On Mon, May 22, 2017 at 08:23:50PM +0200, Dominick Grift wrote:
> On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > > Hi, running latest RHEL 7.3 ... struggling with an SELinux issue
> > > related
> > > to Apache httpd that I just can't figure out. I have always been
> > > able
> > > to tune policy or alter a boolean, this one has me stumped!
> > >
> > > What I am trying to do: I am trying to deploy a simple, 3 line CGI
> > > script in /var/www/cgi-bin/. Runs fine with enforcement disabled
> > > (see
> > > output below). My custom policy for Apache (see below) comes from my
> > > EL6 environment.
> > >
> > > The normal setroubleshooting tools don't help, as there is only a
> > > single
> > > line in audit.log (of type=SELINUX_ERR)
> > >
> > > This is not happening on latest RHEL 6.9 ...
> > >
> > > Might be related to systemd? I don't see any "NoNewPrivileges"
> > > directives inside /etc/systemd/ though ... weird!
> >
> > Is the filesystem mounted nosuid?
>
> If selinux also uses that message for that scenario then i find that confusing since the message, to me, implies that the issue can be find by adding a type bounds, but i don't think that would work for nosuid mounted slices
s/find/fixed
> >
> > >
> > > Many thanks for your help!
> > > -chris
> > >
> > >
> > > #####################################################################
> > > ###
> > > # With enforcement disabled ... all is good (as expected)
> > > #####################################################################
> > > ###
> > >
> > > # ls -laZ /var/www/cgi-bin/
> > > drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 .
> > > drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 ..
> > > -rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0
> > > ok.cgi
> > >
> > > # setenforce 0
> > > # systemctl restart httpd.service
> > > $ curl localhost/cgi-bin/ok.cgi
> > > OK
> > >
> > >
> > > #####################################################################
> > > ###
> > > # With enforcement enabled ... CGI script fails, all you find is a
> > > # single deny in /var/log/audit/audit.log
> > > #####################################################################
> > > ###
> > >
> > > # setenforce 1
> > > # systemctl restart httpd.service
> > >
> > > # getenforce
> > > Enforcing
> > >
> > > $ curl localhost/cgi-bin/ok.cgi
> > > <html><head><title>500 Server Error</title></head><body><h1>Server
> > > Error</h1></body></html>
> > >
> > > # tail /var/log/audit/audit.log | grep denied
> > > type=SELINUX_ERR msg=audit(1495468154.591:121695):
> > > op=security_bounded_transition seresult=denied
> > > oldcontext=system_u:system_r:httpd_t:s0
> > > newcontext=system_u:system_r:httpd_sys_script_t:s0
> > >
> > >
> > > #####################################################################
> > > ###
> > > # System details ...
> > > #####################################################################
> > > ###
> > >
> > > # uname -r
> > > 3.10.0-514.16.1.el7.x86_64
> > >
> > > # cat /etc/redhat-release
> > > Red Hat Enterprise Linux Server release 7.3 (Maipo)
> > >
> > > # sestatus
> > > SELinux status: enabled
> > > SELinuxfs mount: /sys/fs/selinux
> > > SELinux root directory: /etc/selinux
> > > Loaded policy name: targeted
> > > Current mode: enforcing
> > > Mode from config file: enforcing
> > > Policy MLS status: enabled
> > > Policy deny_unknown status: allowed
> > > Max kernel policy version: 28
> > >
> > > # find /etc/ -type f | xargs grep NoNewPrivileges
> > > [NO OUTPUT]
> > >
> > > # getsebool -a | grep httpd_
> > > httpd_anon_write --> on
> > > httpd_builtin_scripting --> on
> > > httpd_can_check_spam --> off
> > > httpd_can_connect_ftp --> off
> > > httpd_can_connect_ldap --> off
> > > httpd_can_connect_mythtv --> off
> > > httpd_can_connect_zabbix --> off
> > > httpd_can_network_connect --> on
> > > httpd_can_network_connect_cobbler --> off
> > > httpd_can_network_connect_db --> on
> > > httpd_can_network_memcache --> off
> > > httpd_can_network_relay --> off
> > > httpd_can_sendmail --> on
> > > httpd_dbus_avahi --> on
> > > httpd_dbus_sssd --> off
> > > httpd_dontaudit_search_dirs --> off
> > > httpd_enable_cgi --> on
> > > httpd_enable_ftp_server --> off
> > > httpd_enable_homedirs --> off
> > > httpd_execmem --> off
> > > httpd_graceful_shutdown --> on
> > > httpd_manage_ipa --> off
> > > httpd_mod_auth_ntlm_winbind --> off
> > > httpd_mod_auth_pam --> off
> > > httpd_read_user_content --> on
> > > httpd_run_ipa --> off
> > > httpd_run_preupgrade --> off
> > > httpd_run_stickshift --> off
> > > httpd_serve_cobbler_files --> off
> > > httpd_setrlimit --> off
> > > httpd_ssi_exec --> off
> > > httpd_sys_script_anon_write --> off
> > > httpd_tmp_exec --> off
> > > httpd_tty_comm --> on
> > > httpd_unified --> on
> > > httpd_use_cifs --> off
> > > httpd_use_fusefs --> off
> > > httpd_use_gpg --> off
> > > httpd_use_nfs --> off
> > > httpd_use_openstack --> off
> > > httpd_use_sasl --> off
> > > httpd_verify_dns --> off
> > >
> > >
> > > # THIS IS MY GENERIC APACHE TE FILE FROM EL6 ...
> > >
> > > # cat myapache.te
> > > module myapache 0.4;
> > >
> > > require {
> > > type httpd_t;
> > > type httpd_sys_script_t;
> > > type http_port_t;
> > > type mysqld_port_t;
> > > type rpm_var_cache_t;
> > > type kernel_t;
> > > class process { setpgid transition };
> > > class system module_request;
> > > class tcp_socket name_connect;
> > > class dir { read search open getattr };
> > > class file { open read getattr };
> > > }
> > >
> > > allow httpd_t rpm_var_cache_t:dir { read search open getattr };
> > > allow httpd_t rpm_var_cache_t:file { read getattr open } ;
> > > allow httpd_t mysqld_port_t:tcp_socket name_connect;
> > > allow httpd_sys_script_t self:process setpgid;
> > > allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
> > > allow httpd_sys_script_t kernel_t:system module_request;
> > >
> > > #type=SELINUX_ERR msg=audit(1495467001.822:84934):
> > > op=security_bounded_transition seresult=denied
> > > oldcontext=system_u:system_r:httpd_t:s0
> > > newcontext=system_u:system_r:httpd_sys_script_t:s0
> > > # THIS STILL DOES NOT WORK! SYSTEMD ISSUE?
> > > allow httpd_t httpd_sys_script_t:process transition;
> > >
> > >
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Attachment:
signature.asc
Description: PGP signature
