On Mon, 2017-05-22 at 15:05 -0400, Stephen Smalley wrote: > On Mon, 2017-05-22 at 14:45 -0400, Stephen Smalley wrote: > > On Mon, 2017-05-22 at 11:32 -0700, Chris O'Neil wrote: > > > On Mon, May 22, 2017 at 11:23 AM, Dominick Grift <dac.override@gm > > > ai > > > l. > > > com> wrote: > > > > On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley > > > > wrote: > > > > > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote: > > > > > > Hi, running latest RHEL 7.3 ... struggling with an SELinux > > > > > > issue > > > > > > related > > > > > > to Apache httpd that I just can't figure out. I have > > > > > > always > > > > > > been > > > > > > able > > > > > > to tune policy or alter a boolean, this one has me stumped! > > > > > > > > > > > > What I am trying to do: I am trying to deploy a simple, 3 > > > > > > line > > > > > > CGI > > > > > > script in /var/www/cgi-bin/. Runs fine with enforcement > > > > > > disabled > > > > > > (see > > > > > > output below). My custom policy for Apache (see below) > > > > > > comes > > > > > > from my > > > > > > EL6 environment. > > > > > > > > > > > > The normal setroubleshooting tools don't help, as there is > > > > > > only > > > > > > a > > > > > > single > > > > > > line in audit.log (of type=SELINUX_ERR) > > > > > > > > > > > > This is not happening on latest RHEL 6.9 ... > > > > > > > > > > > > Might be related to systemd? I don't see any > > > > > > "NoNewPrivileges" > > > > > > directives inside /etc/systemd/ though ... weird! > > > > > > > > > > Is the filesystem mounted nosuid? > > > > > > > > If selinux also uses that message for that scenario then i find > > > > that confusing since the message, to me, implies that the issue > > > > can > > > > be find by adding a type bounds, but i don't think that would > > > > work > > > > for nosuid mounted slices > > > > > > Stephen ... /var/www/ was mounted with the "nosuid" option. I > > > forgot > > > about that ... if I remember correctly, when "nosuid" is set on a > > > mounted FS, SELinux trans will fail under this condition. This > > > bit > > > me > > > before, years ago... and I forgot about it. > > > > I'm still puzzled though, because the transition shouldn't fail > > altogether; it should just fall back to staying in httpd_t instead > > of > > httpd_sys_script_t. You'd get the log message but then it would > > just > > proceed under the old domain. > > For example, on Fedora: > $ cat /var/www/cgi-bin/foo.cgi > #!/bin/sh > echo "Content-type: text/plain" > echo "" > id -Z > exit 0 > $ curl localhost/cgi-bin/foo.cgi > system_u:system_r:httpd_sys_script_t:s0 > $ sudo mount --bind /var/www /var/www > $ mount -o remount,nosuid,bind /var/www /var/www > $ sudo service httpd restart > $ curl localhost/cgi-bin/foo.cgi > system_u:system_r:httpd_t:s0 > $ sudo umount /var/www > $ sudo ausearch -m SELINUX_ERR,AVC -ts recent > time->Mon May 22 15:03:56 2017 > type=PROCTITLE msg=audit(1495479836.876:5483): > proctitle=2F62696E2F7368002F7661722F7777772F6367692D62696E2F666F6F2E6 > 36 > 769 > type=PATH msg=audit(1495479836.876:5483): item=2 name="/lib64/ld- > linux- > x86-64.so.2" inode=2623178 dev=fd:01 mode=0100755 ouid=0 ogid=0 > rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL > type=PATH msg=audit(1495479836.876:5483): item=1 name="/bin/sh" > inode=2646852 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL > type=PATH msg=audit(1495479836.876:5483): item=0 name="/var/www/cgi- > bin/foo.cgi" inode=538621 dev=fd:01 mode=0100755 ouid=0 ogid=0 > rdev=00:00 obj=unconfined_u:object_r:httpd_sys_script_exec_t:s0 > nametype=NORMAL > type=CWD msg=audit(1495479836.876:5483): cwd="/var/www/cgi-bin" > type=EXECVE msg=audit(1495479836.876:5483): argc=2 a0="/bin/sh" > a1="/var/www/cgi-bin/foo.cgi" > type=SYSCALL msg=audit(1495479836.876:5483): arch=c000003e syscall=59 > success=yes exit=0 a0=560095ae07e8 a1=560095ae3d00 a2=560095ae3d18 > a3=8 > items=3 ppid=10885 pid=10925 auid=4294967295 uid=48 gid=48 euid=48 > suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 > comm="foo.cgi" exe="/usr/bin/bash" subj=system_u:system_r:httpd_t:s0 > key=(null) > type=SELINUX_ERR msg=audit(1495479836.876:5483): > op=security_bounded_transition seresult=denied > oldcontext=system_u:system_r:httpd_t:s0 > newcontext=system_u:system_r:httpd_sys_script_t:s0 > > So I don't get a hard failure; it logs the error but just devolves to > staying in httpd_t. > > Can you reproduce the above on your RHEL7.3 system? Oh, I see - it will fail on the execute_no_trans permission check, since policy doesn't allow httpd_t to execute httpd_sys_script_exec_t without changing domains. So that's correct behavior. But you should have had an AVC message on that. Now I have to figure out why Fedora didn't deny it... > > > > > > Everything is working as expected now. If I want to mitigate > > > some > > > risk, and still use "nosuid" for /var/www/ .... I'll need to > > > split > > > /var/www/cgi-bin away from /var/www/ ... > > > > The other alternative would be to use typebounds, but that likely > > wouldn't be straightforward. > > > > > > > > Thank you both for your time and help > > > -chris