http AVC
Daniel J Walsh
dwalsh at redhat.com
Thu Dec 2 15:04:24 UTC 2010
On 12/02/2010 09:35 AM, Tony Molloy wrote:
>
> Hi,
>
> I'm running http on a fully updated Centos 5 system.
>
> httpd-2.2.3-43.el5.centos.3.x86_64
> selinux-policy-2.4.6-279.el5_5.2.noarch
> selinux-policy-targeted-2.4.6-279.el5_5.2.noarch
>
>
> I'm trying to run a cgi script from a user directory.
>
> With SELinux enabled I get the following error.
>
> [Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8]
> (13)Permission denied: exec of '/usr/sbin/suexec' failed
> [Thu Dec 02 12:10:11 2010] [error] [client 193.1.104.8]
> Premature end of script headers: survey.cgi
>
>
> With SELinux in permissive mode I get the following AVC
>
> Summary:
>
> SELinux prevented httpd executing access to http files.
>
> Detailed Description:
>
> [SELinux is in permissive mode, the operation would have been denied but was
> permitted due to permissive mode.]
>
> SELinux prevented httpd executing access to http files. Ordinarily httpd is
> allowed full access to all files labeled with http file context. This machine
> has a tightened security policy with the httpd_unified turned off; this
> requires explicit labeling of all files. If a file is a cgi script it needs to
> be labeled with httpd_TYPE_script_exec_t in order to be executed. If it is
> read-only content, it needs to be labeled httpd_TYPE_content_t; if it is
> writable content, it needs to be labeled httpd_TYPE_script_rw_t or
> httpd_TYPE_script_ra_t. You can use the chcon command to change these
> contexts. Please refer to the man page "man httpd_selinux" or FAQ
> (http://fedora.redhat.com/docs/selinux-apache-fc3)
> "TYPE" refers to one of "sys", "user" or "staff" or potentially other script
> types.
>
> Allowing Access:
>
> Changing the "httpd_unified" boolean to true will allow this access:
> "setsebool -P httpd_unified=1"
>
> The following command will allow this access:
>
> setsebool -P httpd_unified=1
>
> Additional Information:
>
> Source Context system_u:system_r:httpd_t
> Target Context system_u:object_r:httpd_suexec_exec_t
> Target Objects /usr/sbin/suexec [ file ]
> Source suexec
> Source Path /usr/sbin/suexec
> Port <Unknown>
> Host a.b.c.d
> Source RPM Packages httpd-2.2.3-43.el5.centos.3
> Target RPM Packages httpd-2.2.3-43.el5.centos.
> Policy RPM selinux-policy-2.4.6-279.el5_5.2
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Permissive
> Plugin Name httpd_unified
> Host Name a.b.c.d
> Platform Linux a.b.c.d 2.6.18-194.17.4.el5 #1 SMP Mon Oct 25 15:50:53 EDT 2010 x86_64
> Alert Count 2
> First Seen Thu Dec 2 13:09:20 2010
> Last Seen Thu Dec 2 13:33:32 2010
> Local ID 4a26d013-6f04-4a0f-af21-760368cc9908
> Line Numbers
>
> Raw Audit Messages
>
> host=a.b.c.d type=AVC msg=audit(1291296812.604:97588): avc: denied {
> execute_no_trans } for pid=5567 comm="httpd" path="/usr/sbin/suexec" dev=sda2
> ino=1791541 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file
>
> host=a.b.c.d type=SYSCALL msg=audit(1291296812.604:97588): arch=c000003e
> syscall=59 success=yes exit=0 a0=2abacad53449 a1=2abae3768e90 a2=2abae37684d8
> a3=0 items=0 ppid=789 pid=5567 auid=4294967295 uid=48 gid=48 euid=0 suid=0
> fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="suexec"
> exe="/usr/sbin/suexec" subj=system_u:system_r:httpd_t:s0 key=(null)
>
>
> So it suggests "setsebool -P httpd_unified=1" will allow this access.
>
> However getsebool -a | grep http gives
> httpd_unified --> on
>
> So it is already on.
>
>
> Thanks,
>
> Tony
>
>
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Do you have httpd_suexec_disable_trans turned on?
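The exchange above turns on reading the raw AVC rather than the setroubleshoot summary: the denied permission is execute_no_trans on a file of type httpd_suexec_exec_t, i.e. httpd_t tried to execve suexec without the domain transition that the entrypoint type exists for, which is what a <domain>_disable_trans boolean does in this era's policy. The following Python is an added example, not code from the thread or from setroubleshoot. It parses the AVC record quoted in the thread, derives the boolean Dan Walsh asks about from the target type (the httpd_suexec_exec_t -> httpd_suexec_disable_trans naming convention is an assumption about RHEL 5-era policy), and checks it against a constructed `getsebool -a` listing; it also shows why the httpd_unified hint was a dead end, because that boolean was already on.

```python
"""Parse a raw SELinux AVC record and explain an execute_no_trans denial.

Added example (not code from the mailing-list thread). It assumes the
RHEL 5-era <domain>_disable_trans boolean naming that Dan Walsh's reply
refers to; later policies dropped those booleans, so the derived name is
only meaningful there. Sample inputs are embedded so this runs offline.
"""
import re

# The raw AVC record quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1291296812.604:97588): avc: denied { execute_no_trans } '
    'for pid=5567 comm="httpd" path="/usr/sbin/suexec" dev=sda2 ino=1791541 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_suexec_exec_t:s0 tclass=file'
)

# Constructed `getsebool -a` output (not from the thread), reflecting the
# state the thread implies: httpd_unified already on, transition disabled.
SAMPLE_BOOLS = """\
httpd_enable_cgi --> on
httpd_suexec_disable_trans --> on
httpd_unified --> on
"""

_AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)'
)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return result, the list of permissions, and the key=value fields."""
    m = _AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in _KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def parse_booleans(text):
    """Parse `getsebool -a` style lines ("name --> on|off") into a dict."""
    bools = {}
    for line in text.splitlines():
        name, sep, state = line.partition(" --> ")
        if sep:
            bools[name.strip()] = state.strip() == "on"
    return bools


def hint_is_stale(suggested_boolean, bools):
    """True when the boolean a tool suggests enabling is already on."""
    return bools.get(suggested_boolean) is True


def diagnose(avc_line, getsebool_output):
    rec = parse_avc(avc_line)
    bools = parse_booleans(getsebool_output)
    src = context_type(rec["scontext"])
    tgt = context_type(rec["tcontext"])
    if ("execute_no_trans" in rec["perms"] and rec.get("tclass") == "file"
            and tgt.endswith("_exec_t")):
        # execute_no_trans: the source domain execve'd a file whose type is
        # an entrypoint for another domain, but stayed in its own domain.
        # Assumed naming: <domain>_exec_t -> <domain>_disable_trans.
        boolean = tgt[: -len("_exec_t")] + "_disable_trans"
        return {
            "kind": "suppressed_domain_transition",
            "source_type": src,
            "target_type": tgt,
            "boolean": boolean,
            "boolean_on": bools.get(boolean),
        }
    return {"kind": "other", "source_type": src, "target_type": tgt,
            "perms": rec["perms"]}


if __name__ == "__main__":
    print(diagnose(SAMPLE_AVC, SAMPLE_BOOLS))
    print("httpd_unified hint stale:",
          hint_is_stale("httpd_unified", parse_booleans(SAMPLE_BOOLS)))
```

On a live RHEL 5 box the equivalent check is `getsebool httpd_suexec_disable_trans` after pulling the record with `ausearch -m avc -c httpd`; the point of the script is the reading rule, not the tooling: an execute_no_trans denial against an *_exec_t type is a transition problem, and no amount of relabeling content or flipping httpd_unified will touch it.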