Thank you for your answer.
Bug reported as:
https://bugzilla.redhat.com/show_bug.cgi?id=751404
Cheers!
2011/11/4 Miroslav Grepl <mgrepl@redhat.com>:
> On 11/04/2011 01:46 AM, Marko Uskoković wrote:
>>
>> Hello,
>> If I understand documentation correctly, SELinux should prevent php
>> scripts (running via mod_php) from opening remote urls with fopen
>> function
>> by default, that is when httpd_can_network_connect --> off
>>
>> Here are the links that confirm that behavior in the past:
>>
>> http://www.php.net/manual/en/function.fopen.php#56551
>> https://bugzilla.redhat.com/show_bug.cgi?id=164700
>>
>>
>> I've installed and updated Fedora 15 with no selinux modifications:
>>
>> [root@localhost ~]# cat /etc/redhat-release
>> Fedora release 15 (Lovelock)
>>
>> [root@localhost ~]# sestatus
>> SELinux status:                 enabled
>> SELinuxfs mount:                /selinux
>> Current mode:                   enforcing
>> Mode from config file:          enforcing
>> Policy version:                 26
>> Policy from config file:        targeted
>>
>> I've made three tests:
>> [root@localhost ~]# cat /var/www/html/marko1.php
>> <?php
>> $file = fopen ("http://www.example.com", "r");
>> if (!$file) {
>>     echo "<p>Unable to open remote file.\n";
>>     exit;
>> }
>> while (!feof ($file)) {
>>     $line = fgets ($file, 1024);
>>         echo ($line);
>> }
>> fclose($file);
>> ?>
>>
>> [root@localhost ~]# cat /var/www/html/marko2.php
>> <?php
>> $file = fopen ("http://10.11.12.13:31254/", "r");
>> if (!$file) {
>>     echo "<p>Unable to open remote file.\n";
>>     exit;
>> }
>> while (!feof ($file)) {
>>     $line = fgets ($file, 1024);
>>         echo ($line);
>> }
>> fclose($file);
>> ?>
>>
>> [root@localhost ~]# cat /var/www/html/marko3.php
>> <?php
>> exec ('wget http://www.example.com -O /tmp/example.html');
>> exec ('wget http://10.11.12.13:31254 -O /tmp/mail.html');
>> ?>
>> IP 10.11.12.13 is a remote machine, with apache listening on tcp port 31254,
>> and I can reach it with wget running under the unconfined root account.
>>
>> My httpd booleans are:
>>
>> [root@localhost ~]# getsebool -a|grep http
>> allow_httpd_anon_write --> off
>> allow_httpd_mod_auth_ntlm_winbind --> off
>> allow_httpd_mod_auth_pam --> off
>> allow_httpd_sys_script_anon_write --> off
>> httpd_builtin_scripting --> on
>> httpd_can_check_spam --> off
>> httpd_can_network_connect --> off
>> httpd_can_network_connect_cobbler --> off
>> httpd_can_network_connect_db --> off
>> httpd_can_network_memcache --> off
>> httpd_can_network_relay --> off
>> httpd_can_sendmail --> off
>> httpd_dbus_avahi --> off
>> httpd_enable_cgi --> on
>> httpd_enable_ftp_server --> off
>> httpd_enable_homedirs --> off
>> httpd_execmem --> off
>> httpd_read_user_content --> off
>> httpd_setrlimit --> off
>> httpd_ssi_exec --> off
>> httpd_tmp_exec --> off
>> httpd_tty_comm --> on
>> httpd_unified --> off
>> httpd_use_cifs --> off
>> httpd_use_gpg --> off
>> httpd_use_nfs --> off
>> named_bind_http_port --> off
>>
>> and semanage -o - gives:
>> boolean -D
>> boolean -1 httpd_builtin_scripting
>> login -D
>> login -a -s unconfined_u -r 's0-s0:c0.c1023' __default__
>> login -a -s unconfined_u -r 's0-s0:c0.c1023' root
>> login -a -s system_u -r 's0-s0:c0.c1023' system_u
>> user -D
>> port -D
>> interface -D
>> node -D
>> fcontext -D
>>
>> The problem is that opening marko1.php in browser gives me the html
>> found on http://www.example.com
>> and opening marko3.php produces the /tmp/example.html file on server
>> with the html found on http://www.example.com
>>
>> The requests for http://10.11.12.13:31254/, both php's and wget's, are
>> not successful and are logged like:
>> type=AVC msg=audit(1320370308.125:103): avc:  denied  { name_connect }
>> for  pid=1842 comm="wget" dest=31254
>> scontext=system_u:system_r:httpd_t:s0
>> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>> type=AVC msg=audit(1320370308.980:104): avc:  denied  { name_connect }
>> for  pid=1656 comm="httpd" dest=31254
>> scontext=system_u:system_r:httpd_t:s0
>> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>>
>> mod_proxy is commented and not enabled (which is default in F15, AFAIK).
>>
>> Am I missing something or has the documentation missed this little fact?
>>
>> --
>> Marko Uskokovic
>> Mainstream d.o.o.
>> www.mainstream.rs
>> --
>> selinux mailing list
>> selinux@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> I see we have
>
> # Signal self for shutdown
> corenet_tcp_connect_http_port(httpd_t)
>
> in the F15 policy which causes your operation to be allowed. We don't allow it
> on F16. Could you open a new bug for this?
>
--
Mainstream d.o.o.
napredna internet resenja
tel: +381 11 3038768
mob: +381 64 150 93 29
www.mainstream.rs
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
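As an added example (not code from the thread or from the SELinux project), here is a small Python check a defender could run against the artefacts discussed above: it parses the `avc: denied` records and the `getsebool -a` output, lists the outbound TCP connects refused for `httpd_t`, and flags the discrepancy the thread reports, namely a connect that succeeded while `httpd_can_network_connect` is off. The AVC lines, the boolean excerpt and the per-port probe results are constructed from the values in the thread.

```python
import re

# Constructed sample input: the two AVC records from the thread, with the
# tcontext field written out in full (the mail had mangled it), plus one
# non-AVC audit line to show it is skipped.
AVC_LINES = [
    'type=AVC msg=audit(1320370308.125:103): avc:  denied  { name_connect } '
    'for  pid=1842 comm="wget" dest=31254 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1320370308.980:104): avc:  denied  { name_connect } '
    'for  pid=1656 comm="httpd" dest=31254 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1320370308.980:104): arch=c000003e syscall=42',
]

# Constructed excerpt of `getsebool -a` output, matching the thread.
GETSEBOOL_OUTPUT = """httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC record as a dict (perms list plus key=value fields), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # The type is the third colon-separated field of a security context.
    rec["stype"] = rec.get("scontext", "::").split(":")[2]
    rec["ttype"] = rec.get("tcontext", "::").split(":")[2]
    return rec


def parse_booleans(text):
    """Map boolean name -> True/False from `getsebool -a` style output."""
    return {n: v == "on" for n, v in re.findall(r"^(\S+) --> (on|off)$", text, re.M)}


def httpd_connect_denials(lines):
    """Outbound TCP connects refused for httpd_t, as (dest port, comm, port type)."""
    out = []
    for rec in map(parse_avc, lines):
        if (rec and rec["result"] == "denied" and rec["stype"] == "httpd_t"
                and rec.get("tclass") == "tcp_socket" and "name_connect" in rec["perms"]):
            out.append((int(rec["dest"]), rec["comm"], rec["ttype"]))
    return out


def policy_gaps(booleans, probe_results):
    """Ports httpd_t reached although httpd_can_network_connect is off.
    probe_results maps a destination port to whether the connect succeeded."""
    if booleans.get("httpd_can_network_connect"):
        return []
    return sorted(port for port, ok in probe_results.items() if ok)
```

Because an allowed connect leaves no AVC record, the audit log alone cannot reveal the port 80 case; `policy_gaps` needs the observed outcome of a probe (here the thread's own result: port 80 reachable, 31254 refused).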