Linux Archive

Source: Fedora SELinux Support, http://www.linux-archive.org/fedora-selinux-support/366168-apache-cgi-scripts-how-run-them-cleanly.html

Lars Poulsen 05-04-2010 07:03 PM

Apache CGI scripts - how to run them cleanly
 
I am trying to get my Fedora 12 systems to run cleanly with SELinux
enabled. Previously I had just been running in permissive mode and
mostly ignoring the alerts, but my ambition level has gone up!

After a few days of following up on every alert I saw by tweaking
booleans and file context types appropriately, I am pleased with how
few violations are being reported, but I am now getting to some that
I cannot figure out, such as the one below.

It originates in a CGI script written in PERL. In my installations,
the base of the website data is in /home/httpd rather than in
/var/www; this choice is because I try to keep permanent data that
should be kept across OS version updates out of the root filesystem,
and the website is too small to merit a filesystem of its own. It
does mean that I need to tweak a bunch of labels, such as
* setsebool -P httpd_read_user_content 1
* setsebool -P httpd_enable_homedirs 1
* setsebool -P httpd_read_user_content 1
* setsebool -P samba_enable_home_dirs 1
* setsebool -P use_samba_home_dirs 1
* setsebool -P samba_export_all_rw 1
*
* chcon -R -t httpd_user_content_t /var/log/phone
* chcon -R -t httpd_user_content_t /home/httpd/twiki/data
* chcon -R -t httpd_sys_script_exec_t /home/httpd/twiki/bin
* chcon -R -t httpd_sys_script_exec_t /home/httpd/cgi-bin
* chcon -t httpd_sys_content_t /home/httpd
* chcon -R -t httpd_sys_content_t /home/httpd/html
* chcon -R -t httpd_user_content_t /home/sales/serial
* chcon -R -t httpd_user_content_t /home/sales/leads
But the one that baffles me the most is this one, which comes up when
I trigger the CGI script /home/httpd/cgi-bin/serial.cgi (written in PERL).

I *think* the "search" access is triggered when the script is launched.
SELinux says that / is labeled as user_home_dir_t, but this is not
true; ls -Zd confirms that it is indeed labeled as root_t. And even
if it were labeled user_home_dir_t, should the boolean
httpd_enable_homedirs not make it all right?

Any insights would be appreciated.

Lars Poulsen
Afar Communications
-------------------------------------------------------------------------------------------------------------------------
Summary:

SELinux is preventing /usr/bin/perl "search" access to /.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by serial.cgi. / may be a mislabeled. / default
SELinux type is root_t, but its current type is user_home_dir_t. Changing this
file back to the default type, may fix your problem.

File contexts can be assigned to a file in the following ways.

* Files created in a directory receive the file context of the parent
  directory by default.
* The SELinux policy might override the default label inherited from the
  parent directory by specifying a process running in context A which creates
  a file in a directory labeled B will instead create the file with label C.
  An example of this would be the dhcp client running with the dhclient_t type
  and creating a file in the directory /etc. This file would normally receive
  the etc_t type due to parental inheritance but instead the file is labeled
  with the net_conf_t type because the SELinux policy specifies this.
* Users can change the file context on a file using tools such as chcon, or
  restorecon.

This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.

If you believe this is a bug, please file a bug report against this package.

Allowing Access:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/', if this file is a directory, you can
recursively restore using restorecon -R '/'.

Fix Command:

/sbin/restorecon '/'

Additional Information:

Source Context system_u:system_r:httpd_sys_script_t:s0
Target Context unconfined_u:object_r:user_home_dir_t:s0
Target Objects / [ dir ]
Source serial.cgi
Source Path /usr/bin/perl
Port <Unknown>
Host shadow.afar.net
Source RPM Packages perl-5.10.0-87.fc12
Target RPM Packages filesystem-2.4.30-2.fc12
Policy RPM selinux-policy-3.6.32-113.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Plugin Name restorecon
Host Name shadow.afar.net
Platform Linux shadow.afar.net 2.6.32.11-99.fc12.i686.PAE #1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686
Alert Count 6
First Seen Tue 04 May 2010 10:27:30 AM PDT
Last Seen Tue 04 May 2010 11:15:28 AM PDT
Local ID 6cee89bd-3559-4483-9802-fa2dc320bd26
Line Numbers

Raw Audit Messages

node=shadow.afar.net type=AVC msg=audit(1272996928.152:22292): avc: denied { search } for pid=15632 comm="serial.cgi" name="/" dev=dm-7 ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir

node=shadow.afar.net type=SYSCALL msg=audit(1272996928.152:22292): arch=40000003 syscall=5 success=yes exit=3 a0=8b6767c a1=8000 a2=0 a3=0 items=0 ppid=31549 pid=15632 auid=4294967295 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="serial.cgi" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Dominick Grift 05-04-2010 07:21 PM

Apache CGI scripts - how to run them cleanly
 
On Tue, May 04, 2010 at 12:03:28PM -0700, Lars Poulsen wrote:
> [...]
> I *think* the "search" access is triggered when the script is launched.
> SELinux says that / is labeled as user_home_dir_t, but this is not
> true; ls -Zd confirms that it is indeed labeled as root_t. And even
> if it were labeled user_homme_dir_t, should the boolean
> httpd_enable_home_dirs not make it allright ?

Did you mount a separate partition under /home or /home/*?

The AVC denial also shows the device in question. It may in fact be / on the mounted partition and not your main /.
I think a restorecon -R /home or /home/* should solve it though

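Dominick's reading of the AVC can be checked mechanically rather than by eye. The kernel reports the target by its dentry name, so the root directory of any mounted filesystem shows up as name="/", not only the system root; dev=dm-7 says which block device it lives on, and on ext2/3/4 the root directory of a filesystem is always inode 2. The script below is an added example, not something posted in the thread: it pulls those fields out of the two records quoted above, maps the device to its mount point through /proc/self/mountinfo, and names the syscall from the paired SYSCALL record so that "the script was launched" (execve) can be told apart from "the script opened a file" (open). The mountinfo text and the 253:7 device number for dm-7 are constructed so the script runs offline; on a live system it reads /sys/class/block/<dev>/dev and /proc/self/mountinfo instead.

```shell
#!/bin/sh
# avc_where.sh (added example): which filesystem is the "/" in this AVC?

# Extract one key=value field from an audit record; surrounding quotes are dropped.
avc_field() {
    printf '%s\n' "$2" |
        sed -n 's/.*[[:space:]]'"$1"'="\{0,1\}\([^[:space:]"]*\)"\{0,1\}.*/\1/p'
}

# First permission inside the braces of "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^} ]*\)[^}]*}.*/\1/p'
}

# Kernel device name (dm-7, sda1, ...) -> major:minor. A live system exposes
# it in sysfs; $2 is an override so the script can be exercised offline.
majmin_of() {
    if [ -n "${2:-}" ]; then printf '%s\n' "$2"; else cat "/sys/class/block/$1/dev"; fi
}

# /proc/self/mountinfo on stdin: field 3 is major:minor, field 4 the root of
# the mounted subtree, field 5 the mount point. Only a whole filesystem
# (root "/") has inode 2 as its top directory, so bind mounts of
# subdirectories are skipped.
mountpoint_for() {
    awk -v mm="$1" '$3 == mm && $4 == "/" { print $5; exit }'
}

# Print the mount point that is the "/" of this AVC; fail if the target is
# not a filesystem root at all. $1 AVC line, $2 mountinfo text, $3 optional
# major:minor override.
avc_target_mount() {
    name=$(avc_field name "$1"); ino=$(avc_field ino "$1"); dev=$(avc_field dev "$1")
    [ "$name" = / ] && [ "$ino" = 2 ] || return 1
    mm=$(majmin_of "$dev" "${3:-}") || return 1
    printf '%s\n' "$2" | mountpoint_for "$mm"
}

# Name the syscall from the SYSCALL record (x86 only; extend as needed).
syscall_name() {
    case "$1/$2" in
        40000003/5)  echo open ;;      # AUDIT_ARCH_I386
        40000003/11) echo execve ;;
        c000003e/2)  echo open ;;      # AUDIT_ARCH_X86_64
        c000003e/59) echo execve ;;
        *)           echo "syscall $2 on arch $1" ;;
    esac
}

# --- sample input: the thread's two records, each joined onto one line ---
AVC_SAMPLE='node=shadow.afar.net type=AVC msg=audit(1272996928.152:22292): avc: denied { search } for pid=15632 comm="serial.cgi" name="/" dev=dm-7 ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir'
SYSCALL_SAMPLE='node=shadow.afar.net type=SYSCALL msg=audit(1272996928.152:22292): arch=40000003 syscall=5 success=yes exit=3 a0=8b6767c a1=8000 a2=0 a3=0 items=0 ppid=31549 pid=15632 auid=4294967295 uid=48 gid=489 euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none) ses=4294967295 comm="serial.cgi" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)'
# Constructed mountinfo with /home on its own LVM volume; 253:7 for dm-7 is
# likewise an assumption (device-mapper's major number is usually 253).
MOUNTINFO_SAMPLE='18 1 253:0 / / rw,relatime - ext4 /dev/mapper/vg-root rw,barrier=1
27 18 253:7 / /home rw,relatime - ext4 /dev/mapper/vg-home rw,barrier=1
28 18 8:1 / /boot rw,relatime - ext3 /dev/sda1 rw'

# Stand-alone demo on the sample. On a live box drop the 253:7 override and
# pass "$(cat /proc/self/mountinfo)" instead of MOUNTINFO_SAMPLE.
mp=$(avc_target_mount "$AVC_SAMPLE" "$MOUNTINFO_SAMPLE" 253:7) || mp='(not a filesystem root)'
printf '%s was denied %s on %s: inode %s of %s is the root of the filesystem mounted at %s\n' \
    "$(avc_field scontext "$AVC_SAMPLE")" "$(avc_perm "$AVC_SAMPLE")" \
    "$(avc_field tclass "$AVC_SAMPLE")" "$(avc_field ino "$AVC_SAMPLE")" \
    "$(avc_field dev "$AVC_SAMPLE")" "$mp"
printf 'the access happened inside %s(2); relabel that directory: restorecon -v %s\n' \
    "$(syscall_name "$(avc_field arch "$SYSCALL_SAMPLE")" "$(avc_field syscall "$SYSCALL_SAMPLE")")" "$mp"
```

On the sample it reports that inode 2 of dm-7 is the root of the filesystem mounted at /home and proposes restorecon -v /home. The SYSCALL record adds a detail the AVC alone hides: syscall=5 under arch=40000003 (i386) is open, not execve, so the search check fired while Perl was opening a file and walked through the mount point; exit=3 is the descriptor it got back, because the box was in permissive mode.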

Lars Poulsen 05-04-2010 07:51 PM

Apache CGI scripts - how to run them cleanly
 
>On Tue, May 04, 2010 at 12:03:28PM -0700, Lars Poulsen wrote:
> > * setsebool -P httpd_read_user_content 1
> > * setsebool -P httpd_enable_homedirs 1
> > * setsebool -P httpd_read_user_content 1
> > * ....
> > * chcon -R -t httpd_sys_script_exec_t /home/httpd/cgi-bin
> > * chcon -t httpd_sys_content_t /home/httpd
> > * chcon -R -t httpd_sys_content_t /home/httpd/html
> > * chcon -R -t httpd_user_content_t /home/sales/serial
> > * chcon -R -t httpd_user_content_t /home/sales/leads
> > But the one that baffles me the most is this one, which comes up when
> > I trigger the CGI script /home/httpd/cgi-bin/serial.cgi (written in PERL).
> >
> > I *think* the "search" access is triggered when the script is launched.
> > SELinux says that / is labeled as user_home_dir_t, but this is not
> > true; ls -Zd confirms that it is indeed labeled as root_t. And even
> > if it were labeled user_home_dir_t, should the boolean
> > httpd_enable_homedirs not make it all right?

At 12:21 PM 5/4/2010, Dominick Grift wrote:
>Did you mount a separate partition under /home or /home/*?
>The AVC denial also shows the device in question. It may in fact be /
>on the mounted partition and not your main /.
>I think a restorecon -R /home or /home/* should solve it though

Indeed, /home is a separate filesystem.
ls -Zd tells me that /home is labeled home_root_t.
As shown above, /home/httpd is labeled httpd_sys_content_t.
What do you think is the "correct" label for them to allow them to
house a CGI program?

Lars Poulsen


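One caveat the thread does not spell out: chcon only rewrites the label on the inode. The policy's file-context database still says /home/httpd and everything under it should carry user_home_dir_t and user_home_t, so the restorecon -R /home suggested above would undo every chcon listed in the first post in one go. semanage fcontext records the intended labels so that restorecon applies them instead of the defaults. The script below is an added example, not something posted in the thread: it emits the persistent rules for the layout described (using the types Lars already chose), applies them, and lists every directory a request to a CGI script has to traverse, since httpd_sys_script_t needs search on each one and a single mislabeled ancestor, such as the root of a separately mounted /home, is enough to break a script that is itself labeled correctly. The type names and paths are the thread's; the rule for twiki/data mirrors the chcon in the first post and is not a recommendation.

```shell
#!/bin/sh
# webroot_labels.sh (added example): persistent labels for a web root
# outside /var/www, plus a check of every directory on the way to a script.

# Every directory from / down to the script's parent directory.
path_components() {
    dir=$(dirname -- "$1")
    printf '/\n'
    acc=
    ( IFS=/; for part in $dir; do
          [ -n "$part" ] || continue
          acc="$acc/$part"
          printf '%s\n' "$acc"
      done )
}

# "type regex" pairs: the persistent counterparts of the chcon calls in the
# thread. A rule for a subdirectory takes precedence over the broader rule
# for its parent, which is how cgi-bin keeps httpd_sys_script_exec_t inside
# a tree that is otherwise httpd_sys_content_t.
fcontext_rules() {
    r=$1
    cat <<EOF
httpd_sys_content_t $r(/.*)?
httpd_sys_script_exec_t $r/cgi-bin(/.*)?
httpd_sys_script_exec_t $r/twiki/bin(/.*)?
httpd_user_content_t $r/twiki/data(/.*)?
EOF
}

# Record the rules (-a; fall back to -m when one already exists), then let
# restorecon label the tree from policy instead of from hand-applied chcon.
apply_rules() {
    fcontext_rules "$1" | while read -r type regex; do
        semanage fcontext -a -t "$type" "$regex" 2>/dev/null ||
            semanage fcontext -m -t "$type" "$regex"
    done
    restorecon -Rv "$1"
}

# Live check: actual label of each directory leading to the script, then the
# label the file-context database would assign the script itself.
check_path() {
    path_components "$1" | while read -r d; do ls -Zd -- "$d"; done
    matchpathcon "$1"
}

case "${1:-}" in
    apply) apply_rules "${2:-/home/httpd}" ;;
    check) check_path "${2:-/home/httpd/cgi-bin/serial.cgi}" ;;
    *)     fcontext_rules "${2:-/home/httpd}" ;;   # dry run: just print the rules
esac
```

Run it with no arguments to see the rules, with apply to install them and relabel, and with check to see what each ancestor of serial.cgi is actually labeled; on the system in the thread the check should show / as root_t, /home as home_root_t, /home/httpd as httpd_sys_content_t and /home/httpd/cgi-bin as httpd_sys_script_exec_t. semanage fcontext -l | grep /home/httpd confirms the rules were stored, and once they are, restorecon -R /home is safe to run.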

