Apache CGI scripts - how to run them cleanly
Dominick Grift
domg472 at gmail.com
Tue May 4 19:21:25 UTC 2010
On Tue, May 04, 2010 at 12:03:28PM -0700, Lars Poulsen wrote:
> I am trying to get my Fedora 12 systems to run cleanly with SELinux
> enabled. Previously I had just been running in permissive mode and
> mostly ignoring the alerts, but my ambition level has gone up!
>
> After a few days of following up on every alert I saw by tweaking
> booleans and file context types appropriately, I am pleased with how
> few violations are being reported, but I am now getting to some that
> I cannot figure out, such as the one below.
>
> It originates in a CGI script written in PERL. In my installations,
> the base of the website data is in /home/httpd rather than in
> /var/www; this choice is because I try to keep permanent data that
> should be kept across OS version updates out of the root filesystem,
> and the website is too small to merit a filesystem of its own. It
> does mean that I need to tweak a bunch of labels, such as
> * setsebool -P httpd_read_user_content 1
> * setsebool -P httpd_enable_home_dirs 1
> * setsebool -P httpd_read_user_content 1
> * setsebool -P samba_enable_home_dirs 1
> * setsebool -P use_samba_home_dirs 1
> * setsebool -P samba_export_all_rw 1
> *
> * chcon -R -t httpd_user_content_t /var/log/phone
> * chcon -R -t httpd_user_content_t /home/httpd/twiki/data
> * chcon -R -t httpd_sys_script_exec_t /home/httpd/twiki/bin
> * chcon -R -t httpd_sys_script_exec_t /home/httpd/cgi-bin
> * chcon -t httpd_sys_content_t /home/httpd
> * chcon -R -t httpd_sys_content_t /home/httpd/html
> * chcon -R -t httpd_user_content_t /home/sales/serial
> * chcon -R -t htppd_user_content_t /home/sales/leads
> But the one that baffles me the most is this one, which comes up when
> I trigger the CGI script /home/httpd/cgi-bin/serial.cgi (written in PERL).
>
> I *think* the "search" access is triggered when the script is launched.
> SELinux says that / is labeled as user_home_dir_t, but this is not
> true; ls -Zd confirms that it is indeed labeled as root_t. And even
> if it were labeled user_home_dir_t, should the boolean
> httpd_enable_home_dirs not make it all right?
Did you mount a separate partition under /home or /home/*?
The AVC denial also shows the device in question. It may in fact be / on the mounted partition and not your main /.
I think a restorecon -R /home or /home/* should solve it though
>
> Any insights would be appreciated.
>
> Lars Poulsen
> Afar Communications
> -------------------------------------------------------------------------------------------------------------------------
> Summary:
>
> SELinux is preventing /usr/bin/perl "search" access to /.
>
> Detailed Description:
>
> [SELinux is in permissive mode. This access was not denied.]
>
> SELinux denied access requested by serial.cgi. / may be a mislabeled. / default
> SELinux type is root_t, but its current type is user_home_dir_t. Changing this
> file back to the default type, may fix your problem.
>
> File contexts can be assigned to a file in the following ways.
>
> * Files created in a directory receive the file context of the parent
> directory by default.
> * The SELinux policy might override the default label inherited from the
> parent directory by specifying a process running in context A which creates
> a file in a directory labeled B will instead create the file with label C.
> An example of this would be the dhcp client running with the dhclient_t type
> and creating a file in the directory /etc. This file would normally receive
> the etc_t type due to parental inheritance but instead the file is labeled
> with the net_conf_t type because the SELinux policy specifies this.
> * Users can change the file context on a file using tools such as chcon, or
> restorecon.
>
> This file could have been mislabeled either by user error, or if an normally
> confined application was run under the wrong domain.
>
> However, this might also indicate a bug in SELinux because the file should not
> have been labeled with this type.
>
> If you believe this is a bug, please file a bug report against this package.
>
> Allowing Access:
>
> You can restore the default system context to this file by executing the
> restorecon command. restorecon '/', if this file is a directory, you can
> recursively restore using restorecon -R '/'.
>
> Fix Command:
>
> /sbin/restorecon '/'
>
> Additional Information:
>
> Source Context system_u:system_r:httpd_sys_script_t:s0
> Target Context unconfined_u:object_r:user_home_dir_t:s0
> Target Objects / [ dir ]
> Source serial.cgi
> Source Path /usr/bin/perl
> Port <Unknown>
> Host shadow.afar.net
> Source RPM Packages perl-5.10.0-87.fc12
> Target RPM Packages filesystem-2.4.30-2.fc12
> Policy RPM selinux-policy-3.6.32-113.fc12
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Permissive
> Plugin Name restorecon
> Host Name shadow.afar.net
> Platform Linux shadow.afar.net 2.6.32.11-99.fc12.i686.PAE
> #1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686
> Alert Count 6
> First Seen Tue 04 May 2010 10:27:30 AM PDT
> Last Seen Tue 04 May 2010 11:15:28 AM PDT
> Local ID 6cee89bd-3559-4483-9802-fa2dc320bd26
> Line Numbers
>
> Raw Audit Messages
>
> node=shadow.afar.net type=AVC msg=audit(1272996928.152:22292):
> avc: denied { search } for pid=15632 comm="serial.cgi" name="/"
> dev=dm-7 ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
>
> node=shadow.afar.net type=SYSCALL msg=audit(1272996928.152:22292):
> arch=40000003 syscall=5 success=yes exit=3 a0=8b6767c a1=8000 a2=0
> a3=0 items=0 ppid=31549 pid=15632 auid=4294967295 uid=48 gid=489
> euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none)
> ses=4294967295 comm="serial.cgi" exe="/usr/bin/perl"
> subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
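The reply above hinges on reading the dev= and ino= fields of the raw AVC record rather than trusting name="/". The following is an added example, not code from the thread: it parses the AVC line quoted in the message and resolves the device to its mount point using a constructed mount table and a hypothetical dm-name map (the real host's layout is not on the page), showing that the "/" being denied is the root of the dm-7 filesystem.

```python
import re

# Constructed sample: the raw AVC record from the thread, reassembled onto one line.
AVC_LINE = (
    'node=shadow.afar.net type=AVC msg=audit(1272996928.152:22292): '
    'avc: denied { search } for pid=15632 comm="serial.cgi" name="/" '
    'dev=dm-7 ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir'
)

# Constructed mount table in the shape of /proc/mounts (hypothetical layout).
MOUNTS = """\
/dev/mapper/vg-root / ext4 rw,seclabel 0 0
/dev/mapper/vg-home /home ext4 rw,seclabel 0 0
"""

# Hypothetical map from the kernel block-device name used in audit dev= fields
# to the /dev/mapper path that appears in /proc/mounts.
DM_NAMES = {"dm-0": "/dev/mapper/vg-root", "dm-7": "/dev/mapper/vg-home"}


def parse_avc(line):
    """Extract key=value fields from an AVC record; quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    perms = re.search(r'denied\s+\{([^}]*)\}', line)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields


def mountpoint_for(dev, mounts=MOUNTS, dm_names=DM_NAMES):
    """Return the mount point whose backing device matches the audit dev= value."""
    dev_path = dm_names.get(dev, dev)
    for entry in mounts.splitlines():
        device, mountpoint = entry.split()[:2]
        if device == dev_path:
            return mountpoint
    return None


def explain(line):
    """Resolve name="/" to the actual directory and propose the relabel command."""
    avc = parse_avc(line)
    mp = mountpoint_for(avc["dev"])
    # ino=2 is the root inode of an ext filesystem, so name="/" means the root of
    # the filesystem on dev=, i.e. its mount point, not necessarily the system root.
    path = mp if (avc["name"] == "/" and mp is not None) else avc["name"]
    ttype = avc["tcontext"].split(":")[2]
    return {"path": path, "dev": avc["dev"], "inode": avc["ino"], "type": ttype,
            "perms": avc["perms"], "fix": "restorecon -R '%s'" % path}
```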