Apache CGI scripts - how to run them cleanly

Lars Poulsen lpoulsen at afar.net
Tue May 4 19:03:28 UTC 2010 

I am trying to get my Fedora 12 systems to run cleanly with SELinux 
enabled. Previously I had just been running in permissive mode and 
mostly ignoring the alerts, but my ambition level has gone up!

After a few days of following up on every alert I saw by tweaking 
booleans and file context types appropriately, I am pleased with how 
few violations are being reported, but I am now getting to some that 
I cannot figure out, such as the one below.

It originates in a CGI script written in PERL. In my installations, 
the base of the website data is in /home/httpd rather than in 
/var/www; this choice is because I try to keep permanent data that 
should be kept across OS version updates out of the root filesystem, 
and the website is too small to merit a filesystem of its own. It 
does mean that I need to tweek a bunch of labels, such as
    * setsebool -P httpd_read_user_content 1
    * setsebool -P httpd_enable_home_dirs 1
    * setsebool -P httpd_read_user_content 1
    * setsebool -P samba_enable_home_dirs 1
    * setsebool -P use_samba_home_dirs 1
    * setsebool -P samba_export_all_rw 1
    *
    * chcon -R -t httpd_user_content_t /var/log/phone
    * chcon -R -t httpd_user_content_t /home/httpd/twiki/data
    * chcon -R -t httpd_sys_script_exec_t /home/httpd/twiki/bin
    * chcon -R -t httpd_sys_script_exec_t /home/httpd/cgi-bin
    * chcon -t httpd_sys_content_t /home/httpd
    * chcon -R -t httpd_sys_content_t /home/httpd/html
    * chcon -R -t httpd_user_content_t /home/sales/serial
    * chcon -R -t htppd_user_content_t /home/sales/leads
But the one that baffles me the most is this one, which comes up when 
I trigger the CGI script /home/httpd/cgi-bin/serial.cgi (written in PERL).

I *think* the "search" access is triggered when the script is launched.
SELinux says that / is labeled as user_home_dir_t, but this is not 
true; ls -Zd confirms that it is indeed labeled as root_t. And even 
if it were labeled user_homme_dir_t, should the boolean 
httpd_enable_home_dirs not make it allright ?

Any insights would be appreciated.

Lars Poulsen
Afar Communications
-------------------------------------------------------------------------------------------------------------------------
Summary:

SELinux is preventing /usr/bin/perl "search" access to /.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by serial.cgi. / may be a mislabeled. / default
SELinux type is root_t, but its current type is user_home_dir_t. Changing this
file back to the default type, may fix your problem.

File contexts can be assigned to a file in the following ways.

   * Files created in a directory receive the file context of the parent
     directory by default.
   * The SELinux policy might override the default label inherited from the
     parent directory by specifying a process running in context A 
which creates
     a file in a directory labeled B will instead create the file with label C.
     An example of this would be the dhcp client running with the 
dhclient_t type
     and creating a file in the directory /etc. This file would 
normally receive
     the etc_t type due to parental inheritance but instead the file is labeled
     with the net_conf_t type because the SELinux policy specifies this.
   * Users can change the file context on a file using tools such as chcon, or
     restorecon.

This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.

If you believe this is a bug, please file a bug report against this package.

Allowing Access:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/', if this file is a directory, you can
recursively restore using restorecon -R '/'.

Fix Command:

/sbin/restorecon '/'

Additional Information:

Source Context                system_u:system_r:httpd_sys_script_t:s0
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                / [ dir ]
Source                        serial.cgi
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          shadow.afar.net
Source RPM Packages           perl-5.10.0-87.fc12
Target RPM Packages           filesystem-2.4.30-2.fc12
Policy RPM                    selinux-policy-3.6.32-113.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   restorecon
Host Name                     shadow.afar.net
Platform                      Linux shadow.afar.net 2.6.32.11-99.fc12.i686.PAE
                               #1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686
Alert Count                   6
First Seen                    Tue 04 May 2010 10:27:30 AM PDT
Last Seen                     Tue 04 May 2010 11:15:28 AM PDT
Local ID                      6cee89bd-3559-4483-9802-fa2dc320bd26
Line Numbers

Raw Audit Messages

node=shadow.afar.net type=AVC msg=audit(1272996928.152:22292): 
avc:  denied  { search } for  pid=15632 comm="serial.cgi" name="/" 
dev=dm-7 ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

node=shadow.afar.net type=SYSCALL msg=audit(1272996928.152:22292): 
arch=40000003 syscall=5 success=yes exit=3 a0=8b6767c a1=8000 a2=0 
a3=0 items=0 ppid=31549 pid=15632 auid=4294967295 uid=48 gid=489 
euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) 
ses=4294967295 comm="serial.cgi" exe="/usr/bin/perl" 
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)

More information about the selinux mailing list