On 05/22/2017 09:58 AM, Dominick Grift wrote:
> On Mon, May 22, 2017 at 09:29:10AM -0700, Chris O'Neil wrote:
>> Hi, running latest RHEL 7.3 ... struggling with an SELinux issue related
>> to Apache httpd that I just can't figure out. I have always been able
>> to tune policy or alter a boolean, this one has me stumped!
>>
>> What I am trying to do: I am trying to deploy a simple, 3 line CGI
>> script in /var/www/cgi-bin/. Runs fine with enforcement disabled (see
>> output below). My custom policy for Apache (see below) comes from my
>> EL6 environment.
>>
>> The normal setroubleshooting tools don't help, as there is only a single
>> line in audit.log (of type=SELINUX_ERR)
>>
>> This is not happening on latest RHEL 6.9 ...
>>
>> Might be related to systemd? I don't see any "NoNewPrivileges"
>> directives inside /etc/systemd/ though ... weird!
>
> try grepping /usr/lib/systemd as well
> also do you have "mod_selinux" enabled? because that requires a type bounds as well AFAIK
Dominick, I did find the "NoNewPrivileges" directive inside of
/usr/lib/systemd/system/systemd-importd.service ... commented it out,
rebooted just to be safe ... no luck ... same problem as before, same
message in /var/log/audit/audit.log. Also tried changing the value from
"Yes" to "No" and rebooting, that didn't help.
$ curl localhost/cgi-bin/ok.cgi
<html><head><title>500 Server Error</title></head><body><h1>Server
Error</h1></body></html>
# tail /var/log/audit/audit.log | grep denied
type=SELINUX_ERR msg=audit(1495473331.188:183):
op=security_bounded_transition seresult=denied
oldcontext=system_u:system_r:httpd_t:s0
newcontext=system_u:system_r:httpd_sys_script_t:s0
Confirmed I do not have "mod_selinux" enabled ... this is a pretty
vanilla deployment of RHEL 7 and Apache httpd
Thanks!
-chris
>
>>
>> Many thanks for your help!
>> -chris
>>
>>
>> ########################################################################
>> # With enforcement disabled ... all is good (as expected)
>> ########################################################################
>>
>> # ls -laZ /var/www/cgi-bin/
>> drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 .
>> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 ..
>> -rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 ok.cgi
>>
>> # setenforce 0
>> # systemctl restart httpd.service
>> $ curl localhost/cgi-bin/ok.cgi
>> OK
>>
>>
>> ########################################################################
>> # With enforcement enabled ... CGI script fails, all you find is a
>> # single deny in /var/log/audit/audit.log
>> ########################################################################
>>
>> # setenforce 1
>> # systemctl restart httpd.service
>>
>> # getenforce
>> Enforcing
>>
>> $ curl localhost/cgi-bin/ok.cgi
>> <html><head><title>500 Server Error</title></head><body><h1>Server
>> Error</h1></body></html>
>>
>> # tail /var/log/audit/audit.log | grep denied
>> type=SELINUX_ERR msg=audit(1495468154.591:121695):
>> op=security_bounded_transition seresult=denied
>> oldcontext=system_u:system_r:httpd_t:s0
>> newcontext=system_u:system_r:httpd_sys_script_t:s0
>>
>>
>> ########################################################################
>> # System details ...
>> ########################################################################
>>
>> # uname -r
>> 3.10.0-514.16.1.el7.x86_64
>>
>> # cat /etc/redhat-release
>> Red Hat Enterprise Linux Server release 7.3 (Maipo)
>>
>> # sestatus
>> SELinux status: enabled
>> SELinuxfs mount: /sys/fs/selinux
>> SELinux root directory: /etc/selinux
>> Loaded policy name: targeted
>> Current mode: enforcing
>> Mode from config file: enforcing
>> Policy MLS status: enabled
>> Policy deny_unknown status: allowed
>> Max kernel policy version: 28
>>
>> # find /etc/ -type f | xargs grep NoNewPrivileges
>> [NO OUTPUT]
>>
>> # getsebool -a | grep httpd_
>> httpd_anon_write --> on
>> httpd_builtin_scripting --> on
>> httpd_can_check_spam --> off
>> httpd_can_connect_ftp --> off
>> httpd_can_connect_ldap --> off
>> httpd_can_connect_mythtv --> off
>> httpd_can_connect_zabbix --> off
>> httpd_can_network_connect --> on
>> httpd_can_network_connect_cobbler --> off
>> httpd_can_network_connect_db --> on
>> httpd_can_network_memcache --> off
>> httpd_can_network_relay --> off
>> httpd_can_sendmail --> on
>> httpd_dbus_avahi --> on
>> httpd_dbus_sssd --> off
>> httpd_dontaudit_search_dirs --> off
>> httpd_enable_cgi --> on
>> httpd_enable_ftp_server --> off
>> httpd_enable_homedirs --> off
>> httpd_execmem --> off
>> httpd_graceful_shutdown --> on
>> httpd_manage_ipa --> off
>> httpd_mod_auth_ntlm_winbind --> off
>> httpd_mod_auth_pam --> off
>> httpd_read_user_content --> on
>> httpd_run_ipa --> off
>> httpd_run_preupgrade --> off
>> httpd_run_stickshift --> off
>> httpd_serve_cobbler_files --> off
>> httpd_setrlimit --> off
>> httpd_ssi_exec --> off
>> httpd_sys_script_anon_write --> off
>> httpd_tmp_exec --> off
>> httpd_tty_comm --> on
>> httpd_unified --> on
>> httpd_use_cifs --> off
>> httpd_use_fusefs --> off
>> httpd_use_gpg --> off
>> httpd_use_nfs --> off
>> httpd_use_openstack --> off
>> httpd_use_sasl --> off
>> httpd_verify_dns --> off
>>
>>
>> # THIS IS MY GENERIC APACHE TE FILE FROM EL6 ...
>>
>> # cat myapache.te
>> module myapache 0.4;
>>
>> require {
>> type httpd_t;
>> type httpd_sys_script_t;
>> type http_port_t;
>> type mysqld_port_t;
>> type rpm_var_cache_t;
>> type kernel_t;
>> class process { setpgid transition };
>> class system module_request;
>> class tcp_socket name_connect;
>> class dir { read search open getattr };
>> class file { open read getattr };
>> }
>>
>> allow httpd_t rpm_var_cache_t:dir { read search open getattr };
>> allow httpd_t rpm_var_cache_t:file { read getattr open } ;
>> allow httpd_t mysqld_port_t:tcp_socket name_connect;
>> allow httpd_sys_script_t self:process setpgid;
>> allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
>> allow httpd_sys_script_t kernel_t:system module_request;
>>
>> #type=SELINUX_ERR msg=audit(1495467001.822:84934):
>> op=security_bounded_transition seresult=denied
>> oldcontext=system_u:system_r:httpd_t:s0
>> newcontext=system_u:system_r:httpd_sys_script_t:s0
>> # THIS STILL DOES NOT WORK! SYSTEMD ISSUE?
>> allow httpd_t httpd_sys_script_t:process transition;
>>
>>
>>
>
