---------- Forwarded Message ----------
Subject: Re: http AVC
Date: Thursday 02 December 2010, 17:21:25
From: Daniel J Walsh dwalsh@redhat.com
To: Tony Molloy tony.molloy@ul.ie
On 12/02/2010 12:15 PM, Tony Molloy wrote:
On Thursday 02 December 2010 15:04:24 you wrote:
On 12/02/2010 09:35 AM, Tony Molloy wrote:
Hi,
I'm running http on a fully updated Centos 5 system.
httpd-2.2.3-43.el5.centos.3.x86_64
selinux-policy-2.4.6-279.el5_5.2.noarch
selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
I'm trying to run a cgi script from a user directory.
With SELinux enabled I get the following error.
[Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8]
(13)Permission denied: exec of '/usr/sbin/suexec' failed
[Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8]
Premature end of script headers: survey.cgi
With SELinux in permissive mode I get the following AVC
Summary:
SELinux prevented httpd executing access to http files.
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux prevented httpd executing access to http files. Ordinarily httpd is allowed full access to all files labeled with http file context. This machine has a tightened security policy with the httpd_unified turned off, this requires explicit labeling of all files. If a file is a cgi script it needs to be labeled with httpd_TYPE_script_exec_t in order to be executed. If it is read-only content, it needs to be labeled httpd_TYPE_content_t, it is writable content. it needs to be labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon command to change these contexts. Please refer to the man page "man httpd_selinux" or FAQ (http://fedora.redhat.com/docs/selinux-apache-fc3) "TYPE" refers to one of "sys", "user" or "staff" or potentially other script types.
Allowing Access:
Changing the "httpd_unified" boolean to true will allow this access: "setsebool -P httpd_unified=1"
The following command will allow this access:
setsebool -P httpd_unified=1
Raw Audit Messages
host=a.b.c.d type=AVC msg=audit(1291296812.604:97588): avc: denied { execute_no_trans } for pid=5567 comm="httpd" path="/usr/sbin/suexec" dev=sda2 ino=1791541 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file
host=a.b.c.d type=SYSCALL msg=audit(1291296812.604:97588): arch=c000003e syscall=59 success=yes exit=0 a0=2abacad53449 a1=2abae3768e90 a2=2abae37684d8 a3=0 items=0 ppid=789 pid=5567 auid=4294967295 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="suexec" exe="/usr/sbin/suexec" subj=system_u:system_r:httpd_t:s0 key=(null)
So it suggests "setsebool -P httpd_unified=1" will allow this access.
However getsebool -a | grep http gives httpd_unified --> on
So it is already on.
Thanks,
Tony
Do you have httpd_suexec_disable_trans turned on?
Yep
getsebool -a | grep http
httpd_suexec_disable_trans --> on
httpd_enable_cgi --> on
Tony
Turn the httpd_suexec_disable_trans off
setsebool -P httpd_suexec_disable_trans 0
And I bet it will work.
OK I'll try that, but I won't be able to test it until tomorrow morning. I'll let you know what happens.
Thanks,
Tony
-----------------------------------------
selinux@lists.fedoraproject.org
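The thread shows setroubleshoot pointing at the wrong boolean (httpd_unified) while the raw AVC already carries the real clue: an execute_no_trans denial from httpd_t on an *_exec_t entrypoint means httpd tried to run suexec in its own domain instead of transitioning, which is what httpd_suexec_disable_trans=on causes. The following parser, an added example that is not part of the original mail thread, pulls the fields out of the quoted AVC record and reports that hint; the mapping from entrypoint type to boolean name is an illustrative assumption built from the one case on this page.

```python
import re
import shlex

# Sample input: the AVC record quoted in the thread (host= field dropped).
AVC_LINE = (
    'type=AVC msg=audit(1291296812.604:97588): avc: denied { execute_no_trans } '
    'for pid=5567 comm="httpd" path="/usr/sbin/suexec" dev=sda2 ino=1791541 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file'
)

# Assumed mapping for this example: entrypoint type -> the "disable_trans"
# boolean that, when on, keeps httpd in its own domain when executing it.
DISABLE_TRANS_BOOLEANS = {
    "httpd_suexec_exec_t": "httpd_suexec_disable_trans",
}

def parse_avc(line):
    """Split an audit AVC record into result, permission set and key=value fields."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC record")
    fields = {"result": m.group(1), "perms": set(m.group(2).split())}
    for tok in shlex.split(m.group(3)):  # shlex drops the quotes around comm= and path=
        key, _, val = tok.partition("=")
        fields[key] = val
    return fields

def selinux_type(context):
    """Return the type component (third field) of a user:role:type:level context."""
    return context.split(":")[2]

def diagnose(fields):
    """Explain an execute_no_trans denial on an *_exec_t entrypoint file."""
    stype = selinux_type(fields["scontext"])
    ttype = selinux_type(fields["tcontext"])
    if (fields["tclass"] == "file" and "execute_no_trans" in fields["perms"]
            and ttype.endswith("_exec_t")):
        boolean = DISABLE_TRANS_BOOLEANS.get(ttype)
        hint = (f"check 'getsebool {boolean}'; if on, run 'setsebool -P {boolean} 0'"
                if boolean else "a domain transition on this entrypoint is disabled")
        return (f"{stype} executed {fields['path']} ({ttype}) without a domain "
                f"transition; {hint}")
    return "no transition-related hint"

if __name__ == "__main__":
    print(diagnose(parse_avc(AVC_LINE)))
```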