Old 11-04-2011, 12:46 AM
Marko Uskoković

selinux doesn't prevent php fopen to remote 80/tcp

Hello,
If I understand the documentation correctly, SELinux should prevent PHP
scripts (running via mod_php) from opening remote URLs with the fopen
function by default, that is, when httpd_can_network_connect --> off.

Here are the links that confirm that behavior in the past:

http://www.php.net/manual/en/function.fopen.php#56551
https://bugzilla.redhat.com/show_bug.cgi?id=164700


I've installed and updated Fedora 15 with no selinux modifications:

[root@localhost ~]# cat /etc/redhat-release
Fedora release 15 (Lovelock)

[root@localhost ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 26
Policy from config file:        targeted

I've made three tests:
[root@localhost ~]# cat /var/www/html/marko1.php
<?php
// Remote URL on 80/tcp, opened through PHP's HTTP stream wrapper.
$file = fopen("http://www.example.com", "r");
if (!$file) {
    echo "<p>Unable to open remote file.\n";
    exit;
}
while (!feof($file)) {
    $line = fgets($file, 1024);
    echo $line;
}
fclose($file);
?>

[root@localhost ~]# cat /var/www/html/marko2.php
<?php
// Same test against a non-standard port (31254) on a remote host.
$file = fopen("http://10.11.12.13:31254/", "r");
if (!$file) {
    echo "<p>Unable to open remote file.\n";
    exit;
}
while (!feof($file)) {
    $line = fgets($file, 1024);
    echo $line;
}
fclose($file);
?>

[root@localhost ~]# cat /var/www/html/marko3.php
<?php
// Same two targets fetched by an external process spawned from PHP.
exec('wget http://www.example.com -O /tmp/example.html');
exec('wget http://10.11.12.13:31254 -O /tmp/mail.html');
?>
IP 10.11.12.13 is a remote machine with apache listening on tcp port 31254,
and I can reach it with wget running under an unconfined root account.

My httpd booleans are:

[root@localhost ~]# getsebool -a|grep http
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
named_bind_http_port --> off

and semanage -o - gives:
boolean -D
boolean -1 httpd_builtin_scripting
login -D
login -a -s unconfined_u -r 's0-s0:c0.c1023' __default__
login -a -s unconfined_u -r 's0-s0:c0.c1023' root
login -a -s system_u -r 's0-s0:c0.c1023' system_u
user -D
port -D
interface -D
node -D
fcontext -D

The problem is that opening marko1.php in a browser gives me the HTML
found on http://www.example.com, and opening marko3.php produces the
/tmp/example.html file on the server with the HTML found on
http://www.example.com.

The requests for http://10.11.12.13:31254/, both PHP's and wget's, are
not successful and are logged like:
type=AVC msg=audit(1320370308.125:103): avc:  denied  { name_connect } for  pid=1842 comm="wget" dest=31254 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1320370308.980:104): avc:  denied  { name_connect } for  pid=1656 comm="httpd" dest=31254 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

mod_proxy is commented and not enabled (which is default in F15, AFAIK).

Am I missing something or has the documentation missed this little fact?

--
Marko Uskokovic
Mainstream d.o.o.
www.mainstream.rs
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 11-04-2011, 06:39 AM
Miroslav Grepl
 
selinux doesn't prevent php fopen to remote 80/tcp

On 11/04/2011 01:46 AM, Marko Uskoković wrote:
I see we have

# Signal self for shutdown
corenet_tcp_connect_http_port(httpd_t)

in the F15 policy, which causes your operation to be allowed. We don't
allow it on F16. Could you open a new bug for this?
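As an added example (not code from the thread or from the Fedora policy), a small Python parser for AVC records like the two quoted above: it pulls the source and target types, the program and the destination port out of name_connect denials, so a defender can see at a glance which ports httpd_t was refused. The sample records are reassembled from the post onto one line each, with the tcontext restored to system_u:object_r:port_t:s0; the third, SYSCALL line is constructed. Note what is absent: the port 80 fetches that succeeded leave no AVC record, because the F15 policy allows them regardless of the boolean.

```python
import re
from collections import Counter

# Constructed sample: the two AVC records quoted in the thread, reassembled
# onto one line each as they appear in audit.log, with the tcontext restored
# to system_u:object_r:port_t:s0. The port-80 fetches that succeeded left
# no AVC record at all: the F15 policy allows httpd_t to connect to port 80.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1320370308.125:103): avc:  denied  { name_connect } for  pid=1842 comm="wget" dest=31254 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1320370308.980:104): avc:  denied  { name_connect } for  pid=1656 comm="httpd" dest=31254 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1320370308.980:104): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": float(m["ts"]), "serial": int(m["serial"]),
           "verdict": m["verdict"], "perms": m["perms"].split()}
    for key, val in FIELD_RE.findall(m["fields"]):
        rec[key] = val.strip('"')
    # Extract the type from user:role:type[:mls] for source and target.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def denied_connects(lines, source_type="httpd_t"):
    """Yield denied tcp_socket name_connect records from one source domain."""
    for line in lines:
        rec = parse_avc(line)
        if (rec and rec["verdict"] == "denied"
                and "name_connect" in rec["perms"]
                and rec.get("tclass") == "tcp_socket"
                and rec.get("scontext_type") == source_type):
            yield rec

def summarize(lines):
    """Count denials per (destination port, SELinux port type, program)."""
    counts = Counter()
    for rec in denied_connects(lines):
        counts[(int(rec["dest"]), rec["tcontext_type"], rec["comm"])] += 1
    return dict(counts)
```

On a live host the other half of the picture, the connects that never get logged, can be checked against the loaded policy with `sesearch -A -s httpd_t -t http_port_t -c tcp_socket -p name_connect`, which on the F15 policy described here shows the unconditional allow rule.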
 
Old 11-04-2011, 02:44 PM
Marko Uskoković

selinux doesn't prevent php fopen to remote 80/tcp

Thank you for your answer.

Bug reported as:
https://bugzilla.redhat.com/show_bug.cgi?id=751404

Cheers!



2011/11/4 Miroslav Grepl <mgrepl@redhat.com>:



--
Mainstream d.o.o.
advanced internet solutions
tel: +381 11 3038768
mob: +381 64 150 93 29
www.mainstream.rs