On Mon, 2017-05-22 at 15:30 -0400, Stephen Smalley wrote:
> On Mon, 2017-05-22 at 15:05 -0400, Stephen Smalley wrote:
> > On Mon, 2017-05-22 at 14:45 -0400, Stephen Smalley wrote:
> > > On Mon, 2017-05-22 at 11:32 -0700, Chris O'Neil wrote:
> > > > On Mon, May 22, 2017 at 11:23 AM, Dominick Grift <dac.override@gmail.com> wrote:
> > > > > On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> > > > > > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > > > > > > Hi, running latest RHEL 7.3 ... struggling with an SELinux issue
> > > > > > > related to Apache httpd that I just can't figure out. I have always
> > > > > > > been able to tune policy or alter a boolean, this one has me stumped!
> > > > > > >
> > > > > > > What I am trying to do: I am trying to deploy a simple, 3 line CGI
> > > > > > > script in /var/www/cgi-bin/. Runs fine with enforcement disabled (see
> > > > > > > output below). My custom policy for Apache (see below) comes from my
> > > > > > > EL6 environment.
> > > > > > >
> > > > > > > The normal setroubleshooting tools don't help, as there is only a
> > > > > > > single line in audit.log (of type=SELINUX_ERR)
> > > > > > >
> > > > > > > This is not happening on latest RHEL 6.9 ...
> > > > > > >
> > > > > > > Might be related to systemd? I don't see any "NoNewPrivileges"
> > > > > > > directives inside /etc/systemd/ though ... weird!
> > > > > >
> > > > > > Is the filesystem mounted nosuid?
> > > > >
> > > > > If selinux also uses that message for that scenario then I find that
> > > > > confusing since the message, to me, implies that the issue can be fixed
> > > > > by adding a typebounds, but I don't think that would work for nosuid
> > > > > mounted slices
> > > >
> > > > Stephen ... /var/www/ was mounted with the "nosuid" option. I forgot
> > > > about that ... if I remember correctly, when "nosuid" is set on a
> > > > mounted FS, SELinux trans will fail under this condition. This bit me
> > > > before, years ago... and I forgot about it.
> > >
> > > I'm still puzzled though, because the transition shouldn't fail
> > > altogether; it should just fall back to staying in httpd_t instead of
> > > httpd_sys_script_t. You'd get the log message but then it would just
> > > proceed under the old domain.
> >
> > For example, on Fedora:
> > $ cat /var/www/cgi-bin/foo.cgi
> > #!/bin/sh
> > echo "Content-type: text/plain"
> > echo ""
> > id -Z
> > exit 0
> > $ curl localhost/cgi-bin/foo.cgi
> > system_u:system_r:httpd_sys_script_t:s0
> > $ sudo mount --bind /var/www /var/www
> > $ mount -o remount,nosuid,bind /var/www /var/www
> > $ sudo service httpd restart
> > $ curl localhost/cgi-bin/foo.cgi
> > system_u:system_r:httpd_t:s0
> > $ sudo umount /var/www
> > $ sudo ausearch -m SELINUX_ERR,AVC -ts recent
> > time->Mon May 22 15:03:56 2017
> > type=PROCTITLE msg=audit(1495479836.876:5483): proctitle=2F62696E2F7368002F7661722F7777772F6367692D62696E2F666F6F2E636769
> > type=PATH msg=audit(1495479836.876:5483): item=2 name="/lib64/ld-linux-x86-64.so.2" inode=2623178 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
> > type=PATH msg=audit(1495479836.876:5483): item=1 name="/bin/sh" inode=2646852 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
> > type=PATH msg=audit(1495479836.876:5483): item=0 name="/var/www/cgi-bin/foo.cgi" inode=538621 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_script_exec_t:s0 nametype=NORMAL
> > type=CWD msg=audit(1495479836.876:5483): cwd="/var/www/cgi-bin"
> > type=EXECVE msg=audit(1495479836.876:5483): argc=2 a0="/bin/sh" a1="/var/www/cgi-bin/foo.cgi"
> > type=SYSCALL msg=audit(1495479836.876:5483): arch=c000003e syscall=59 success=yes exit=0 a0=560095ae07e8 a1=560095ae3d00 a2=560095ae3d18 a3=8 items=3 ppid=10885 pid=10925 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="foo.cgi" exe="/usr/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)
> > type=SELINUX_ERR msg=audit(1495479836.876:5483): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:httpd_t:s0 newcontext=system_u:system_r:httpd_sys_script_t:s0
> >
> > So I don't get a hard failure; it logs the error but just devolves to
> > staying in httpd_t.
> >
> > Can you reproduce the above on your RHEL7.3 system?
>
> Oh, I see - it will fail on the execute_no_trans permission check,
> since policy doesn't allow httpd_t to execute httpd_sys_script_exec_t
> without changing domains. So that's correct behavior. But you should
> have had an AVC message on that.

Sigh...it seems to be dontaudit'd in Fedora policy. semodule -DB would
have shown it.

> Now I have to figure out why Fedora didn't deny it...

Seems to have been cruft in the test environment; now working as
expected.

> > > > Everything is working as expected now. If I want to mitigate some
> > > > risk, and still use "nosuid" for /var/www/ .... I'll need to split
> > > > /var/www/cgi-bin away from /var/www/ ...
> > >
> > > The other alternative would be to use typebounds, but that likely
> > > wouldn't be straightforward.
> > > >
> > > > Thank you both for your time and help
> > > > -chris
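The thread's point is that a nosuid mount turns the httpd_t to httpd_sys_script_t transition into a silent fallback: the only trace is a SELINUX_ERR record with op=security_bounded_transition, and the follow-on AVC may be dontaudit'd. The script below is an added example (not from the thread or any of its participants) that groups raw audit records by their msg=audit serial and reports each denied bounded transition together with the executed path and the domain the process actually stayed in; the sample log is constructed from the Fedora records above, trimmed of a few fields.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's Fedora reproduction, with some fields trimmed.
SAMPLE_LOG = """\
type=PATH msg=audit(1495479836.876:5483): item=1 name="/bin/sh" inode=2646852 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
type=PATH msg=audit(1495479836.876:5483): item=0 name="/var/www/cgi-bin/foo.cgi" inode=538621 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_script_exec_t:s0 nametype=NORMAL
type=EXECVE msg=audit(1495479836.876:5483): argc=2 a0="/bin/sh" a1="/var/www/cgi-bin/foo.cgi"
type=SYSCALL msg=audit(1495479836.876:5483): arch=c000003e syscall=59 success=yes exit=0 items=3 ppid=10885 pid=10925 auid=4294967295 uid=48 gid=48 comm="foo.cgi" exe="/usr/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)
type=SELINUX_ERR msg=audit(1495479836.876:5483): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:httpd_t:s0 newcontext=system_u:system_r:httpd_sys_script_t:s0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # timestamp and event serial

def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    fields["_serial"] = m.group(2) if m else None
    return fields

def find_failed_transitions(log_text):
    """One summary per audit event whose SELINUX_ERR shows a denied bounded transition."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["_serial"]].append(rec)
    results = []
    for serial, recs in events.items():
        err = next((r for r in recs if r.get("type") == "SELINUX_ERR"
                    and r.get("op") == "security_bounded_transition"
                    and r.get("seresult") == "denied"), None)
        if err is None:
            continue
        syscall = next((r for r in recs if r.get("type") == "SYSCALL"), {})
        # PATH item=0 is the file handed to execve, i.e. the script that should have caused the transition.
        target = next((r["name"] for r in recs if r.get("type") == "PATH" and r.get("item") == "0"), None)
        results.append({
            "serial": serial,
            "pid": syscall.get("pid"),
            "comm": syscall.get("comm"),
            "executed": target,
            "stayed_in": err["oldcontext"],   # domain the process kept running in
            "intended": err["newcontext"],    # domain policy wanted it to enter
            "exec_succeeded": syscall.get("success") == "yes",
        })
    return results
```

Feed it raw audit.log text or un-interpreted ausearch output (without -i); lines that carry no msg=audit serial are grouped together and ignored.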