On Mon, May 22, 2017 at 09:29:10AM -0700, Chris O'Neil wrote:
> Hi, running latest RHEL 7.3 ... struggling with an SELinux issue related
> to Apache httpd that I just can't figure out. I have always been able
> to tune policy or alter a boolean, this one has me stumped!
>
> What I am trying to do: I am trying to deploy a simple, 3 line CGI
> script in /var/www/cgi-bin/. Runs fine with enforcement disabled (see
> output below). My custom policy for Apache (see below) comes from my
> EL6 environment.
>
> The normal setroubleshooting tools don't help, as there is only a single
> line in audit.log (of type=SELINUX_ERR)
>
> This is not happening on latest RHEL 6.9 ...
>
> Might be related to systemd? I don't see any "NoNewPrivileges"
> directives inside /etc/systemd/ though ... weird!
try grepping /usr/lib/systemd as well
also do you have "mod_selinux" enabled? because that requires a type bounds as well AFAIK
>
> Many thanks for your help!
> -chris
>
>
> ########################################################################
> # With enforcement disabled ... all is good (as expected)
> ########################################################################
>
> # ls -laZ /var/www/cgi-bin/
> drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 .
> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 ..
> -rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 ok.cgi
>
> # setenforce 0
> # systemctl restart httpd.service
> $ curl localhost/cgi-bin/ok.cgi
> OK
>
>
> ########################################################################
> # With enforcement enabled ... CGI script fails, all you find is a
> # single deny in /var/log/audit/audit.log
> ########################################################################
>
> # setenforce 1
> # systemctl restart httpd.service
>
> # getenforce
> Enforcing
>
> $ curl localhost/cgi-bin/ok.cgi
> <html><head><title>500 Server Error</title></head><body><h1>Server
> Error</h1></body></html>
>
> # tail /var/log/audit/audit.log | grep denied
> type=SELINUX_ERR msg=audit(1495468154.591:121695):
> op=security_bounded_transition seresult=denied
> oldcontext=system_u:system_r:httpd_t:s0
> newcontext=system_u:system_r:httpd_sys_script_t:s0
>
>
> ########################################################################
> # System details ...
> ########################################################################
>
> # uname -r
> 3.10.0-514.16.1.el7.x86_64
>
> # cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 7.3 (Maipo)
>
> # sestatus
> SELinux status: enabled
> SELinuxfs mount: /sys/fs/selinux
> SELinux root directory: /etc/selinux
> Loaded policy name: targeted
> Current mode: enforcing
> Mode from config file: enforcing
> Policy MLS status: enabled
> Policy deny_unknown status: allowed
> Max kernel policy version: 28
>
> # find /etc/ -type f | xargs grep NoNewPrivileges
> [NO OUTPUT]
>
> # getsebool -a | grep httpd_
> httpd_anon_write --> on
> httpd_builtin_scripting --> on
> httpd_can_check_spam --> off
> httpd_can_connect_ftp --> off
> httpd_can_connect_ldap --> off
> httpd_can_connect_mythtv --> off
> httpd_can_connect_zabbix --> off
> httpd_can_network_connect --> on
> httpd_can_network_connect_cobbler --> off
> httpd_can_network_connect_db --> on
> httpd_can_network_memcache --> off
> httpd_can_network_relay --> off
> httpd_can_sendmail --> on
> httpd_dbus_avahi --> on
> httpd_dbus_sssd --> off
> httpd_dontaudit_search_dirs --> off
> httpd_enable_cgi --> on
> httpd_enable_ftp_server --> off
> httpd_enable_homedirs --> off
> httpd_execmem --> off
> httpd_graceful_shutdown --> on
> httpd_manage_ipa --> off
> httpd_mod_auth_ntlm_winbind --> off
> httpd_mod_auth_pam --> off
> httpd_read_user_content --> on
> httpd_run_ipa --> off
> httpd_run_preupgrade --> off
> httpd_run_stickshift --> off
> httpd_serve_cobbler_files --> off
> httpd_setrlimit --> off
> httpd_ssi_exec --> off
> httpd_sys_script_anon_write --> off
> httpd_tmp_exec --> off
> httpd_tty_comm --> on
> httpd_unified --> on
> httpd_use_cifs --> off
> httpd_use_fusefs --> off
> httpd_use_gpg --> off
> httpd_use_nfs --> off
> httpd_use_openstack --> off
> httpd_use_sasl --> off
> httpd_verify_dns --> off
>
>
> # THIS IS MY GENERIC APACHE TE FILE FROM EL6 ...
>
> # cat myapache.te
> module myapache 0.4;
>
> require {
> type httpd_t;
> type httpd_sys_script_t;
> type http_port_t;
> type mysqld_port_t;
> type rpm_var_cache_t;
> type kernel_t;
> class process { setpgid transition };
> class system module_request;
> class tcp_socket name_connect;
> class dir { read search open getattr };
> class file { open read getattr };
> }
>
> allow httpd_t rpm_var_cache_t:dir { read search open getattr };
> allow httpd_t rpm_var_cache_t:file { read getattr open } ;
> allow httpd_t mysqld_port_t:tcp_socket name_connect;
> allow httpd_sys_script_t self:process setpgid;
> allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
> allow httpd_sys_script_t kernel_t:system module_request;
>
> #type=SELINUX_ERR msg=audit(1495467001.822:84934):
> op=security_bounded_transition seresult=denied
> oldcontext=system_u:system_r:httpd_t:s0
> newcontext=system_u:system_r:httpd_sys_script_t:s0
> # THIS STILL DOES NOT WORK! SYSTEMD ISSUE?
> allow httpd_t httpd_sys_script_t:process transition;
>
>
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Attachment:
signature.asc
Description: PGP signature
