Apache CGI scripts - how to run them cleanly

Dominick Grift domg472 at gmail.com
Tue May 4 19:21:25 UTC 2010


On Tue, May 04, 2010 at 12:03:28PM -0700, Lars Poulsen wrote:
> I am trying to get my Fedora 12 systems to run cleanly with SELinux 
> enabled. Previously I had just been running in permissive mode and 
> mostly ignoring the alerts, but my ambition level has gone up!
> 
> After a few days of following up on every alert I saw by tweaking 
> booleans and file context types appropriately, I am pleased with how 
> few violations are being reported, but I am now getting to some that 
> I cannot figure out, such as the one below.
> 
> It originates in a CGI script written in PERL. In my installations, 
> the base of the website data is in /home/httpd rather than in 
> /var/www; this choice is because I try to keep permanent data that 
> should be kept across OS version updates out of the root filesystem, 
> and the website is too small to merit a filesystem of its own. It 
> does mean that I need to tweak a bunch of labels, such as
>     * setsebool -P httpd_read_user_content 1
>     * setsebool -P httpd_enable_home_dirs 1
>     * setsebool -P httpd_read_user_content 1
>     * setsebool -P samba_enable_home_dirs 1
>     * setsebool -P use_samba_home_dirs 1
>     * setsebool -P samba_export_all_rw 1
> 
>     * chcon -R -t httpd_user_content_t /var/log/phone
>     * chcon -R -t httpd_user_content_t /home/httpd/twiki/data
>     * chcon -R -t httpd_sys_script_exec_t /home/httpd/twiki/bin
>     * chcon -R -t httpd_sys_script_exec_t /home/httpd/cgi-bin
>     * chcon -t httpd_sys_content_t /home/httpd
>     * chcon -R -t httpd_sys_content_t /home/httpd/html
>     * chcon -R -t httpd_user_content_t /home/sales/serial
>     * chcon -R -t htppd_user_content_t /home/sales/leads
> But the one that baffles me the most is this one, which comes up when 
> I trigger the CGI script /home/httpd/cgi-bin/serial.cgi (written in PERL).
> 
> I *think* the "search" access is triggered when the script is launched.
> SELinux says that / is labeled as user_home_dir_t, but this is not 
> true; ls -Zd confirms that it is indeed labeled as root_t. And even 
> if it were labeled user_home_dir_t, should the boolean 
> httpd_enable_home_dirs not make it all right?

Did you mount a separate partition under /home or /home/*?

The AVC denial also shows the device in question. It may in fact be / on the mounted partition and not your main /.
I think a restorecon -R /home or /home/* should solve it though.

> 
> Any insights would be appreciated.
> 
> Lars Poulsen
> Afar Communications
> -------------------------------------------------------------------------------------------------------------------------
> Summary:
> 
> SELinux is preventing /usr/bin/perl "search" access to /.
> 
> Detailed Description:
> 
> [SELinux is in permissive mode. This access was not denied.]
> 
> SELinux denied access requested by serial.cgi. / may be a mislabeled. / default
> SELinux type is root_t, but its current type is user_home_dir_t. Changing this
> file back to the default type, may fix your problem.
> 
> File contexts can be assigned to a file in the following ways.
> 
>    * Files created in a directory receive the file context of the parent
>      directory by default.
>    * The SELinux policy might override the default label inherited from the
>      parent directory by specifying a process running in context A which creates
>      a file in a directory labeled B will instead create the file with label C.
>      An example of this would be the dhcp client running with the dhclient_t type
>      and creating a file in the directory /etc. This file would normally receive
>      the etc_t type due to parental inheritance but instead the file is labeled
>      with the net_conf_t type because the SELinux policy specifies this.
>    * Users can change the file context on a file using tools such as chcon, or
>      restorecon.
> 
> This file could have been mislabeled either by user error, or if an normally
> confined application was run under the wrong domain.
> 
> However, this might also indicate a bug in SELinux because the file should not
> have been labeled with this type.
> 
> If you believe this is a bug, please file a bug report against this package.
> 
> Allowing Access:
> 
> You can restore the default system context to this file by executing the
> restorecon command. restorecon '/', if this file is a directory, you can
> recursively restore using restorecon -R '/'.
> 
> Fix Command:
> 
> /sbin/restorecon '/'
> 
> Additional Information:
> 
> Source Context                system_u:system_r:httpd_sys_script_t:s0
> Target Context                unconfined_u:object_r:user_home_dir_t:s0
> Target Objects                / [ dir ]
> Source                        serial.cgi
> Source Path                   /usr/bin/perl
> Port                          <Unknown>
> Host                          shadow.afar.net
> Source RPM Packages           perl-5.10.0-87.fc12
> Target RPM Packages           filesystem-2.4.30-2.fc12
> Policy RPM                    selinux-policy-3.6.32-113.fc12
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Permissive
> Plugin Name                   restorecon
> Host Name                     shadow.afar.net
> Platform                      Linux shadow.afar.net 2.6.32.11-99.fc12.i686.PAE
>                                #1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686
> Alert Count                   6
> First Seen                    Tue 04 May 2010 10:27:30 AM PDT
> Last Seen                     Tue 04 May 2010 11:15:28 AM PDT
> Local ID                      6cee89bd-3559-4483-9802-fa2dc320bd26
> Line Numbers
> 
> Raw Audit Messages
> 
> node=shadow.afar.net type=AVC msg=audit(1272996928.152:22292): avc:  denied  { search } for  pid=15632 comm="serial.cgi" name="/" dev=dm-7 ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
> 
> node=shadow.afar.net type=SYSCALL msg=audit(1272996928.152:22292): arch=40000003 syscall=5 success=yes exit=3 a0=8b6767c a1=8000 a2=0 a3=0 items=0 ppid=31549 pid=15632 auid=4294967295 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="serial.cgi" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
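To follow the advice above of reading the device out of the raw AVC record rather than trusting the setroubleshoot "restorecon '/'" suggestion, here is an added Python example (not from the thread) that parses the audit line quoted above, maps its dev= value to a mount point, and proposes the restorecon target. The /proc/mounts excerpt and the dm-7 to vg-home name mapping are constructed assumptions.

```python
import os
import re

# The raw AVC record quoted in the thread, joined onto one line.
SAMPLE_AVC = ('node=shadow.afar.net type=AVC msg=audit(1272996928.152:22292): '
              'avc:  denied  { search } for  pid=15632 comm="serial.cgi" name="/" '
              'dev=dm-7 ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0 '
              'tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir')

# Constructed /proc/mounts excerpt (assumption: /home is a separate LV on dm-7).
SAMPLE_MOUNTS = """\
/dev/mapper/vg-root / ext4 rw,relatime 0 0
/dev/mapper/vg-home /home ext4 rw,relatime 0 0
"""
# Constructed dm-N -> dm name table (on a live box: /sys/block/dm-N/dm/name).
SAMPLE_DM_NAMES = {"dm-6": "vg-root", "dm-7": "vg-home"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of an AVC record as a dict, quotes stripped."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = re.search(r'\{\s*([^}]*?)\s*\}', line)
    fields['perms'] = m.group(1).split() if m else []
    return fields

def resolve_device(dev, mounts_text, dm_names):
    """Map an audit dev= value such as dm-7 to its mount point, or None."""
    target = dm_names.get(dev, dev)
    for entry in mounts_text.splitlines():
        parts = entry.split()
        if len(parts) < 2:
            continue
        source, mountpoint = parts[0], parts[1]
        if source == dev or os.path.basename(source) == target:
            return mountpoint
    return None

def explain_denial(line, mounts_text=SAMPLE_MOUNTS, dm_names=SAMPLE_DM_NAMES):
    """Locate the object an AVC denial really names and suggest the relabel target."""
    f = parse_avc(line)
    mp = resolve_device(f.get('dev', ''), mounts_text, dm_names)
    # name="/" is relative to the filesystem on dev=; on ext2/3/4 the root
    # directory is always inode 2, so ino=2 marks that filesystem's mount point.
    fs_root = f.get('ino') == '2' and f.get('name') == '/'
    return {'perms': f['perms'], 'dev': f.get('dev'), 'mountpoint': mp,
            'tcontext': f.get('tcontext'), 'is_fs_root': fs_root,
            'fix': f'restorecon -R {mp}' if mp and fs_root else None}
```

With the constructed tables the record resolves to /home labeled user_home_dir_t, so the relabel belongs on the /home mount, not on the system root.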