Permission denied to cgi-script when enforcing selinux on RHEL6
Greetings all,
I've set up a simple apache webserver with cgi-script executing python code on RHEL6. With selinux disabled, the script returns output fine to a browser but with selinux enforced I receive a 500 Internal Server error and permission denied in ssl_error_log with nothing logged to audit.log even though dontaudit rules are disabled. audit2allow -a -l is clean as well. I am able to successfully execute the script on the command line under apache's context httpd_t, so it's only when returning the content to the browser that the 500 Internal Server error occurs. Anyone have any idea to help troubleshoot? Pertinent information below, any help is greatly appreciated.

Thanks in advance,

>> ssl_error_log when accessing through the browser:
[Tue Apr 10 09:37:43 2012] [error] (13)Permission denied: exec of '/var/www/cgi-bin/index.py' failed
[Tue Apr 10 09:37:43 2012] [error] Premature end of script headers: index.py

>> Apache is running under context httpd_t:
# /bin/ps axZ | grep http
unconfined_u:system_r:httpd_t:s0 12716 ? Ss 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12719 ? S 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12720 ? S 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12721 ? S 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12722 ? S 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12723 ? S 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12724 ? S 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12725 ? S 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 12726 ? S 0:00 /usr/sbin/httpd

>> Able to execute the script successfully under apache with context httpd_t:
# sudo -u apache -t httpd_t ./index.py
Content-Type: text/plain;charset=utf-8

Hello World!

>> sebools have at least httpd_enable_cgi:
# getsebool -a | grep http | grep "--> on"
httpd_builtin_scripting --> on
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_execmem --> on
httpd_tty_comm --> on
httpd_unified --> on

>> All contexts, importantly httpd_sys_script_exec_t for cgi-bin and index.py within:
# ls -lZd /var/www/
drwxr-xr-x. root apache system_u:object_r:httpd_sys_content_t:s0 /var/www/

# ls -lZd /var/www/*
drwxr-xr-x. root apache system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin
drwxr-xr-x. root apache system_u:object_r:httpd_sys_content_t:s0 /var/www/html

# ls -lZd /var/www/cgi-bin/*
-rwxr-xr-x. root apache system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/index.py

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
Permission denied to cgi-script when enforcing selinux on RHEL6
On Tue, 2012-04-10 at 09:59 -0400, Dark Sinclair wrote:
> Greetings all,
>
> I've set up a simple apache webserver with cgi-script executing
> python code on RHEL6. With selinux disabled, the script returns
> output fine to a browser but with selinux enforced I receive a 500
> Internal Server error and permission denied in ssl_error_log with
> nothing logged to audit.log even though dontaudit rules are disabled.
> audit2allow -a -l is clean as well. I am able to successfully
> execute the script on the command line under apache's context httpd_t,
> so it's only when returning the content to the browser that the 500
> Internal Server error occurs. Anyone have any idea to help
> troubleshoot?

You should really see AVC denials when you build the policy.db with the dontaudit rules removed (semodule -DB).

Maybe you've overlooked them?

> Pertinent information below, any help is greatly appreciated.
>
> Thanks in advance,
>
> >> ssl_error_log when accessing through the browser:
> [Tue Apr 10 09:37:43 2012] [error] (13)Permission denied: exec of
> '/var/www/cgi-bin/index.py' failed
> [Tue Apr 10 09:37:43 2012] [error] Premature end of script headers: index.py
>
> >> Apache is running under context httpd_t:
> # /bin/ps axZ | grep http
> unconfined_u:system_r:httpd_t:s0 12716 ? Ss 0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12719 ? S 0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12720 ? S 0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12721 ? S 0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12722 ? S 0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12723 ? S 0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12724 ? S 0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12725 ? S 0:00 /usr/sbin/httpd
> unconfined_u:system_r:httpd_t:s0 12726 ? S 0:00 /usr/sbin/httpd
>
> >> Able to execute the script successfully under apache with context httpd_t:
> # sudo -u apache -t httpd_t ./index.py

That test does not work, I believe.

I tried it myself:

[dominick@q9000 ~]$ echo '#!/bin/bash' > test.sh
[dominick@q9000 ~]$ echo "exec id -Z" >> test.sh
[dominick@q9000 ~]$ chmod +x test.sh
[dominick@q9000 ~]$ sudo -u dominick -t httpd_t /home/dominick/test.sh
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

It doesn't actually run in httpd_t somehow.

> Content-Type: text/plain;charset=utf-8
>
> Hello World!
>
> >> sebools have at least httpd_enable_cgi:
> # getsebool -a | grep http | grep "--> on"
> httpd_builtin_scripting --> on
> httpd_dbus_avahi --> on
> httpd_enable_cgi --> on
> httpd_execmem --> on
> httpd_tty_comm --> on
> httpd_unified --> on
>
> >> All contexts, importantly httpd_sys_script_exec_t for cgi-bin and index.py within:
> # ls -lZd /var/www/
> drwxr-xr-x. root apache system_u:object_r:httpd_sys_content_t:s0 /var/www/
>
> # ls -lZd /var/www/*
> drwxr-xr-x. root apache system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin
> drwxr-xr-x. root apache system_u:object_r:httpd_sys_content_t:s0 /var/www/html
>
> # ls -lZd /var/www/cgi-bin/*
> -rwxr-xr-x. root apache system_u:object_r:httpd_sys_script_exec_t:s0 /var/www/cgi-bin/index.py

Shot in the dark: what are the mount options of the /var/www/cgi-bin/index.py location?
Permission denied to cgi-script when enforcing selinux on RHEL6
Dominick, thanks. nosuid on /var was the culprit. Remounting suid and everything works as normal.
Note: re-running semodule -DB with the nosuid mount option results in the server error with no denials in the audit log. Bug?

Sent from my BlackBerry device on the Rogers Wireless Network

-----Original Message-----
From: Dominick Grift <dominick.grift@gmail.com>
Date: Tue, 10 Apr 2012 16:41:45
To: Dark Sinclair <darksinclair@gmail.com>
Cc: <selinux@lists.fedoraproject.org>
Subject: Re: Permission denied to cgi-script when enforcing selinux on RHEL6

> shot in the dark: what are the mount options
> of /var/www/cgi-bin/index.py location?
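The resolution above, a CGI script living on a filesystem mounted nosuid, is worth checking for mechanically, because SELinux does not perform a domain transition on exec from a nosuid mount, so httpd_t never enters httpd_sys_script_t no matter how correct the file labels and booleans are. The script below is an added example written for this page, not code posted by anyone in the thread. It parses /proc/mounts-style text to find the mount that actually backs a path (the longest matching mount point, with later mounts shadowing earlier ones at the same point) and reports whether that mount is nosuid; the SAMPLE_MOUNTS text is constructed to mirror the poster's layout (/var on its own nosuid filesystem) and is not from the original post. The diagnose_cgi helper, which runs ls -Z and getsebool on the live host, is only invoked by hand.

```bash
#!/bin/sh
# Added example (not from the mailing-list thread): find the mount that backs a
# path and report whether it is nosuid. A nosuid mount suppresses the SELinux
# domain transition httpd_t -> httpd_sys_script_t on exec of a CGI script.

# Constructed /proc/mounts sample: /var is a separate nosuid filesystem, like
# the poster's host. Not taken from the original post.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/mapper/vg-root / ext4 rw,relatime,barrier=1,data=ordered 0 0
/dev/mapper/vg-var /var ext4 rw,nosuid,nodev,relatime,barrier=1 0 0
/dev/mapper/vg-home /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0'

# mount_opts_for_path <path> [mounts-text]
# Prints the option string of the mount that backs <path>: the longest mount
# point that is a directory prefix of the path. When two entries share a mount
# point (rootfs and the real root above), the later one is the effective mount.
# Reads /proc/mounts when no mounts-text is supplied.
mount_opts_for_path() {
    local path="$1" mounts="${2:-$(cat /proc/mounts)}"
    printf '%s\n' "$mounts" | awk -v p="$path" '
        {
            mp = $2; opts = $4
            # "/" matches every path; any other mount point must equal the
            # path or be followed by "/" in it (so /var does not match /varx).
            if (mp == "/" || mp == p || index(p, mp "/") == 1) {
                if (length(mp) >= best_len) { best_len = length(mp); best = opts }
            }
        }
        END { print best }'
}

# is_nosuid <path> [mounts-text]
# Exit status 0 when the backing mount carries the nosuid option.
is_nosuid() {
    local opts
    opts=$(mount_opts_for_path "$1" "$2")
    printf ',%s,' "$opts" | grep -q ',nosuid,'
}

# diagnose_cgi <script-path>
# The checks walked through in the thread, in order, against the live host.
# Not run automatically; call it by hand on the SELinux machine.
diagnose_cgi() {
    local script="$1"
    echo "== $script"
    ls -Z "$script"                          # expect httpd_sys_script_exec_t
    echo "httpd_enable_cgi: $(getsebool httpd_enable_cgi 2>/dev/null)"
    echo "mount options:    $(mount_opts_for_path "$script")"
    if is_nosuid "$script"; then
        echo "backing mount is nosuid: no httpd_t -> httpd_sys_script_t transition"
        echo "remount without nosuid, or move the script, and retest"
    fi
}

# Demonstration on the constructed sample: the script under /var is affected,
# a script on the root filesystem is not.
for p in /var/www/cgi-bin/index.py /usr/lib/cgi-bin/test.cgi; do
    if is_nosuid "$p" "$SAMPLE_MOUNTS"; then
        echo "$p: nosuid ($(mount_opts_for_path "$p" "$SAMPLE_MOUNTS"))"
    else
        echo "$p: ok ($(mount_opts_for_path "$p" "$SAMPLE_MOUNTS"))"
    fi
done
```

On the real host, `diagnose_cgi /var/www/cgi-bin/index.py` runs the same check against /proc/mounts. Note that remounting /var without nosuid, as the poster did, also re-enables setuid binaries anywhere under /var; a separate, suid-capable filesystem or bind mount for the cgi-bin directory keeps the rest of /var nosuid.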
Permission denied to cgi-script when enforcing selinux on RHEL6
On Tue, 2012-04-10 at 14:51 +0000, darksinclair@gmail.com wrote:
> Dominick, thanks. nosuid on /var was the culprit. Remounting suid and everything works as normal.
>
> Note: re-running semodule -DB with the nosuid mount option results in the server error with no denials in the audit log. Bug?
> Sent from my BlackBerry device on the Rogers Wireless Network

I would expect to see at least some AVC denials, yes (for example rlimitinh, noatsecure etc.). Hard to tell for me from a distance.
Permission denied to cgi-script when enforcing selinux on RHEL6
>>>>> "DG" == Dominick Grift <dominick.grift@gmail.com> writes:
DG> You should really see AVC denials when you build the policy.db with
DG> the dontaudit rules removed (semodule -DB)
DG> Maybe you've overlooked them?

I know the original question was about EL6 but I had some issues with CGI-type stuff outside of a specific cgi-bin directory recently on F16, and I was quite surprised that completely relevant AVCs were hidden behind dontaudit rules. In fact, I had no AVCs at all for that situation; stuff just failed to work without any indication of why. semodule -DB made it completely obvious, once you picked out the AVCs that caused the problem from whatever random other stuff was expected to happen.

Is there any reasonable explanation for why these AVCs are not shown by default?

- J<
Permission denied to cgi-script when enforcing selinux on RHEL6
On Tue, 2012-04-10 at 09:55 -0500, Jason L Tibbitts III wrote:
> >>>>> "DG" == Dominick Grift <dominick.grift@gmail.com> writes:
>
> DG> You should really see AVC denials when you build the policy.db with
> DG> the dontaudit rules removed (semodule -DB)
> DG> Maybe you've overlooked them?
>
> I know the original question was about EL6 but I had some issues with
> CGI-type stuff outside of a specific cgi-bin directory recently on F16,
> and I was quite surprised that completely relevant AVCs were hidden
> behind dontaudit rules. In fact, I had no AVCs at all for that
> situation; stuff just failed to work without any indication of why.
> semodule -DB made it completely obvious, once you picked out the AVCs
> that caused the problem from whatever random other stuff was expected to
> happen.
>
> Is there any reasonable explanation for why these AVCs are not shown by
> default?

There should be, but I can't think of any.

I have encountered similar issues with daemons trying to traverse $USER being dontaudited; I don't like it either.

> - J<
Permission denied to cgi-script when enforcing selinux on RHEL6
On 04/10/2012 11:00 AM, Dominick Grift wrote:
> On Tue, 2012-04-10 at 09:55 -0500, Jason L Tibbitts III wrote:
>> I know the original question was about EL6 but I had some issues with
>> CGI-type stuff outside of a specific cgi-bin directory recently on F16,
>> and I was quite surprised that completely relevant AVCs were hidden
>> behind dontaudit rules. In fact, I had no AVCs at all for that
>> situation; stuff just failed to work without any indication of why.
>> semodule -DB made it completely obvious, once you picked out the AVCs
>> that caused the problem from whatever random other stuff was expected to
>> happen.
>>
>> Is there any reasonable explanation for why these AVCs are not shown by
>> default?
>
> There should be but i cant think of any.
>
> I have encountered similar issues with daemons trying to traverse $USER
> being dontaudited; i dont like it either.

The problem here was that users executing service BLAH restart were generating lots of AVCs if they were sitting in their $HOME directory. Since the default for apps was to look at the current working directory, we would get an AVC like named_t tried to getattr on user_home_dir_t. The best way to stop this flood was to say

dontaudit initdaemons user_home_dir_t:dir search_dir_perms;

Now that we have moved to systemd, this is not as big a problem and we can remove the dontaudit rule.
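The workflow the thread converges on is: rebuild the policy with dontaudit rules removed (semodule -DB), reproduce the request, read the AVCs, then restore the dontaudit rules (semodule -B) so expected noise such as the named_t/user_home_dir_t case described above does not flood the log again. The awkward step is the one Jason mentions, picking the relevant AVCs out of the rest. The script below is an added example written for this page, not code from the thread: avc_summary reduces raw AVC records to one line per source type, target type, class and permission set, filtered by the source domain you care about. SAMPLE_AVC is constructed in the standard audit AVC format to illustrate the filter (an httpd_t exec denial, the rlimitinh/noatsecure process permissions Dominick mentions, and the named_t noise Dan describes); it is not the poster's log, and the page does not show which permission nosuid actually tripped on his host. collect_httpd_avcs wraps the full semodule/ausearch sequence and needs root on the SELinux host, so it is not invoked automatically.

```bash
#!/bin/sh
# Added example (not from the mailing-list thread): summarise AVC denials for
# one source domain after surfacing dontaudit'ed rules with semodule -DB.

# Constructed audit records in the standard AVC format. Illustrative only; not
# from the poster's audit.log.
SAMPLE_AVC='type=AVC msg=audit(1334066263.101:2001): avc:  denied  { execute_no_trans } for  pid=12719 comm="httpd" path="/var/www/cgi-bin/index.py" dev=dm-2 ino=131089 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_script_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1334066263.101:2001): arch=c000003e syscall=59 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0
type=AVC msg=audit(1334066263.101:2002): avc:  denied  { rlimitinh noatsecure siginh } for  pid=12719 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1334066270.555:2003): avc:  denied  { getattr } for  pid=4021 comm="named" path="/home/admin" dev=dm-3 ino=262145 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir'

# avc_summary <source-type-regex> [log-text]
# Prints unique "src_type -> tgt_type tclass { perms }" lines for every AVC
# denial whose source type matches the regex. Reads stdin when no log-text is
# supplied, so it can sit at the end of an ausearch pipeline.
avc_summary() {
    local want="$1" log="${2:-$(cat)}"
    printf '%s\n' "$log" | awk -v want="$want" '
        /avc: *denied/ {
            # Permission set sits between the braces after "denied".
            perms = $0
            sub(/.*denied[ ]*[{][ ]*/, "", perms)
            sub(/[ ]*[}].*/, "", perms)
            sc = ""; tc = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/)      sc  = substr($i, 10)
                else if ($i ~ /^tcontext=/) tc  = substr($i, 10)
                else if ($i ~ /^tclass=/)   cls = substr($i, 8)
            }
            # user:role:type:level -> keep the type field of each context.
            split(sc, s, ":"); split(tc, t, ":")
            if (s[3] ~ want) print s[3], "->", t[3], cls, "{ " perms " }"
        }' | sort -u
}

# collect_httpd_avcs [url]
# The sequence discussed in the thread. Requires root on the SELinux host and
# is deliberately not run here. semodule -DB drops dontaudit rules and
# rebuilds policy.db; semodule -B rebuilds with them restored.
collect_httpd_avcs() {
    semodule -DB
    curl -sk "${1:-https://localhost/cgi-bin/index.py}" >/dev/null
    ausearch -m avc -ts recent | avc_summary httpd_t
    semodule -B
}

# Demonstration on the constructed records: the named_t line is dropped.
echo "AVC denials with source type httpd_t:"
avc_summary httpd_t "$SAMPLE_AVC"
```

Run as root on the affected host, `collect_httpd_avcs` prints just the httpd_t lines; if it prints nothing even with dontaudit rules disabled, the poster's observation that nosuid produced a 500 with no AVC at all is reproduced, and the mount options are the next thing to check rather than the policy.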