---------- Forwarded Message ----------

Subject: Re: http AVC
Date: Thursday 02 December 2010, 17:21:25
From: Daniel J Walsh <dwalsh@redhat.com>
To: Tony Molloy <tony.molloy@ul.ie>


On 12/02/2010 12:15 PM, Tony Molloy wrote:
> On Thursday 02 December 2010 15:04:24 you wrote:
>> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>>> Hi,
>>>
>>> I'm running http on a fully updated Centos 5 system.
>>>
>>> httpd-2.2.3-43.el5.centos.3.x86_64
>>> selinux-policy-2.4.6-279.el5_5.2.noarch
>>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>>
>>> I'm trying to run a cgi script from a user directory.
>>>
>>> With SELinux enabled I get the following error.
>>>
>>> [Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8]
>>> (13)Permission denied: exec of '/usr/sbin/suexec' failed
>>> [Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8]
>>> Premature end of script headers: survey.cgi
>>>
>>> With SELinux in permissive mode I get the following AVC
>>>
>>> Summary:
>>>
>>> SELinux prevented httpd executing access to http files.
>>>
>>> Detailed Description:
>>>
>>> [SELinux is in permissive mode, the operation would have been denied but
>>> was permitted due to permissive mode.]
>>>
>>> SELinux prevented httpd executing access to http files. Ordinarily httpd
>>> is allowed full access to all files labeled with http file context. This
>>> machine has a tightened security policy with the httpd_unified turned
>>> off, this requires explicit labeling of all files. If a file is a cgi
>>> script it needs to be labeled with httpd_TYPE_script_exec_t in order to
>>> be executed. If it is read-only content, it needs to be labeled
>>> httpd_TYPE_content_t, it is writable content. it needs to be labeled
>>> httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon
>>> command to change these contexts. Please refer to the man page
>>> "man httpd_selinux" or FAQ (http://fedora.redhat.com/docs/selinux-apache-fc3)
>>> "TYPE" refers to one of "sys", "user" or "staff" or potentially other
>>> script types.
>>>
>>> Allowing Access:
>>>
>>> Changing the "httpd_unified" boolean to true will allow this access:
>>> "setsebool -P httpd_unified=1"
>>>
>>> The following command will allow this access:
>>>
>>> setsebool -P httpd_unified=1
>>>
>>> Raw Audit Messages
>>>
>>> host=a.b.c.d type=AVC msg=audit(1291296812.604:97588): avc: denied {
>>> execute_no_trans } for pid=5567 comm="httpd" path="/usr/sbin/suexec"
>>> dev=sda2 ino=1791541 scontext=system_u:system_r:httpd_t:s0
>>> tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file
>>>
>>> host=a.b.c.d type=SYSCALL msg=audit(1291296812.604:97588): arch=c000003e
>>> syscall=59 success=yes exit=0 a0=2abacad53449 a1=2abae3768e90
>>> a2=2abae37684d8 a3=0 items=0 ppid=789 pid=5567 auid=4294967295 uid=48
>>> gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none)
>>> ses=4294967295 comm="suexec" exe="/usr/sbin/suexec"
>>> subj=system_u:system_r:httpd_t:s0 key=(null)
>>>
>>> So it suggests "setsebool -P httpd_unified=1" will allow this access.
>>>
>>> However getsebool -a | grep http gives
>>> httpd_unified --> on
>>>
>>> So it is already on.
>>>
>>> Thanks,
>>>
>>> Tony
>>
>> Do you have httpd_suexec_disable_trans turned on?
>
> Yep
>
> getsebool -a | grep http
>
> httpd_suexec_disable_trans --> on
> httpd_enable_cgi --> on
>
> Tony
>

> Turn the httpd_suexec_disable_trans off
> setsebool -P httpd_suexec_disable_trans 0
> And I bet it will work

OK I'll try that, but I won't be able to test it until tomorrow morning.
I'll let you know what happens.

Thanks,

Tony

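The diagnosis the thread arrives at, as an added example that is not part of the original messages: parse the raw AVC record and the getsebool output Tony posted, and flag the httpd_t executing httpd_suexec_exec_t with execute_no_trans pattern when httpd_suexec_disable_trans is on, which is why setroubleshoot's httpd_unified suggestion was a red herring. The sample strings are constructed from the values quoted in the thread; the function names are my own.

```python
import re

# Constructed sample: the AVC record from the thread, joined onto one line.
SAMPLE_AVC = (
    'host=a.b.c.d type=AVC msg=audit(1291296812.604:97588): avc: denied '
    '{ execute_no_trans } for pid=5567 comm="httpd" path="/usr/sbin/suexec" '
    'dev=sda2 ino=1791541 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file'
)

# Constructed sample of the `getsebool -a | grep http` output quoted in the thread.
SAMPLE_BOOLS = """httpd_suexec_disable_trans --> on
httpd_enable_cgi --> on
httpd_unified --> on
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$')

def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC record,
    with the type component of scontext/tcontext split out for matching."""
    m = AVC_RE.search(line)
    if not m:
        return None  # not an AVC denial (e.g. the SYSCALL record)
    rec = {"perms": m.group("perms").split()}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("kv")):
        rec[key] = val.strip('"')
    for ctx in ("scontext", "tcontext"):
        rec[ctx + "_type"] = rec.get(ctx, "::").split(":")[2]
    return rec

def parse_booleans(text):
    """Turn getsebool's 'name --> on|off' lines into a dict of bools."""
    bools = {}
    for line in text.splitlines():
        name, sep, state = line.partition(" --> ")
        if sep:
            bools[name.strip()] = state.strip() == "on"
    return bools

def diagnose_suexec(rec, bools):
    """httpd_t running the suexec binary with execute_no_trans means the transition
    into httpd_suexec_t was skipped; if the boolean disabling it is on, turn it off."""
    if (rec["scontext_type"] == "httpd_t"
            and rec["tcontext_type"] == "httpd_suexec_exec_t"
            and "execute_no_trans" in rec["perms"]
            and bools.get("httpd_suexec_disable_trans")):
        return "setsebool -P httpd_suexec_disable_trans 0"
    return None
```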