u -r 's0-s0:c0.c1023' __default__
> login -a -s unconfined_u -r 's0-s0:c0.c1023' root
> login -a -s system_u -r 's0-s0:c0.c1023' system_u
> user -D
> port -D
> interface -D
> node -D
> fcontext -D
>
> The problem is that opening marko1.php in a browser gives me the html
> found on http://www.example.com
> and opening marko3.php produces the /tmp/example.html file on the server
> with the html found on http://www.example.com
>
> The requests for http://10.11.12.13:31254/, both the php ones and the wget ones,
> are not successful and are logged like:
> type=AVC msg=audit(1320370308.125:103): avc: denied { name_connect }
> for pid=1842 comm="wget" dest=31254
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> type=AVC msg=audit(1320370308.980:104): avc: denied { name_connect }
> for pid=1656 comm="httpd" dest=31254
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
> mod_proxy is commented out and not enabled (which is the default in F15, AFAIK).
>
> Am I missing something or has the documentation missed this little fact? ;)
>
> --
> Marko Uskokovic
> Mainstream d.o.o.
> www.mainstream.rs
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

I see we have

# Signal self for shutdown
corenet_tcp_connect_http_port(httpd_t)

in the F15 policy, which causes your operation to be allowed. We don't allow it
on F16. Could you open a new bug for this.
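As an added example (not code from the thread, and not Fedora's actual policy sources), the following Python parses AVC records of the shape quoted above and evaluates them against a hand-written model of the two httpd rules the reply describes: an unconditional allow from httpd_t to http_port_t that exists in the F15 policy, and a boolean-gated allow when httpd_can_network_connect is on. The two sample audit lines are constructed from the ones in the post; the shape of the boolean rule and the port labelling (80 and 443 as http_port_t, everything else port_t) are assumptions of the model, and the F16 model is simply the same thing without the unconditional rule.

```python
import re
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: two audit records in the shape of the AVCs quoted in the post.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1320370308.125:103): avc:  denied  { name_connect } for  pid=1842 comm="wget" dest=31254 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1320370308.980:104): avc:  denied  { name_connect } for  pid=1656 comm="httpd" dest=31254 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[dict]:
    """Parse one AVC record into a dict; return None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # The type is the third colon-separated field of an SELinux context.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    if "dest" in rec:
        rec["dest"] = int(rec["dest"])
    return rec


@dataclass
class PolicyModel:
    """Hand-written model of only the rules that matter for this thread (assumption)."""
    # Unconditional allows: (source type, target port type) -> tcp_socket permissions.
    allow: Dict[Tuple[str, str], Set[str]]
    # Boolean-gated allows: boolean -> list of (source type, target type or "*", perms).
    tunable: Dict[str, List[Tuple[str, str, Set[str]]]]
    booleans: Dict[str, bool]
    # Port labelling as semanage port -l would show it; unlisted ports are port_t.
    ports: Dict[int, str] = field(default_factory=dict)

    def port_type(self, port: int) -> str:
        return self.ports.get(port, "port_t")

    def name_connect_allowed(self, stype: str, port: int) -> bool:
        ttype = self.port_type(port)
        if "name_connect" in self.allow.get((stype, ttype), set()):
            return True
        for boolean, rules in self.tunable.items():
            if not self.booleans.get(boolean, False):
                continue
            for src, tgt, perms in rules:
                if src == stype and tgt in ("*", ttype) and "name_connect" in perms:
                    return True
        return False


def fedora15_model(booleans: Optional[Dict[str, bool]] = None) -> PolicyModel:
    """F15 as described in the reply: corenet_tcp_connect_http_port(httpd_t) is unconditional."""
    return PolicyModel(
        allow={("httpd_t", "http_port_t"): {"name_connect"}},
        # Assumed shape of the boolean: httpd_t may name_connect to any TCP port type.
        tunable={"httpd_can_network_connect": [("httpd_t", "*", {"name_connect"})]},
        booleans=dict(booleans or {"httpd_can_network_connect": False}),
        ports={80: "http_port_t", 443: "http_port_t"},  # assumed labelling
    )


def fedora16_model(booleans: Optional[Dict[str, bool]] = None) -> PolicyModel:
    """Same model without the unconditional rule, which the reply says F16 drops."""
    return replace(fedora15_model(booleans), allow={})


def fix_options(rec: dict, model: PolicyModel) -> Dict[str, bool]:
    """For a name_connect denial, map each candidate fix to whether the model then allows it."""
    if rec.get("result") != "denied" or "name_connect" not in rec["perms"]:
        return {}
    port = rec["dest"]
    toggled = replace(model, booleans={**model.booleans, "httpd_can_network_connect": True})
    relabelled = replace(model, ports={**model.ports, port: "http_port_t"})
    return {
        "setsebool -P httpd_can_network_connect on":
            toggled.name_connect_allowed(rec["stype"], port),
        f"semanage port -a -t http_port_t -p tcp {port}":
            relabelled.name_connect_allowed(rec["stype"], port),
    }


if __name__ == "__main__":
    for line in SAMPLE_AUDIT.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        print(f"{rec['comm']} (pid {rec['pid']}) in {rec['stype']} -> tcp/{rec['dest']} "
              f"({rec['ttype']}): {rec['result']}")
        for release, model in (("F15", fedora15_model()), ("F16", fedora16_model())):
            for cmd, ok in fix_options(rec, model).items():
                print(f"  {release}: {cmd:<48} {'allowed' if ok else 'still denied'}")
```

Running it shows the practical consequence of the reply: on the F15 model, relabelling tcp/31254 as http_port_t lets httpd_t connect even with httpd_can_network_connect off, which is exactly why port 80 worked in the original report, while on the F16 model only the boolean opens the port. On a real system the equivalent checks are `sesearch -A -s httpd_t -t http_port_t -c tcp_socket -p name_connect` (setools) for the unconditional rule and `semanage port -l | grep http_port_t` for what the label covers.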