Thank you for your answer.

Bug reported as: https://bugzilla.redhat.com/show_bug.cgi?id=751404

Cheers!

2011/11/4 Miroslav Grepl <mgrepl@xxxxxxxxxx>:
> On 11/04/2011 01:46 AM, Marko Uskoković wrote:
>>
>> Hello,
>> If I understand the documentation correctly, SELinux should prevent PHP
>> scripts (running via mod_php) from opening remote URLs with the fopen
>> function by default, that is when httpd_can_network_connect --> off
>>
>> Here are the links that confirm that behavior in the past:
>>
>> http://www.php.net/manual/en/function.fopen.php#56551
>> https://bugzilla.redhat.com/show_bug.cgi?id=164700
>>
>>
>> I've installed and updated Fedora 15 with no SELinux modifications:
>>
>> [root@localhost ~]# cat /etc/redhat-release
>> Fedora release 15 (Lovelock)
>>
>> [root@localhost ~]# sestatus
>> SELinux status:                 enabled
>> SELinuxfs mount:                /selinux
>> Current mode:                   enforcing
>> Mode from config file:          enforcing
>> Policy version:                 26
>> Policy from config file:        targeted
>>
>> I've made three tests:
>>
>> [root@localhost ~]# cat /var/www/html/marko1.php
>> <?php
>> $file = fopen ("http://www.example.com", "r");
>> if (!$file) {
>>     echo "<p>Unable to open remote file.\n";
>>     exit;
>> }
>> while (!feof ($file)) {
>>     $line = fgets ($file, 1024);
>>     echo ($line);
>> }
>> fclose($file);
>> ?>
>>
>> [root@localhost ~]# cat /var/www/html/marko2.php
>> <?php
>> $file = fopen ("http://10.11.12.13:31254/", "r");
>> if (!$file) {
>>     echo "<p>Unable to open remote file.\n";
>>     exit;
>> }
>> while (!feof ($file)) {
>>     $line = fgets ($file, 1024);
>>     echo ($line);
>> }
>> fclose($file);
>> ?>
>>
>> [root@localhost ~]# cat /var/www/html/marko3.php
>> <?php
>> exec ('wget http://www.example.com -O /tmp/example.html');
>> exec ('wget http://10.11.12.13:31254 -O /tmp/mail.html');
>> ?>
>>
>> IP 10.11.12.13 is a remote machine, with Apache listening on TCP port
>> 31254, and I can reach it with wget running under the unconfined root
>> account.
>>
>> My httpd booleans are:
>>
>> [root@localhost ~]# getsebool -a|grep http
>> allow_httpd_anon_write --> off
>> allow_httpd_mod_auth_ntlm_winbind --> off
>> allow_httpd_mod_auth_pam --> off
>> allow_httpd_sys_script_anon_write --> off
>> httpd_builtin_scripting --> on
>> httpd_can_check_spam --> off
>> httpd_can_network_connect --> off
>> httpd_can_network_connect_cobbler --> off
>> httpd_can_network_connect_db --> off
>> httpd_can_network_memcache --> off
>> httpd_can_network_relay --> off
>> httpd_can_sendmail --> off
>> httpd_dbus_avahi --> off
>> httpd_enable_cgi --> on
>> httpd_enable_ftp_server --> off
>> httpd_enable_homedirs --> off
>> httpd_execmem --> off
>> httpd_read_user_content --> off
>> httpd_setrlimit --> off
>> httpd_ssi_exec --> off
>> httpd_tmp_exec --> off
>> httpd_tty_comm --> on
>> httpd_unified --> off
>> httpd_use_cifs --> off
>> httpd_use_gpg --> off
>> httpd_use_nfs --> off
>> named_bind_http_port --> off
>>
>> and semanage -o - gives:
>>
>> boolean -D
>> boolean -1 httpd_builtin_scripting
>> login -D
>> login -a -s unconfined_u -r 's0-s0:c0.c1023' __default__
>> login -a -s unconfined_u -r 's0-s0:c0.c1023' root
>> login -a -s system_u -r 's0-s0:c0.c1023' system_u
>> user -D
>> port -D
>> interface -D
>> node -D
>> fcontext -D
>>
>> The problem is that opening marko1.php in a browser gives me the HTML
>> found on http://www.example.com, and opening marko3.php produces the
>> /tmp/example.html file on the server with the HTML found on
>> http://www.example.com
>>
>> The requests for http://10.11.12.13:31254/, both PHP's and wget's, are
>> not successful and are logged like:
>>
>> type=AVC msg=audit(1320370308.125:103): avc: denied { name_connect }
>> for pid=1842 comm="wget" dest=31254
>> scontext=system_u:system_r:httpd_t:s0
>> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>> type=AVC msg=audit(1320370308.980:104): avc: denied { name_connect }
>> for pid=1656 comm="httpd" dest=31254
>> scontext=system_u:system_r:httpd_t:s0
>> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>>
>> mod_proxy is commented out and not enabled (which is the default in F15, AFAIK).
>>
>> Am I missing something, or has the documentation missed this little fact?
>> ;)
>>
>> --
>> Marko Uskokovic
>> Mainstream d.o.o.
>> www.mainstream.rs
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> I see we have
>
> # Signal self for shutdown
> corenet_tcp_connect_http_port(httpd_t)
>
> in the F15 policy, which causes your operation to be allowed. We don't allow it
> on F16. Could you open a new bug for this.
>

--
Mainstream d.o.o.
advanced internet solutions
tel: +381 11 3038768
mob: +381 64 150 93 29
www.mainstream.rs
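The thread shows how the AVC records in the audit log are the only visible trace of the blocked connections, while the allowed connection to www.example.com (port 80, labelled http_port_t and permitted by the F15 policy) leaves no record at all. The following parser, added here as an illustration and not part of the thread or of any Fedora tool, extracts name_connect denials whose source domain is httpd_t and summarizes them by destination port and port label. The sample log lines are constructed for the example, modelled on the two AVC records quoted above plus one unrelated file denial and one SYSCALL record to show that they are skipped; the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample audit records (same field layout as the AVC lines
# quoted in the thread; the third and fourth lines are added to show
# that non-AVC records and non-network denials are ignored).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1320370308.125:103): avc: denied { name_connect } for pid=1842 comm="wget" dest=31254 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1320370308.980:104): avc: denied { name_connect } for pid=1656 comm="httpd" dest=31254 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1320370308.980:104): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1320370400.001:105): avc: denied { read } for pid=1656 comm="httpd" name="secret.txt" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
"""

# Header of an AVC denial: timestamp, serial, the permission set in braces,
# then the free-form key=value tail.  Real auditd output pads "denied" with
# two spaces, so spacing is matched loosely.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: +denied +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)$'
)
# key=value pairs; values may be quoted (comm="httpd") or bare (dest=31254).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None for other records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
    }
    for key, raw, quoted in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def httpd_connect_denials(lines):
    """Keep only tcp_socket name_connect denials whose source domain is httpd_t."""
    found = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or "name_connect" not in rec["perms"]:
            continue
        if rec.get("tclass") != "tcp_socket":
            continue
        if context_type(rec["scontext"]) != "httpd_t":
            continue
        found.append({
            "comm": rec["comm"],
            "dest": int(rec["dest"]),
            "port_type": context_type(rec["tcontext"]),
        })
    return found


def summarize(denials):
    """Count denials per (destination port, port label)."""
    counts = defaultdict(int)
    for d in denials:
        counts[(d["dest"], d["port_type"])] += 1
    return dict(counts)


if __name__ == "__main__":
    denials = httpd_connect_denials(SAMPLE_AUDIT_LOG.splitlines())
    for (port, label), n in sorted(summarize(denials).items()):
        print(f"httpd_t -> tcp/{port} ({label}): {n} denial(s)")
```

Run against the sample it reports the two denials to tcp/31254, whose destination is labelled port_t (an unreserved port), and nothing else. The caveat the thread illustrates is that a summary like this only shows what the policy refused: a port type that httpd_t is already allowed to reach, such as http_port_t under the F15 policy quoted by Miroslav, produces no AVC, so an empty report is not evidence that outbound connections are blocked. To see what the loaded policy actually permits, query it directly (for example with sesearch from setools, filtering on source httpd_t, class tcp_socket and permission name_connect) rather than relying on the audit log.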