On Mon, May 22, 2017 at 10:16:55AM -0700, Chris O'Neil wrote:
> 
> 
> On 05/22/2017 09:58 AM, Dominick Grift wrote:
> > On Mon, May 22, 2017 at 09:29:10AM -0700, Chris O'Neil wrote:
> >> Hi, running latest RHEL 7.3 ... struggling with an SELinux issue related
> >> to Apache httpd that I just can't figure out. I have always been able
> >> to tune policy or alter a boolean; this one has me stumped!
> >>
> >> What I am trying to do: I am trying to deploy a simple, 3-line CGI
> >> script in /var/www/cgi-bin/. Runs fine with enforcement disabled (see
> >> output below). My custom policy for Apache (see below) comes from my
> >> EL6 environment.
> >>
> >> The normal setroubleshooting tools don't help, as there is only a single
> >> line in audit.log (of type=SELINUX_ERR).
> >>
> >> This is not happening on latest RHEL 6.9 ...
> >>
> >> Might be related to systemd? I don't see any "NoNewPrivileges"
> >> directives inside /etc/systemd/ though ... weird!
> >
> >
> > try grepping /usr/lib/systemd as well
> > also do you have "mod_selinux" enabled? because that requires a type bounds as well AFAIK
> 
> Dominick, I did find the "NoNewPrivileges" directive inside of
> /usr/lib/systemd/system/systemd-importd.service ... commented it out,
> rebooted just to be safe ... no luck ... same problem as before, same
> message in /var/log/audit/audit.log. Also tried changing the value from
> "Yes" to "No" and rebooting; that didn't help.

Yes, that only applies to systemd-importd (which I suppose no one uses, at least not with SELinux enabled).

> 
> $ curl localhost/cgi-bin/ok.cgi
> <html><head><title>500 Server Error</title></head><body><h1>Server
> Error</h1></body></html>
> 
> # tail /var/log/audit/audit.log | grep denied
> type=SELINUX_ERR msg=audit(1495473331.188:183):
> op=security_bounded_transition seresult=denied
> oldcontext=system_u:system_r:httpd_t:s0
> newcontext=system_u:system_r:httpd_sys_script_t:s0
> 
> Confirmed I do not have "mod_selinux" enabled ... this is a pretty
> vanilla deployment of RHEL 7 and Apache httpd.

Are you using any other "exotic"/non-default Apache modules? (I suppose not, since you already said it's pretty vanilla.)

> 
> Thanks!
> -chris
> 
> 
> 
> >>
> >> Many thanks for your help!
> >> -chris
> >>
> >>
> >> ########################################################################
> >> # With enforcement disabled ... all is good (as expected)
> >> ########################################################################
> >>
> >> # ls -laZ /var/www/cgi-bin/
> >> drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 .
> >> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 ..
> >> -rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 ok.cgi
> >>
> >> # setenforce 0
> >> # systemctl restart httpd.service
> >> $ curl localhost/cgi-bin/ok.cgi
> >> OK
> >>
> >>
> >> ########################################################################
> >> # With enforcement enabled ... CGI script fails, all you find is a
> >> # single deny in /var/log/audit/audit.log
> >> ########################################################################
> >>
> >> # setenforce 1
> >> # systemctl restart httpd.service
> >>
> >> # getenforce
> >> Enforcing
> >>
> >> $ curl localhost/cgi-bin/ok.cgi
> >> <html><head><title>500 Server Error</title></head><body><h1>Server
> >> Error</h1></body></html>
> >>
> >> # tail /var/log/audit/audit.log | grep denied
> >> type=SELINUX_ERR msg=audit(1495468154.591:121695):
> >> op=security_bounded_transition seresult=denied
> >> oldcontext=system_u:system_r:httpd_t:s0
> >> newcontext=system_u:system_r:httpd_sys_script_t:s0
> >>
> >>
> >> ########################################################################
> >> # System details ...
> >> ########################################################################
> >>
> >> # uname -r
> >> 3.10.0-514.16.1.el7.x86_64
> >>
> >> # cat /etc/redhat-release
> >> Red Hat Enterprise Linux Server release 7.3 (Maipo)
> >>
> >> # sestatus
> >> SELinux status:                 enabled
> >> SELinuxfs mount:                /sys/fs/selinux
> >> SELinux root directory:         /etc/selinux
> >> Loaded policy name:             targeted
> >> Current mode:                   enforcing
> >> Mode from config file:          enforcing
> >> Policy MLS status:              enabled
> >> Policy deny_unknown status:     allowed
> >> Max kernel policy version:      28
> >>
> >> # find /etc/ -type f | xargs grep NoNewPrivileges
> >> [NO OUTPUT]
> >>
> >> # getsebool -a | grep httpd_
> >> httpd_anon_write --> on
> >> httpd_builtin_scripting --> on
> >> httpd_can_check_spam --> off
> >> httpd_can_connect_ftp --> off
> >> httpd_can_connect_ldap --> off
> >> httpd_can_connect_mythtv --> off
> >> httpd_can_connect_zabbix --> off
> >> httpd_can_network_connect --> on
> >> httpd_can_network_connect_cobbler --> off
> >> httpd_can_network_connect_db --> on
> >> httpd_can_network_memcache --> off
> >> httpd_can_network_relay --> off
> >> httpd_can_sendmail --> on
> >> httpd_dbus_avahi --> on
> >> httpd_dbus_sssd --> off
> >> httpd_dontaudit_search_dirs --> off
> >> httpd_enable_cgi --> on
> >> httpd_enable_ftp_server --> off
> >> httpd_enable_homedirs --> off
> >> httpd_execmem --> off
> >> httpd_graceful_shutdown --> on
> >> httpd_manage_ipa --> off
> >> httpd_mod_auth_ntlm_winbind --> off
> >> httpd_mod_auth_pam --> off
> >> httpd_read_user_content --> on
> >> httpd_run_ipa --> off
> >> httpd_run_preupgrade --> off
> >> httpd_run_stickshift --> off
> >> httpd_serve_cobbler_files --> off
> >> httpd_setrlimit --> off
> >> httpd_ssi_exec --> off
> >> httpd_sys_script_anon_write --> off
> >> httpd_tmp_exec --> off
> >> httpd_tty_comm --> on
> >> httpd_unified --> on
> >> httpd_use_cifs --> off
> >> httpd_use_fusefs --> off
> >> httpd_use_gpg --> off
> >> httpd_use_nfs --> off
> >> httpd_use_openstack --> off
> >> httpd_use_sasl --> off
> >> httpd_verify_dns --> off
> >>
> >>
> >> # THIS IS MY GENERIC APACHE TE FILE FROM EL6 ...
> >>
> >> # cat myapache.te
> >> module myapache 0.4;
> >>
> >> require {
> >>     type httpd_t;
> >>     type httpd_sys_script_t;
> >>     type http_port_t;
> >>     type mysqld_port_t;
> >>     type rpm_var_cache_t;
> >>     type kernel_t;
> >>     class process { setpgid transition };
> >>     class system module_request;
> >>     class tcp_socket name_connect;
> >>     class dir { read search open getattr };
> >>     class file { open read getattr };
> >> }
> >>
> >> allow httpd_t rpm_var_cache_t:dir { read search open getattr };
> >> allow httpd_t rpm_var_cache_t:file { read getattr open };
> >> allow httpd_t mysqld_port_t:tcp_socket name_connect;
> >> allow httpd_sys_script_t self:process setpgid;
> >> allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
> >> allow httpd_sys_script_t kernel_t:system module_request;
> >>
> >> #type=SELINUX_ERR msg=audit(1495467001.822:84934):
> >> op=security_bounded_transition seresult=denied
> >> oldcontext=system_u:system_r:httpd_t:s0
> >> newcontext=system_u:system_r:httpd_sys_script_t:s0
> >> # THIS STILL DOES NOT WORK! SYSTEMD ISSUE?
> >> allow httpd_t httpd_sys_script_t:process transition;
> >>
> >>
> >>
> >

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
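A triage helper for the record in the thread, added here as an example and not part of the original exchange or of any project the thread mentions. It pulls the two types out of an `op=security_bounded_transition` audit record and lists the checks for what puts the exec into the "unsafe" path in which the kernel ignores the ordinary `allow ...:process transition` rule and requires a `typebounds` relationship instead. The unit name `httpd.service`, the CGI directory `/var/www/cgi-bin`, and the `SAMPLE_RECORD` (a constructed single-line copy of Chris's record; audit.log stores it on one line) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread above. Triage helper for an SELinux
# "op=security_bounded_transition seresult=denied" record such as the one
# in the thread (httpd_t -> httpd_sys_script_t on exec of a CGI script).
#
# Background: on exec, the SELinux LSM normally consults the
# "allow <old> <new>:process transition" rule. When the exec is flagged
# unsafe, because the caller has no_new_privs set (prctl(PR_SET_NO_NEW_PRIVS),
# which systemd's NoNewPrivileges=yes does), or on newer kernels because the
# file sits on a nosuid mount, it calls security_bounded_transition() instead,
# which only succeeds if policy declares "typebounds <old> <new>;". An ordinary
# allow rule, like the last line of myapache.te, cannot satisfy that check.
#
# Assumptions (not from the thread): unit name httpd.service, CGI directory
# /var/www/cgi-bin; SAMPLE_RECORD is a constructed one-line version of the
# record posted in the thread.

SAMPLE_RECORD='type=SELINUX_ERR msg=audit(1495473331.188:183): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:httpd_t:s0 newcontext=system_u:system_r:httpd_sys_script_t:s0'

# Print "<oldtype> <newtype>" for every denied bounded transition on stdin.
# The type is the third colon-separated field of a context, so MLS ranges
# such as s0-s0:c0.c1023 (which contain extra colons) are handled too.
audit_bounded_types() {
    grep 'op=security_bounded_transition' | grep 'seresult=denied' |
    sed -n 's/.*oldcontext=\([^ ]*\).*newcontext=\([^ ]*\).*/\1 \2/p' |
    awk '{ split($1, o, ":"); split($2, n, ":"); print o[3], n[3] }'
}

# The policy statement that would let the bounded transition succeed.
# Caveat: the policy compiler enforces that a bounded type holds no
# permission its parent lacks, so a module adding this may fail to build
# until every rule for the child type is also granted to the parent.
typebounds_stmt() {
    printf 'typebounds %s %s;\n' "$1" "$2"
}

# Live checks for what sets the "unsafe exec" flag. Run as root on the
# affected host; nothing here changes state.
live_checks() {
    unit=${1:-httpd.service}
    cgi_dir=${2:-/var/www/cgi-bin}

    echo "== ${unit}: explicit NoNewPrivileges= and SystemCallFilter= (which can imply it)"
    systemctl show "$unit" -p NoNewPrivileges -p SystemCallFilter

    echo "== unit files and drop-ins mentioning NoNewPrivileges (not only under /etc)"
    grep -rl NoNewPrivileges /etc/systemd /usr/lib/systemd 2>/dev/null

    echo "== no_new_privs bit on running httpd processes (status field exists on Linux 4.10+)"
    for p in $(pidof httpd); do
        grep '^NoNewPrivs' "/proc/$p/status" 2>/dev/null | sed "s/^/pid $p: /"
    done

    echo "== mount options for ${cgi_dir} (nosuid also forces the bounded check on newer kernels)"
    findmnt -n -o TARGET,OPTIONS -T "$cgi_dir"

    echo "== denied bounded transitions across all audit logs"
    ausearch -m SELINUX_ERR 2>/dev/null | audit_bounded_types | sort | uniq -c
}

# Demonstration on the constructed record; pass --live to run the host checks.
printf '%s\n' "$SAMPLE_RECORD" | audit_bounded_types
# -> httpd_t httpd_sys_script_t
printf '%s\n' "$SAMPLE_RECORD" | audit_bounded_types | while read -r old new; do
    echo "policy would need: $(typebounds_stmt "$old" "$new")"
done
if [ "${1:-}" = "--live" ]; then
    live_checks
fi
```

The point of the live checks is that `find /etc/ ... | xargs grep NoNewPrivileges` only covers one of the places the flag can come from: the shipped unit under /usr/lib/systemd, a drop-in, a sandboxing directive that implies it, or a nosuid mount on the script's filesystem all produce the same single SELINUX_ERR record and no AVC. Whether adding the `typebounds` line is acceptable is a separate policy question, since it constrains httpd_sys_script_t to a subset of httpd_t's permissions.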