---------- Forwarded Message ----------
Subject: Re: http AVC
Date: Thursday 02 December 2010, 17:21:25
From: Daniel J Walsh <dwalsh(a)redhat.com>
To: Tony Molloy <tony.molloy(a)ul.ie>
On 12/02/2010 12:15 PM, Tony Molloy wrote:
On Thursday 02 December 2010 15:04:24 you wrote:
> On 12/02/2010 09:35 AM, Tony Molloy wrote:
>> Hi,
>>
>> I'm running http on a fully updated Centos 5 system.
>>
>> httpd-2.2.3-43.el5.centos.3.x86_64
>> selinux-policy-2.4.6-279.el5_5.2.noarch
>> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>>
>>
>> I'm trying to run a cgi script from a user directory.
>>
>> With SELinux enabled I get the following error.
>>
>> [Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8]
>>
>> (13)Permission denied: exec of '/usr/sbin/suexec' failed
>>
>> [Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8]
>>
>> Premature end of script headers: survey.cgi
>>
>> With SELinux in permissive mode I get the following AVC
>>
>> Summary:
>>
>> SELinux prevented httpd executing access to http files.
>>
>> Detailed Description:
>>
>> [SELinux is in permissive mode, the operation would have been denied but
>> was permitted due to permissive mode.]
>>
>> SELinux prevented httpd executing access to http files. Ordinarily httpd
>> is allowed full access to all files labeled with http file context. This
>> machine has a tightened security policy with the httpd_unified turned
>> off, this requires explicit labeling of all files. If a file is a cgi
>> script it needs to be labeled with httpd_TYPE_script_exec_t in order to be
>> executed. If it is read-only content, it needs to be labeled
>> httpd_TYPE_content_t, it is writable content. it needs to be labeled
>> httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon
>> command to change these contexts. Please refer to the man page
>> "man httpd_selinux" or FAQ (http://fedora.redhat.com/docs/selinux-apache-fc3)
>> "TYPE" refers to one of "sys", "user" or "staff" or potentially other
>> script types.
>>
>> Allowing Access:
>>
>> Changing the "httpd_unified" boolean to true will allow this access:
>> "setsebool -P httpd_unified=1"
>>
>> The following command will allow this access:
>>
>> setsebool -P httpd_unified=1
>> Raw Audit Messages
>>
>> host=a.b.c.d type=AVC msg=audit(1291296812.604:97588): avc: denied {
>> execute_no_trans } for pid=5567 comm="httpd" path="/usr/sbin/suexec"
>> dev=sda2 ino=1791541 scontext=system_u:system_r:httpd_t:s0
>> tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file
>>
>> host=a.b.c.d type=SYSCALL msg=audit(1291296812.604:97588): arch=c000003e
>> syscall=59 success=yes exit=0 a0=2abacad53449 a1=2abae3768e90
>> a2=2abae37684d8 a3=0 items=0 ppid=789 pid=5567 auid=4294967295 uid=48
>> gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none)
>> ses=4294967295 comm="suexec" exe="/usr/sbin/suexec"
>> subj=system_u:system_r:httpd_t:s0 key=(null)
>>
>>
>> So it suggests "setsebool -P httpd_unified=1" will allow this access.
>>
>> However getsebool -a | grep http gives
>> httpd_unified --> on
>>
>> So it is already on.
>>
>>
>> Thanks,
>>
>> Tony
>
> Do you have httpd_suexec_disable_trans turned on?
Yep
getsebool -a | grep http
httpd_suexec_disable_trans --> on
httpd_enable_cgi --> on
Tony
>
Turn the httpd_suexec_disable_trans off
setsebool -P httpd_suexec_disable_trans 0
And I bet it will work
OK I'll try that, but I won't be able to test it until tomorrow morning.
I'll let you know what happens.
Thanks,
Tony
-----------------------------------------
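As an added example, not part of the thread, a small POSIX shell helper that pulls the permission and source/target types out of the AVC record Tony posted and, given getsebool output, flags the httpd_suexec_disable_trans case Dan points at. The audit line and boolean listing are copied from the messages; the function names (avc_field, ctx_type, bool_state, diagnose) are my own and nothing here touches a live system.

```shell
#!/bin/sh
# Added example, not from the thread: read the fields of an AVC record like the
# one quoted above and check it against getsebool output for the boolean Dan
# points at. Sample data is copied from the messages; nothing touches a live system.
# Raw AVC line as posted (joined onto one line).
AVC_SAMPLE='host=a.b.c.d type=AVC msg=audit(1291296812.604:97588): avc: denied { execute_no_trans } for pid=5567 comm="httpd" path="/usr/sbin/suexec" dev=sda2 ino=1791541 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file'

# getsebool output as Tony reported it (constructed from his two replies).
BOOLS_SAMPLE='httpd_suexec_disable_trans --> on
httpd_enable_cgi --> on
httpd_unified --> on'

# avc_field RECORD KEY: value of KEY=... in the record, surrounding quotes dropped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perm RECORD: the permission named inside "{ ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([a-z_]*\) *}.*/\1/p'
}

# ctx_type CONTEXT: the type field (third colon-separated component).
ctx_type() {
    t=${1#*:*:}
    printf '%s\n' "${t%%:*}"
}

# bool_state GETSEBOOL_OUTPUT NAME: on, off, or unknown.
bool_state() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $3; f=1 } END { if (!f) print "unknown" }'
}

# diagnose RECORD GETSEBOOL_OUTPUT: returns 0 and names the fix when the record
# is httpd_t denied execute_no_trans on suexec with the transition disabled.
diagnose() {
    perm=$(avc_perm "$1")
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    if [ "$perm" = execute_no_trans ] && [ "$stype" = httpd_t ] \
        && [ "$ttype" = httpd_suexec_exec_t ] \
        && [ "$(bool_state "$2" httpd_suexec_disable_trans)" = on ]; then
        echo "suexec-no-transition: httpd_suexec_disable_trans is on; run: setsebool -P httpd_suexec_disable_trans 0"
        return 0
    fi
    echo "no-match: $stype -> $ttype ($perm)"
    return 1
}

diagnose "$AVC_SAMPLE" "$BOOLS_SAMPLE"
```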