http AVC

Daniel J Walsh dwalsh at redhat.com
Thu Dec 2 15:04:24 UTC 2010 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/02/2010 09:35 AM, Tony Molloy wrote:
> 
> Hi,
> 
> I'm running http on a fully updated Centos 5 system.
> 
> httpd-2.2.3-43.el5.centos.3.x86_64
> selinux-policy-2.4.6-279.el5_5.2.noarch
> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
> 
> 
> I'm trying to run a cgi script from a user directory.
> 
> With SELinux enabled I get the following error.
> 
> [Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8]
>    (13)Permission denied: exec of '/usr/sbin/suexec' failed
> [Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8] 
>    Premature end of script headers: survey.cgi
> 
> 
> With SELinux in permissive mode I get the following AVC
> 
> Summary:
> 
> SELinux prevented httpd executing access to http files.
> 
> Detailed Description:
> 
> [SELinux is in permissive mode, the operation would have been denied but was
> permitted due to permissive mode.]
> 
> SELinux prevented httpd executing access to http files. Ordinarily httpd is
> allowed full access to all files labeled with http file context. This machine
> has a tightened security policy with the httpd_unified turned off, this 
> requires
> explicit labeling of all files. If a file is a cgi script it needs to be 
> labeled
> with httpd_TYPE_script_exec_t in order to be executed. If it is read-only
> content, it needs to be labeled httpd_TYPE_content_t, it is writable content. 
> it
> needs to be labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can
> use the chcon command to change these contexts. Please refer to the man page
> "man httpd_selinux" or FAQ (http://fedora.redhat.com/docs/selinux-apache-fc3)
> "TYPE" refers to one of "sys", "user" or "staff" or potentially other script
> types.
> 
> Allowing Access:
> 
> Changing the "httpd_unified" boolean to true will allow this access: 
> "setsebool -P httpd_unified=1"
> 
> The following command will allow this access:
> 
> setsebool -P httpd_unified=1
> 
> Additional Information:
> 
> Source Context                system_u:system_r:httpd_t
> Target Context                system_u:object_r:httpd_suexec_exec_t
> Target Objects                /usr/sbin/suexec [ file ]
> Source                        suexec
> Source Path                   /usr/sbin/suexec
> Port                          <Unknown>
> Host                          a.b.c.d
> Source RPM Packages           httpd-2.2.3-43.el5.centos.3
> Target RPM Packages           httpd-2.2.3-43.el5.centos.
> Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   httpd_unified
> Host Name                     a.b.c.d
> Platform                      Linux a.b.c.d 2.6.18-194.17.4.el5
>                               #1 SMP Mon Oct 25 15:50:53 EDT 2010 x86_64
> Alert Count                   2
> First Seen                    Thu Dec  2 13:09:20 2010
> Last Seen                     Thu Dec  2 13:33:32 2010
> Local ID                      4a26d013-6f04-4a0f-af21-760368cc9908
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> host=a.b.c.d type=AVC msg=audit(1291296812.604:97588): avc:  denied  { 
> execute_no_trans } for  pid=5567 comm="httpd" path="/usr/sbin/suexec" dev=sda2 
> ino=1791541 scontext=system_u:system_r:httpd_t:s0 
> tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file
> 
> host=a.b.c.d type=SYSCALL msg=audit(1291296812.604:97588): arch=c000003e 
> syscall=59 success=yes exit=0 a0=2abacad53449 a1=2abae3768e90 a2=2abae37684d8 
> a3=0 items=0 ppid=789 pid=5567 auid=4294967295 uid=48 gid=48 euid=0 suid=0 
> fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="suexec" 
> exe="/usr/sbin/suexec" subj=system_u:system_r:httpd_t:s0 key=(null)
> 
> 
> So it suggests "setsebool -P httpd_unified=1" will allow this access.
> 
> However getsebool -a | grep http gives
> httpd_unified --> on
> 
> So it is allready on.
> 
> 
> Thanks,
> 
> Tony
> 
> 
> 
> 
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Do you have httpd_suexec_disable_trans turned on?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkz3tXgACgkQrlYvE4MpobNvqACgyPDZttnqlfsDScV9lgqXOWfR
fL0AoOLMqXXVp3QsD43emMuwZzUsFXs6
=xSNL
-----END PGP SIGNATURE-----

More information about the selinux mailing list