AVC question

Daniel J Walsh dwalsh at redhat.com
Wed Jan 9 13:56:38 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/08/2013 11:28 PM, David Highley wrote:
> I get the following avc from using mythtv's web interface.
> 
> ----
> time->Tue Jan  8 19:14:57 2013
> type=SYSCALL msg=audit(1357701297.336:4077): arch=c000003e syscall=109 success=no exit=-13 a0=0 a1=0 a2=1340cb0 a3=0 items=0 ppid=5777 pid=8018 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> type=AVC msg=audit(1357701297.336:4077): avc:  denied  { setpgid } for pid=8018 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
> ----
> time->Tue Jan  8 19:17:56 2013
> type=SYSCALL msg=audit(1357701476.763:4085): arch=c000003e syscall=109 success=no exit=-13 a0=0 a1=0 a2=22c5b10 a3=0 items=0 ppid=5774 pid=8113 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> type=AVC msg=audit(1357701476.763:4085): avc:  denied  { setpgid } for pid=8113 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
> 
> I checked the script:
> 
> ls -Z /usr/share/mythweb/mythweb.pl
> -rwxr-xr-x. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /usr/share/mythweb/mythweb.pl
> 
> Should I need to define the following?
> 
> require {
>         type httpd_sys_script_t;
>         class process setpgid;
> }
> 
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t self:process setpgid;
> 
> -- 
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
Yes, although I guess the question is whether we should allow this by default.
What risk do we have from allowing a CGI script the ability to call setpgid?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlDtdxYACgkQrlYvE4MpobPgqACeND2Nj5YGrT/dPlxcSAFOznR2
EToAnRkR310HdPcj26w+7GNNhFUaYZ+n
=Zeay
-----END PGP SIGNATURE-----
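What the quoted rule does, worked through as an added example (this is not code from the thread, from audit2allow, or from any SELinux tool): a small Python parser that turns raw audit SYSCALL/AVC records into the allow or dontaudit rule and a complete module source, pairing each AVC with its SYSCALL record by audit serial so the syscall number and errno travel with the denial. The sample records are the two denials quoted above, re-joined onto single lines; the module name `mythweb_setpgid` is an arbitrary choice.

```python
"""Derive an SELinux policy module from raw audit AVC records.

Added example for the thread above; the sample records are the poster's two
denials re-joined onto single lines.  Not audit2allow, just the same idea.
"""
import re
from collections import defaultdict

# Constructed sample input: the SYSCALL + AVC pairs from the mail, one record per line.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1357701297.336:4077): arch=c000003e syscall=109 success=no exit=-13 a0=0 a1=0 a2=1340cb0 a3=0 items=0 ppid=5777 pid=8018 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1357701297.336:4077): avc:  denied  { setpgid } for  pid=8018 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=SYSCALL msg=audit(1357701476.763:4085): arch=c000003e syscall=109 success=no exit=-13 a0=0 a1=0 a2=22c5b10 a3=0 items=0 ppid=5774 pid=8113 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1357701476.763:4085): avc:  denied  { setpgid } for  pid=8113 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
"""

SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(?P<serial>\d+)\)')
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(r'type=SYSCALL\b.*?\bsyscall=(?P<nr>\d+)\b.*?\bexit=(?P<exit>-?\d+)\b')


def context_type(ctx):
    """user:role:type[:range]  ->  type"""
    return ctx.split(':')[2]


def parse_audit(text):
    """Return one dict per denial: stype, ttype, tclass, perms, serial, syscall, exit.

    SYSCALL and AVC records that share an audit serial describe one event, so
    the syscall number and errno are attached to the denial they explain.
    """
    syscalls = {}
    denials = []
    for line in text.splitlines():
        serial_m = SERIAL_RE.search(line)
        serial = serial_m.group('serial') if serial_m else None
        sc = SYSCALL_RE.search(line)
        if sc:
            syscalls[serial] = (int(sc.group('nr')), int(sc.group('exit')))
            continue
        m = AVC_RE.search(line)
        if not m or m.group('verdict') != 'denied':
            continue
        denials.append({
            'stype': context_type(m.group('scontext')),
            'ttype': context_type(m.group('tcontext')),
            'tclass': m.group('tclass'),
            'perms': frozenset(m.group('perms').split()),
            'serial': serial,
        })
    for d in denials:
        d['syscall'], d['exit'] = syscalls.get(d['serial'], (None, None))
    return denials


def _perm_set(perms):
    """Policy syntax: a single permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def build_rules(denials, dontaudit=False):
    """Merge denials into one rule per (source type, target type, class).

    When source and target types are equal the target is written as `self`,
    as in the rule the original poster quoted.
    """
    merged = defaultdict(set)
    for d in denials:
        merged[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    keyword = 'dontaudit' if dontaudit else 'allow'
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = 'self' if stype == ttype else ttype
        rules.append(f'{keyword} {stype} {target}:{tclass} {_perm_set(perms)};')
    return rules


def build_module(name, denials, dontaudit=False):
    """Render a complete loadable-module source (.te) in checkmodule syntax."""
    types = sorted({d[k] for d in denials for k in ('stype', 'ttype')})
    classes = defaultdict(set)
    for d in denials:
        classes[d['tclass']] |= d['perms']
    lines = [f'module {name} 1.0;', '', 'require {']
    lines += [f'\ttype {t};' for t in types]
    lines += [f'\tclass {c} {_perm_set(p)};' for c, p in sorted(classes.items())]
    lines += ['}', '']
    lines += build_rules(denials, dontaudit)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    found = parse_audit(SAMPLE_AUDIT)
    for d in found:
        print(f"serial {d['serial']}: {d['stype']} -> {d['ttype']}:{d['tclass']} "
              f"{sorted(d['perms'])} (syscall={d['syscall']}, exit={d['exit']})")
    print(build_module('mythweb_setpgid', found))
```

On a real system the equivalent procedure is `audit2allow -a -M mythweb_setpgid` followed by `semodule -i mythweb_setpgid.pp`. Two things worth checking before loading such a module: the rule is on `self`, so it only lets the CGI domain set the process group of processes already running in httpd_sys_script_t, and if mythweb works fine despite the denial, the `dontaudit=True` variant silences the log without granting anything, which is the safer answer while the question Dan raises about the default policy is open.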

