http AVC

Tony Molloy tony.molloy at ul.ie
Thu Dec 2 18:53:38 UTC 2010


On Thursday 02 December 2010 17:47:04 Daniel J Walsh wrote:
> On 12/02/2010 12:44 PM, Tony Molloy wrote:
> > On Thursday 02 December 2010 17:37:54 m.roth at 5-cent.us wrote:
> >> Tony Molloy wrote:
> >>> On Thursday 02 December 2010 15:56:59 m.roth at 5-cent.us wrote:
> >>>> Daniel J Walsh wrote:
> >>>>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
> >>>>>> Hi,
> >>>>>> 
> >>>>>> I'm running http on a fully updated Centos 5 system.
> >>>>>> 
> >>>>>> httpd-2.2.3-43.el5.centos.3.x86_64
> >>>>>> selinux-policy-2.4.6-279.el5_5.2.noarch
> >>>>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
> >>>>>> 
> >>>>>> I'm trying to run a cgi script from a user directory.
> >>>> 
> >>>> <MVNCH>
> >>>> 
> >>>>> Do you have httpd_suexec_disable_trans turned on?
> >>>> 
> >>>> Actually, what bothers me is trying to run a .cgi from a user's
> >>>> directory. Can't you create a directory ->under the apache
> >>>> <Directory><- that the
> >>>> users can put scripts in for testing? (I assume that once they're
> >>>> good, they go into the real production location for .cgi.)
> >>> 
> >>> Not so easily done ;-)
> >>> 
> >>> This is a University environment with several hundred faculty/students
> >>> wanting to use this server to run/check assignments. So they have ftp
> >>> accounts where they can upload any scripts to their public_html
> >>> directory and run them from there.
> >> 
> >> I figured it was something like that. What I was thinking was
> >> 
> >>    /var/www/html/public_cgi/<students' directories>
> >> 
> >> which would put them in a *legitimate* place for apache to be happy
> >> with, and which selinux would be happy with.
> >> 
> >> You *might* need to add them to a group named something like pubcgi, and
> >> make the above group acceptable to selinux and apache.
> >> 
> >>      mark
> > 
> > Interesting idea. I could give it a try next semester.
> > 
> > Thanks,
> > 
> > Tony
> 
> It should not be necessary.  public_html labeled correctly will work.
> The problem you are seeing is that this boolean was set causing suexec
> to not work.


Ok I spoke too soon.

Current situation:

httpd booleans
--------------

[root at garryowen ~]# getsebool -a | grep http
allow_httpd_anon_write --> on
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_cvs_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
    allow_httpd_sys_script_anon_write --> on
httpd_builtin_scripting --> on
httpd_can_network_connect --> on
httpd_can_network_connect_db --> off
httpd_can_network_relay --> on
httpd_can_sendmail --> on
httpd_disable_trans --> off
    httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_read_user_content --> off
httpd_rotatelogs_disable_trans --> off
httpd_ssi_exec --> off
    httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
    httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off


SELinux contexts
----------------

cd /var/pub/ftp

user directory

drwxr-xr-x  healyp   ftpgrp root:object_r:public_content_rw_t healyp

cd healyp

drwxr-xr-x  healyp   ftpgrp root:object_r:public_content_rw_t public_html
                                          ^^^^^^
cd public_html

drwxr-xr-x  healyp   ftpgrp root:object_r:httpd_sys_script_exec_t cgi-bin
                                                ^^^
cd cgi-bin

-rwxr-xr-x  healyp   ftpgrp root:object_r:httpd_sys_script_exec_t survey.cgi
                                                ^^^

Do these look correct?

Now when I switch SELinux to enforcing it doesn't work; when I switch it to
permissive I get a different AVC.


[SELinux is in permissive mode, the operation would have been denied but was 
permitted due to permissive mode.]

SELinux denied access requested by suexec. It is not expected that this access 
is required by suexec and this access may signal an intrusion attempt. It is 
also possible that the specific version or configuration of the application is 
causing it to require additional access. 

Allowing Access

Sometimes labeling problems can cause SELinux denials. You could try to 
restore the default system file context for ./ftp,

 restorecon -v './ftp' 

If this does not work, there is currently no automatic way to allow this 
access. Instead, you can generate a local policy module to allow this access - 
see FAQ Or you can disable SELinux protection altogether. Disabling SELinux 
protection is not recommended. Please file a bug report against this package. 


Raw Audit Messages :

host=garryowen.x.y.z type=AVC msg=audit(1291315633.784:98283): avc: denied { 
search } for pid=8199 comm="suexec" name="ftp" dev=sda5 ino=65537 
scontext=system_u:system_r:httpd_suexec_t:s0 
tcontext=system_u:object_r:public_content_t:s0 tclass=dir

host=garryowen.x.y.z type=AVC msg=audit(1291315633.784:98283): avc: denied { 
search } for pid=8199 comm="suexec" name="healyp" dev=sda10 ino=9638241 
scontext=system_u:system_r:httpd_suexec_t:s0 
tcontext=root:object_r:public_content_rw_t:s0 tclass=dir 

host=garryowen.x.y.z type=SYSCALL msg=audit(1291315633.784:98283): 
arch=c000003e syscall=80 success=yes exit=0 a0=2b86038ddde0 a1=1000 a2=0 a3=0 
items=0 ppid=789 pid=8199 auid=4294967295 uid=734 gid=803 euid=734 suid=734 
fsuid=734 egid=803 sgid=803 fsgid=803 tty=(none) ses=4294967295 comm="suexec" 
exe="/usr/sbin/suexec" subj=system_u:system_r:httpd_suexec_t:s0 key=(null) 



Now I can generate a local policy to allow access.

Thanks,

Tony
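As an added example, not part of this thread, here is a small Python parser for raw audit records like the ones pasted above: it joins the AVC records to the SYSCALL record of the same event via the serial in msg=audit(...), lists the permission refused on each directory together with that directory's type, and flags that success=yes next to a denial is the permissive-mode signature (the access would fail in enforcing). The sample records are constructed from the post, with the SYSCALL line trimmed to the fields used.

```python
import re
from collections import defaultdict

# Constructed sample: the audit records quoted in the post, one per line (SYSCALL trimmed).
SAMPLE_AUDIT = """\
host=garryowen.x.y.z type=AVC msg=audit(1291315633.784:98283): avc: denied { search } for pid=8199 comm="suexec" name="ftp" dev=sda5 ino=65537 scontext=system_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=dir
host=garryowen.x.y.z type=AVC msg=audit(1291315633.784:98283): avc: denied { search } for pid=8199 comm="suexec" name="healyp" dev=sda10 ino=9638241 scontext=system_u:system_r:httpd_suexec_t:s0 tcontext=root:object_r:public_content_rw_t:s0 tclass=dir
host=garryowen.x.y.z type=SYSCALL msg=audit(1291315633.784:98283): arch=c000003e syscall=80 success=yes exit=0 ppid=789 pid=8199 auid=4294967295 uid=734 gid=803 euid=734 comm="suexec" exe="/usr/sbin/suexec" subj=system_u:system_r:httpd_suexec_t:s0 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')                  # key=value or key="quoted value"
PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')      # (timestamp, serial)

def parse_record(line):
    """One audit line -> dict of its fields; None if the line carries no audit event id."""
    ev = EVENT_RE.search(line)
    if not ev:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["event"] = ev.group(2)  # serial shared by the AVC and SYSCALL records of one event
    m = PERMS_RE.search(line)
    if m:
        rec["verdict"], rec["perms"] = m.group(1), m.group(2).split()
    return rec

def selinux_type(ctx):
    """user:role:type[:level] -> type."""
    return ctx.split(":")[2] if ctx.count(":") >= 2 else ctx

def correlate(audit_text):
    """Group AVC denials with the SYSCALL record of the same event and summarise each event."""
    avcs, syscalls = defaultdict(list), {}
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("type") == "AVC" and rec.get("verdict") == "denied":
            avcs[rec["event"]].append(rec)
        elif rec and rec.get("type") == "SYSCALL":
            syscalls[rec["event"]] = rec
    report = []
    for event, recs in sorted(avcs.items()):
        sc = syscalls.get(event, {})
        # A denial whose syscall still reports success=yes was let through by permissive mode.
        report.append({"event": event, "exe": sc.get("exe", "?"), "uid": sc.get("uid", "?"),
                       "source_type": selinux_type(recs[0]["scontext"]),
                       "permissive_allowed": sc.get("success") == "yes",
                       "denied": [(" ".join(a["perms"]), a["tclass"], a.get("name", "?"),
                                   selinux_type(a["tcontext"])) for a in recs]})
    return report
```

Run over the sample it reports one event: httpd_suexec_t (uid 734, /usr/sbin/suexec) refused search on the directories ftp (public_content_t) and healyp (public_content_rw_t), i.e. the path components above public_html, not the cgi-bin contents themselves.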