* RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
From: Chris O'Neil @ 2017-05-22 16:29 UTC (permalink / raw)
To: selinux
Hi, running latest RHEL 7.3 ... struggling with an SELinux issue related
to Apache httpd that I just can't figure out. I have always been able
to tune policy or alter a boolean; this one has me stumped!
What I am trying to do: I am trying to deploy a simple, 3-line CGI
script in /var/www/cgi-bin/. Runs fine with enforcement disabled (see
output below). My custom policy for Apache (see below) comes from my
EL6 environment.
The normal setroubleshoot tools don't help, as there is only a single
line in audit.log (of type=SELINUX_ERR).
This is not happening on latest RHEL 6.9 ...
Might be related to systemd? I don't see any "NoNewPrivileges"
directives inside /etc/systemd/ though ... weird!
Many thanks for your help!
-chris
########################################################################
# With enforcement disabled ... all is good (as expected)
########################################################################
# ls -laZ /var/www/cgi-bin/
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 .
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 ..
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 ok.cgi
# setenforce 0
# systemctl restart httpd.service
$ curl localhost/cgi-bin/ok.cgi
OK
########################################################################
# With enforcement enabled ... CGI script fails, all you find is a
# single deny in /var/log/audit/audit.log
########################################################################
# setenforce 1
# systemctl restart httpd.service
# getenforce
Enforcing
$ curl localhost/cgi-bin/ok.cgi
<html><head><title>500 Server Error</title></head><body><h1>Server
Error</h1></body></html>
# tail /var/log/audit/audit.log | grep denied
type=SELINUX_ERR msg=audit(1495468154.591:121695):
op=security_bounded_transition seresult=denied
oldcontext=system_u:system_r:httpd_t:s0
newcontext=system_u:system_r:httpd_sys_script_t:s0
########################################################################
# System details ...
########################################################################
# uname -r
3.10.0-514.16.1.el7.x86_64
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)
# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
# find /etc/ -type f | xargs grep NoNewPrivileges
[NO OUTPUT]
# getsebool -a | grep httpd_
httpd_anon_write --> on
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_dbus_avahi --> on
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> on
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
# THIS IS MY GENERIC APACHE TE FILE FROM EL6 ...
# cat myapache.te
module myapache 0.4;
require {
type httpd_t;
type httpd_sys_script_t;
type http_port_t;
type mysqld_port_t;
type rpm_var_cache_t;
type kernel_t;
class process { setpgid transition };
class system module_request;
class tcp_socket name_connect;
class dir { read search open getattr };
class file { open read getattr };
}
allow httpd_t rpm_var_cache_t:dir { read search open getattr };
allow httpd_t rpm_var_cache_t:file { read getattr open };
allow httpd_t mysqld_port_t:tcp_socket name_connect;
allow httpd_sys_script_t self:process setpgid;
allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
allow httpd_sys_script_t kernel_t:system module_request;
# type=SELINUX_ERR msg=audit(1495467001.822:84934):
# op=security_bounded_transition seresult=denied
# oldcontext=system_u:system_r:httpd_t:s0
# newcontext=system_u:system_r:httpd_sys_script_t:s0
# THIS STILL DOES NOT WORK! SYSTEMD ISSUE?
allow httpd_t httpd_sys_script_t:process transition;
* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
From: Dominick Grift @ 2017-05-22 16:58 UTC (permalink / raw)
To: selinux
On Mon, May 22, 2017 at 09:29:10AM -0700, Chris O'Neil wrote:
> Hi, running latest RHEL 7.3 ... struggling with an SELinux issue related
> to Apache httpd that I just can't figure out. I have always been able
> to tune policy or alter a boolean, this one has me stumped!
>
> What I am trying to do: I am trying to deploy a simple, 3 line CGI
> script in /var/www/cgi-bin/. Runs fine with enforcement disabled (see
> output below). My custom policy for Apache (see below) comes from my
> EL6 environment.
>
> The normal setroubleshooting tools don't help, as there is only a single
> line in audit.log (of type=SELINUX_ERR)
>
> This is not happening on latest RHEL 6.9 ...
>
> Might be related to systemd? I don't see any "NoNewPrivileges"
> directives inside /etc/systemd/ though ... weird!
Try grepping /usr/lib/systemd as well.
Also, do you have "mod_selinux" enabled? Because that requires a type bounds as well, AFAIK.
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
From: Chris O'Neil @ 2017-05-22 17:16 UTC (permalink / raw)
To: selinux
On 05/22/2017 09:58 AM, Dominick Grift wrote:
> On Mon, May 22, 2017 at 09:29:10AM -0700, Chris O'Neil wrote:
>> Hi, running latest RHEL 7.3 ... struggling with an SELinux issue related
>> to Apache httpd that I just can't figure out. I have always been able
>> to tune policy or alter a boolean, this one has me stumped!
>>
>> What I am trying to do: I am trying to deploy a simple, 3 line CGI
>> script in /var/www/cgi-bin/. Runs fine with enforcement disabled (see
>> output below). My custom policy for Apache (see below) comes from my
>> EL6 environment.
>>
>> The normal setroubleshooting tools don't help, as there is only a single
>> line in audit.log (of type=SELINUX_ERR)
>>
>> This is not happening on latest RHEL 6.9 ...
>>
>> Might be related to systemd? I don't see any "NoNewPrivileges"
>> directives inside /etc/systemd/ though ... weird!
>
> try grepping /usr/lib/systemd as well
> also do you have "mod_selinux" enabled? because that requires a type bounds as well AFAIK
Dominick, I did find the "NoNewPrivileges" directive inside of
/usr/lib/systemd/system/systemd-importd.service ... commented it out,
rebooted just to be safe ... no luck ... same problem as before, same
message in /var/log/audit/audit.log. Also tried changing the value from
"Yes" to "No" and rebooting, that didn't help.
$ curl localhost/cgi-bin/ok.cgi
<html><head><title>500 Server Error</title></head><body><h1>Server
Error</h1></body></html>
# tail /var/log/audit/audit.log | grep denied
type=SELINUX_ERR msg=audit(1495473331.188:183):
op=security_bounded_transition seresult=denied
oldcontext=system_u:system_r:httpd_t:s0
newcontext=system_u:system_r:httpd_sys_script_t:s0
Confirmed I do not have "mod_selinux" enabled ... this is a pretty
vanilla deployment of RHEL 7 and Apache httpd.
Thanks!
-chris
* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
From: Dominick Grift @ 2017-05-22 17:35 UTC (permalink / raw)
To: selinux
On Mon, May 22, 2017 at 10:16:55AM -0700, Chris O'Neil wrote:
>
>
> On 05/22/2017 09:58 AM, Dominick Grift wrote:
> > On Mon, May 22, 2017 at 09:29:10AM -0700, Chris O'Neil wrote:
> >> Hi, running latest RHEL 7.3 ... struggling with an SELinux issue related
> >> to Apache httpd that I just can't figure out. I have always been able
> >> to tune policy or alter a boolean, this one has me stumped!
> >>
> >> What I am trying to do: I am trying to deploy a simple, 3 line CGI
> >> script in /var/www/cgi-bin/. Runs fine with enforcement disabled (see
> >> output below). My custom policy for Apache (see below) comes from my
> >> EL6 environment.
> >>
> >> The normal setroubleshooting tools don't help, as there is only a single
> >> line in audit.log (of type=SELINUX_ERR)
> >>
> >> This is not happening on latest RHEL 6.9 ...
> >>
> >> Might be related to systemd? I don't see any "NoNewPrivileges"
> >> directives inside /etc/systemd/ though ... weird!
>
> >
> > try grepping /usr/lib/systemd as well
> > also do you have "mod_selinux" enabled? because that requires a type bounds as well AFAIK
>
> Dominick, I did find the "NoNewPrivileges" directive inside of
> /usr/lib/systemd/system/systemd-importd.service ... commented it out,
> rebooted just to be safe ... no luck ... same problem as before, same
> message in /var/log/audit/audit.log. Also tried changing the value from
> "Yes" to "No" and rebooting, that didn't help.
Yes, that only applies to systemd-importd (which I suppose no one uses, at least not with SELinux enabled).
>
> $ curl localhost/cgi-bin/ok.cgi
> <html><head><title>500 Server Error</title></head><body><h1>Server
> Error</h1></body></html>
>
> # tail /var/log/audit/audit.log | grep denied
> type=SELINUX_ERR msg=audit(1495473331.188:183):
> op=security_bounded_transition seresult=denied
> oldcontext=system_u:system_r:httpd_t:s0
> newcontext=system_u:system_r:httpd_sys_script_t:s0
>
> Confirmed I do not have "mod_selinux" enabled ... this is a pretty
> vanilla deployment of RHEL 7 and Apache httpd
Are you using any other "exotic"/non-default Apache modules? (I suppose not, since you already said it's pretty vanilla.)
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
From: Stephen Smalley @ 2017-05-22 18:18 UTC (permalink / raw)
To: Chris O'Neil, selinux
On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> Hi, running latest RHEL 7.3 ... struggling with an SELinux issue
> related
> to Apache httpd that I just can't figure out. I have always been
> able
> to tune policy or alter a boolean, this one has me stumped!
>
> What I am trying to do: I am trying to deploy a simple, 3 line CGI
> script in /var/www/cgi-bin/. Runs fine with enforcement disabled
> (see
> output below). My custom policy for Apache (see below) comes from my
> EL6 environment.
>
> The normal setroubleshooting tools don't help, as there is only a
> single
> line in audit.log (of type=SELINUX_ERR)
>
> This is not happening on latest RHEL 6.9 ...
>
> Might be related to systemd? I don't see any "NoNewPrivileges"
> directives inside /etc/systemd/ though ... weird!
Is the filesystem mounted nosuid?
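A diagnostic helper for the two conditions raised so far (Chris's NoNewPrivileges hypothesis and the nosuid question), added here as an example; it is not code from any message in this thread. It assumes a POSIX shell with sed, cut and GNU stat, uses findmnt and systemctl only when they are present, and the audit record embedded in it is a constructed copy of the one from the original post joined onto one line.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread). Assumes: POSIX sh, sed, cut,
# GNU stat; findmnt and systemctl are only used when present on the host.

# Constructed input: the SELINUX_ERR record from the original post, joined
# onto one line as it appears in /var/log/audit/audit.log.
AUDIT_RECORD='type=SELINUX_ERR msg=audit(1495468154.591:121695): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:httpd_t:s0 newcontext=system_u:system_r:httpd_sys_script_t:s0'

# The third colon-separated field of a context is the type, e.g. httpd_t.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print "old_type new_type" for a denied security_bounded_transition record;
# return 1 for any other record (plain AVC lines etc.).
parse_bounded_transition() {
    case $1 in
        *op=security_bounded_transition*seresult=denied*) ;;
        *) return 1 ;;
    esac
    old=$(printf '%s\n' "$1" | sed -n 's/.*oldcontext=\([^ ]*\).*/\1/p')
    new=$(printf '%s\n' "$1" | sed -n 's/.*newcontext=\([^ ]*\).*/\1/p')
    [ -n "$old" ] && [ -n "$new" ] || return 1
    printf '%s %s\n' "$(context_type "$old")" "$(context_type "$new")"
}

# True when a findmnt-style option string contains nosuid as a whole option.
has_nosuid() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check: is the filesystem holding $1 mounted nosuid? Returns 0 if it is,
# 1 if not, 2 if it could not be determined.
check_path_nosuid() {
    command -v findmnt >/dev/null 2>&1 || { echo "findmnt missing, nosuid check skipped"; return 2; }
    mp=$(stat -c %m "$1" 2>/dev/null) || { echo "$1 not found"; return 2; }
    opts=$(findmnt -n -o OPTIONS "$mp") || return 2
    echo "$1 is on $mp with options: $opts"
    has_nosuid "$opts"
}

# Live check: does the unit run with NoNewPrivileges=yes? Same return codes.
check_unit_nnp() {
    command -v systemctl >/dev/null 2>&1 || { echo "systemctl missing, NNP check skipped"; return 2; }
    val=$(systemctl show -p NoNewPrivileges "$1" 2>/dev/null) || return 2
    val=${val#NoNewPrivileges=}
    echo "$1 NoNewPrivileges=$val"
    [ "$val" = yes ]
}

main() {
    types=$(parse_bounded_transition "$AUDIT_RECORD") || { echo "not a bounded-transition denial"; return 1; }
    old=${types%% *}
    new=${types##* }
    echo "denied transition: $old -> $new"
    # With NNP or a nosuid mount in effect, this kernel only allows the
    # transition if the new type is bounded by the old one (typebounds), and a
    # bounded type can never hold permissions its parent lacks.
    if check_path_nosuid /var/www/cgi-bin; then
        echo "  nosuid mount: remount without nosuid, or bound $new under $old"
    fi
    if check_unit_nnp httpd.service; then
        echo "  NoNewPrivileges is set on the unit; the same constraint applies"
    fi
}

# Run the live checks only when invoked as: sh bounded_check.sh --run
if [ "$1" = --run ]; then main; fi
```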
* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
From: Dominick Grift @ 2017-05-22 18:23 UTC (permalink / raw)
To: selinux
On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > Hi, running latest RHEL 7.3 ... struggling with an SELinux issue
> > related
> > to Apache httpd that I just can't figure out. I have always been
> > able
> > to tune policy or alter a boolean, this one has me stumped!
> >
> > What I am trying to do: I am trying to deploy a simple, 3 line CGI
> > script in /var/www/cgi-bin/. Runs fine with enforcement disabled
> > (see
> > output below). My custom policy for Apache (see below) comes from my
> > EL6 environment.
> >
> > The normal setroubleshooting tools don't help, as there is only a
> > single
> > line in audit.log (of type=SELINUX_ERR)
> >
> > This is not happening on latest RHEL 6.9 ...
> >
> > Might be related to systemd? I don't see any "NoNewPrivileges"
> > directives inside /etc/systemd/ though ... weird!
>
> Is the filesystem mounted nosuid?
If selinux also uses that message for that scenario then i find that confusing since the message, to me, implies that the issue can be find by adding a type bounds, but i don't think that would work for nosuid mounted slices
>
> >
> > Many thanks for your help!
> > -chris
> >
> >
> > #####################################################################
> > ###
> > # With enforcement disabled ... all is good (as expected)
> > #####################################################################
> > ###
> >
> > # ls -laZ /var/www/cgi-bin/
> > drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 .
> > drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 ..
> > -rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0
> > ok.cgi
> >
> > # setenforce 0
> > # systemctl restart httpd.service
> > $ curl localhost/cgi-bin/ok.cgi
> > OK
> >
> >
> > #####################################################################
> > ###
> > # With enforcement enabled ... CGI script fails, all you find is a
> > # single deny in /var/log/audit/audit.log
> > #####################################################################
> > ###
> >
> > # setenforce 1
> > # systemctl restart httpd.service
> >
> > # getenforce
> > Enforcing
> >
> > $ curl localhost/cgi-bin/ok.cgi
> > <html><head><title>500 Server Error</title></head><body><h1>Server
> > Error</h1></body></html>
> >
> > # tail /var/log/audit/audit.log | grep denied
> > type=SELINUX_ERR msg=audit(1495468154.591:121695):
> > op=security_bounded_transition seresult=denied
> > oldcontext=system_u:system_r:httpd_t:s0
> > newcontext=system_u:system_r:httpd_sys_script_t:s0
> >
> >
> > #####################################################################
> > ###
> > # System details ...
> > #####################################################################
> > ###
> >
> > # uname -r
> > 3.10.0-514.16.1.el7.x86_64
> >
> > # cat /etc/redhat-release
> > Red Hat Enterprise Linux Server release 7.3 (Maipo)
> >
> > # sestatus
> > SELinux status: enabled
> > SELinuxfs mount: /sys/fs/selinux
> > SELinux root directory: /etc/selinux
> > Loaded policy name: targeted
> > Current mode: enforcing
> > Mode from config file: enforcing
> > Policy MLS status: enabled
> > Policy deny_unknown status: allowed
> > Max kernel policy version: 28
> >
> > # find /etc/ -type f | xargs grep NoNewPrivileges
> > [NO OUTPUT]
> >
> > # getsebool -a | grep httpd_
> > httpd_anon_write --> on
> > httpd_builtin_scripting --> on
> > httpd_can_check_spam --> off
> > httpd_can_connect_ftp --> off
> > httpd_can_connect_ldap --> off
> > httpd_can_connect_mythtv --> off
> > httpd_can_connect_zabbix --> off
> > httpd_can_network_connect --> on
> > httpd_can_network_connect_cobbler --> off
> > httpd_can_network_connect_db --> on
> > httpd_can_network_memcache --> off
> > httpd_can_network_relay --> off
> > httpd_can_sendmail --> on
> > httpd_dbus_avahi --> on
> > httpd_dbus_sssd --> off
> > httpd_dontaudit_search_dirs --> off
> > httpd_enable_cgi --> on
> > httpd_enable_ftp_server --> off
> > httpd_enable_homedirs --> off
> > httpd_execmem --> off
> > httpd_graceful_shutdown --> on
> > httpd_manage_ipa --> off
> > httpd_mod_auth_ntlm_winbind --> off
> > httpd_mod_auth_pam --> off
> > httpd_read_user_content --> on
> > httpd_run_ipa --> off
> > httpd_run_preupgrade --> off
> > httpd_run_stickshift --> off
> > httpd_serve_cobbler_files --> off
> > httpd_setrlimit --> off
> > httpd_ssi_exec --> off
> > httpd_sys_script_anon_write --> off
> > httpd_tmp_exec --> off
> > httpd_tty_comm --> on
> > httpd_unified --> on
> > httpd_use_cifs --> off
> > httpd_use_fusefs --> off
> > httpd_use_gpg --> off
> > httpd_use_nfs --> off
> > httpd_use_openstack --> off
> > httpd_use_sasl --> off
> > httpd_verify_dns --> off
> >
> >
> > # THIS IS MY GENERIC APACHE TE FILE FROM EL6 ...
> >
> > # cat myapache.te
> > module myapache 0.4;
> >
> > require {
> > type httpd_t;
> > type httpd_sys_script_t;
> > type http_port_t;
> > type mysqld_port_t;
> > type rpm_var_cache_t;
> > type kernel_t;
> > class process { setpgid transition };
> > class system module_request;
> > class tcp_socket name_connect;
> > class dir { read search open getattr };
> > class file { open read getattr };
> > }
> >
> > allow httpd_t rpm_var_cache_t:dir { read search open getattr };
> > allow httpd_t rpm_var_cache_t:file { read getattr open } ;
> > allow httpd_t mysqld_port_t:tcp_socket name_connect;
> > allow httpd_sys_script_t self:process setpgid;
> > allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
> > allow httpd_sys_script_t kernel_t:system module_request;
> >
> > #type=SELINUX_ERR msg=audit(1495467001.822:84934):
> > op=security_bounded_transition seresult=denied
> > oldcontext=system_u:system_r:httpd_t:s0
> > newcontext=system_u:system_r:httpd_sys_script_t:s0
> > # THIS STILL DOES NOT WORK! SYSTEMD ISSUE?
> > allow httpd_t httpd_sys_script_t:process transition;
> >
> >
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
2017-05-22 18:23 ` Dominick Grift
@ 2017-05-22 18:29 ` Dominick Grift
2017-05-22 18:32 ` Chris O'Neil
2017-05-22 18:33 ` Stephen Smalley
2 siblings, 0 replies; 13+ messages in thread
From: Dominick Grift @ 2017-05-22 18:29 UTC (permalink / raw)
To: selinux
[-- Attachment #1: Type: text/plain, Size: 7071 bytes --]
On Mon, May 22, 2017 at 08:23:50PM +0200, Dominick Grift wrote:
> On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > > Hi, running latest RHEL 7.3 ... struggling with an SELinux issue
> > > related
> > > to Apache httpd that I just can't figure out. I have always been
> > > able
> > > to tune policy or alter a boolean, this one has me stumped!
> > >
> > > What I am trying to do: I am trying to deploy a simple, 3 line CGI
> > > script in /var/www/cgi-bin/. Runs fine with enforcement disabled
> > > (see
> > > output below). My custom policy for Apache (see below) comes from my
> > > EL6 environment.
> > >
> > > The normal setroubleshooting tools don't help, as there is only a
> > > single
> > > line in audit.log (of type=SELINUX_ERR)
> > >
> > > This is not happening on latest RHEL 6.9 ...
> > >
> > > Might be related to systemd? I don't see any "NoNewPrivileges"
> > > directives inside /etc/systemd/ though ... weird!
> >
> > Is the filesystem mounted nosuid?
>
> If selinux also uses that message for that scenario then i find that confusing since the message, to me, implies that the issue can be find by adding a type bounds, but i don't think that would work for nosuid mounted slices
s/find/fixed
> >
> > >
> > > Many thanks for your help!
> > > -chris
> > >
> > >
> > > #####################################################################
> > > ###
> > > # With enforcement disabled ... all is good (as expected)
> > > #####################################################################
> > > ###
> > >
> > > # ls -laZ /var/www/cgi-bin/
> > > drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 .
> > > drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 ..
> > > -rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0
> > > ok.cgi
> > >
> > > # setenforce 0
> > > # systemctl restart httpd.service
> > > $ curl localhost/cgi-bin/ok.cgi
> > > OK
> > >
> > >
> > > #####################################################################
> > > ###
> > > # With enforcement enabled ... CGI script fails, all you find is a
> > > # single deny in /var/log/audit/audit.log
> > > #####################################################################
> > > ###
> > >
> > > # setenforce 1
> > > # systemctl restart httpd.service
> > >
> > > # getenforce
> > > Enforcing
> > >
> > > $ curl localhost/cgi-bin/ok.cgi
> > > <html><head><title>500 Server Error</title></head><body><h1>Server
> > > Error</h1></body></html>
> > >
> > > # tail /var/log/audit/audit.log | grep denied
> > > type=SELINUX_ERR msg=audit(1495468154.591:121695):
> > > op=security_bounded_transition seresult=denied
> > > oldcontext=system_u:system_r:httpd_t:s0
> > > newcontext=system_u:system_r:httpd_sys_script_t:s0
> > >
> > >
> > > #####################################################################
> > > ###
> > > # System details ...
> > > #####################################################################
> > > ###
> > >
> > > # uname -r
> > > 3.10.0-514.16.1.el7.x86_64
> > >
> > > # cat /etc/redhat-release
> > > Red Hat Enterprise Linux Server release 7.3 (Maipo)
> > >
> > > # sestatus
> > > SELinux status: enabled
> > > SELinuxfs mount: /sys/fs/selinux
> > > SELinux root directory: /etc/selinux
> > > Loaded policy name: targeted
> > > Current mode: enforcing
> > > Mode from config file: enforcing
> > > Policy MLS status: enabled
> > > Policy deny_unknown status: allowed
> > > Max kernel policy version: 28
> > >
> > > # find /etc/ -type f | xargs grep NoNewPrivileges
> > > [NO OUTPUT]
> > >
> > > # getsebool -a | grep httpd_
> > > httpd_anon_write --> on
> > > httpd_builtin_scripting --> on
> > > httpd_can_check_spam --> off
> > > httpd_can_connect_ftp --> off
> > > httpd_can_connect_ldap --> off
> > > httpd_can_connect_mythtv --> off
> > > httpd_can_connect_zabbix --> off
> > > httpd_can_network_connect --> on
> > > httpd_can_network_connect_cobbler --> off
> > > httpd_can_network_connect_db --> on
> > > httpd_can_network_memcache --> off
> > > httpd_can_network_relay --> off
> > > httpd_can_sendmail --> on
> > > httpd_dbus_avahi --> on
> > > httpd_dbus_sssd --> off
> > > httpd_dontaudit_search_dirs --> off
> > > httpd_enable_cgi --> on
> > > httpd_enable_ftp_server --> off
> > > httpd_enable_homedirs --> off
> > > httpd_execmem --> off
> > > httpd_graceful_shutdown --> on
> > > httpd_manage_ipa --> off
> > > httpd_mod_auth_ntlm_winbind --> off
> > > httpd_mod_auth_pam --> off
> > > httpd_read_user_content --> on
> > > httpd_run_ipa --> off
> > > httpd_run_preupgrade --> off
> > > httpd_run_stickshift --> off
> > > httpd_serve_cobbler_files --> off
> > > httpd_setrlimit --> off
> > > httpd_ssi_exec --> off
> > > httpd_sys_script_anon_write --> off
> > > httpd_tmp_exec --> off
> > > httpd_tty_comm --> on
> > > httpd_unified --> on
> > > httpd_use_cifs --> off
> > > httpd_use_fusefs --> off
> > > httpd_use_gpg --> off
> > > httpd_use_nfs --> off
> > > httpd_use_openstack --> off
> > > httpd_use_sasl --> off
> > > httpd_verify_dns --> off
> > >
> > >
> > > # THIS IS MY GENERIC APACHE TE FILE FROM EL6 ...
> > >
> > > # cat myapache.te
> > > module myapache 0.4;
> > >
> > > require {
> > > type httpd_t;
> > > type httpd_sys_script_t;
> > > type http_port_t;
> > > type mysqld_port_t;
> > > type rpm_var_cache_t;
> > > type kernel_t;
> > > class process { setpgid transition };
> > > class system module_request;
> > > class tcp_socket name_connect;
> > > class dir { read search open getattr };
> > > class file { open read getattr };
> > > }
> > >
> > > allow httpd_t rpm_var_cache_t:dir { read search open getattr };
> > > allow httpd_t rpm_var_cache_t:file { read getattr open } ;
> > > allow httpd_t mysqld_port_t:tcp_socket name_connect;
> > > allow httpd_sys_script_t self:process setpgid;
> > > allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
> > > allow httpd_sys_script_t kernel_t:system module_request;
> > >
> > > #type=SELINUX_ERR msg=audit(1495467001.822:84934):
> > > op=security_bounded_transition seresult=denied
> > > oldcontext=system_u:system_r:httpd_t:s0
> > > newcontext=system_u:system_r:httpd_sys_script_t:s0
> > > # THIS STILL DOES NOT WORK! SYSTEMD ISSUE?
> > > allow httpd_t httpd_sys_script_t:process transition;
> > >
> > >
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
2017-05-22 18:23 ` Dominick Grift
2017-05-22 18:29 ` Dominick Grift
@ 2017-05-22 18:32 ` Chris O'Neil
2017-05-22 18:45 ` Stephen Smalley
2017-05-22 18:33 ` Stephen Smalley
2 siblings, 1 reply; 13+ messages in thread
From: Chris O'Neil @ 2017-05-22 18:32 UTC (permalink / raw)
To: selinux
On Mon, May 22, 2017 at 11:23 AM, Dominick Grift <dac.override@gmail.com> wrote:
> On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
>> On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
>> > Hi, running latest RHEL 7.3 ... struggling with an SELinux issue
>> > related
>> > to Apache httpd that I just can't figure out. I have always been
>> > able
>> > to tune policy or alter a boolean, this one has me stumped!
>> >
>> > What I am trying to do: I am trying to deploy a simple, 3 line CGI
>> > script in /var/www/cgi-bin/. Runs fine with enforcement disabled
>> > (see
>> > output below). My custom policy for Apache (see below) comes from my
>> > EL6 environment.
>> >
>> > The normal setroubleshooting tools don't help, as there is only a
>> > single
>> > line in audit.log (of type=SELINUX_ERR)
>> >
>> > This is not happening on latest RHEL 6.9 ...
>> >
>> > Might be related to systemd? I don't see any "NoNewPrivileges"
>> > directives inside /etc/systemd/ though ... weird!
>>
>> Is the filesystem mounted nosuid?
>
> If selinux also uses that message for that scenario then i find that confusing since the message, to me, implies that the issue can be find by adding a type bounds, but i don't think that would work for nosuid mounted slices
Stephen ... /var/www/ was mounted with the "nosuid" option. I forgot
about that ... if I remember correctly, when "nosuid" is set on a
mounted FS, SELinux trans will fail under this condition. This bit me
before, years ago... and I forgot about it.
Everything is working as expected now. If I want to mitigate some
risk, and still use "nosuid" for /var/www/ .... I'll need to split
/var/www/cgi-bin away from /var/www/ ...
Thank you both for your time and help
-chris
>>
>> >
>> > Many thanks for your help!
>> > -chris
>> >
>> >
>> > #####################################################################
>> > ###
>> > # With enforcement disabled ... all is good (as expected)
>> > #####################################################################
>> > ###
>> >
>> > # ls -laZ /var/www/cgi-bin/
>> > drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 .
>> > drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 ..
>> > -rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0
>> > ok.cgi
>> >
>> > # setenforce 0
>> > # systemctl restart httpd.service
>> > $ curl localhost/cgi-bin/ok.cgi
>> > OK
>> >
>> >
>> > #####################################################################
>> > ###
>> > # With enforcement enabled ... CGI script fails, all you find is a
>> > # single deny in /var/log/audit/audit.log
>> > #####################################################################
>> > ###
>> >
>> > # setenforce 1
>> > # systemctl restart httpd.service
>> >
>> > # getenforce
>> > Enforcing
>> >
>> > $ curl localhost/cgi-bin/ok.cgi
>> > <html><head><title>500 Server Error</title></head><body><h1>Server
>> > Error</h1></body></html>
>> >
>> > # tail /var/log/audit/audit.log | grep denied
>> > type=SELINUX_ERR msg=audit(1495468154.591:121695):
>> > op=security_bounded_transition seresult=denied
>> > oldcontext=system_u:system_r:httpd_t:s0
>> > newcontext=system_u:system_r:httpd_sys_script_t:s0
>> >
>> >
>> > #####################################################################
>> > ###
>> > # System details ...
>> > #####################################################################
>> > ###
>> >
>> > # uname -r
>> > 3.10.0-514.16.1.el7.x86_64
>> >
>> > # cat /etc/redhat-release
>> > Red Hat Enterprise Linux Server release 7.3 (Maipo)
>> >
>> > # sestatus
>> > SELinux status: enabled
>> > SELinuxfs mount: /sys/fs/selinux
>> > SELinux root directory: /etc/selinux
>> > Loaded policy name: targeted
>> > Current mode: enforcing
>> > Mode from config file: enforcing
>> > Policy MLS status: enabled
>> > Policy deny_unknown status: allowed
>> > Max kernel policy version: 28
>> >
>> > # find /etc/ -type f | xargs grep NoNewPrivileges
>> > [NO OUTPUT]
>> >
>> > # getsebool -a | grep httpd_
>> > httpd_anon_write --> on
>> > httpd_builtin_scripting --> on
>> > httpd_can_check_spam --> off
>> > httpd_can_connect_ftp --> off
>> > httpd_can_connect_ldap --> off
>> > httpd_can_connect_mythtv --> off
>> > httpd_can_connect_zabbix --> off
>> > httpd_can_network_connect --> on
>> > httpd_can_network_connect_cobbler --> off
>> > httpd_can_network_connect_db --> on
>> > httpd_can_network_memcache --> off
>> > httpd_can_network_relay --> off
>> > httpd_can_sendmail --> on
>> > httpd_dbus_avahi --> on
>> > httpd_dbus_sssd --> off
>> > httpd_dontaudit_search_dirs --> off
>> > httpd_enable_cgi --> on
>> > httpd_enable_ftp_server --> off
>> > httpd_enable_homedirs --> off
>> > httpd_execmem --> off
>> > httpd_graceful_shutdown --> on
>> > httpd_manage_ipa --> off
>> > httpd_mod_auth_ntlm_winbind --> off
>> > httpd_mod_auth_pam --> off
>> > httpd_read_user_content --> on
>> > httpd_run_ipa --> off
>> > httpd_run_preupgrade --> off
>> > httpd_run_stickshift --> off
>> > httpd_serve_cobbler_files --> off
>> > httpd_setrlimit --> off
>> > httpd_ssi_exec --> off
>> > httpd_sys_script_anon_write --> off
>> > httpd_tmp_exec --> off
>> > httpd_tty_comm --> on
>> > httpd_unified --> on
>> > httpd_use_cifs --> off
>> > httpd_use_fusefs --> off
>> > httpd_use_gpg --> off
>> > httpd_use_nfs --> off
>> > httpd_use_openstack --> off
>> > httpd_use_sasl --> off
>> > httpd_verify_dns --> off
>> >
>> >
>> > # THIS IS MY GENERIC APACHE TE FILE FROM EL6 ...
>> >
>> > # cat myapache.te
>> > module myapache 0.4;
>> >
>> > require {
>> > type httpd_t;
>> > type httpd_sys_script_t;
>> > type http_port_t;
>> > type mysqld_port_t;
>> > type rpm_var_cache_t;
>> > type kernel_t;
>> > class process { setpgid transition };
>> > class system module_request;
>> > class tcp_socket name_connect;
>> > class dir { read search open getattr };
>> > class file { open read getattr };
>> > }
>> >
>> > allow httpd_t rpm_var_cache_t:dir { read search open getattr };
>> > allow httpd_t rpm_var_cache_t:file { read getattr open } ;
>> > allow httpd_t mysqld_port_t:tcp_socket name_connect;
>> > allow httpd_sys_script_t self:process setpgid;
>> > allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
>> > allow httpd_sys_script_t kernel_t:system module_request;
>> >
>> > #type=SELINUX_ERR msg=audit(1495467001.822:84934):
>> > op=security_bounded_transition seresult=denied
>> > oldcontext=system_u:system_r:httpd_t:s0
>> > newcontext=system_u:system_r:httpd_sys_script_t:s0
>> > # THIS STILL DOES NOT WORK! SYSTEMD ISSUE?
>> > allow httpd_t httpd_sys_script_t:process transition;
>> >
>> >
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
2017-05-22 18:23 ` Dominick Grift
2017-05-22 18:29 ` Dominick Grift
2017-05-22 18:32 ` Chris O'Neil
@ 2017-05-22 18:33 ` Stephen Smalley
2 siblings, 0 replies; 13+ messages in thread
From: Stephen Smalley @ 2017-05-22 18:33 UTC (permalink / raw)
To: Dominick Grift, selinux
On Mon, 2017-05-22 at 20:23 +0200, Dominick Grift wrote:
> On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > > Hi, running latest RHEL 7.3 ... struggling with an SELinux issue
> > > related
> > > to Apache httpd that I just can't figure out. I have always been
> > > able
> > > to tune policy or alter a boolean, this one has me stumped!
> > >
> > > What I am trying to do: I am trying to deploy a simple, 3 line
> > > CGI
> > > script in /var/www/cgi-bin/. Runs fine with enforcement disabled
> > > (see
> > > output below). My custom policy for Apache (see below) comes
> > > from my
> > > EL6 environment.
> > >
> > > The normal setroubleshooting tools don't help, as there is only a
> > > single
> > > line in audit.log (of type=SELINUX_ERR)
> > >
> > > This is not happening on latest RHEL 6.9 ...
> > >
> > > Might be related to systemd? I don't see any "NoNewPrivileges"
> > > directives inside /etc/systemd/ though ... weird!
> >
> > Is the filesystem mounted nosuid?
>
> If selinux also uses that message for that scenario then i find that
> confusing since the message, to me, implies that the issue can be
> find by adding a type bounds, but i don't think that would work for
> nosuid mounted slices
NNP and nosuid are handled in the same way. That said, I'm not sure I
follow the error here, since a default transition on exec should not
cause a failure in this case; we should just fall back to running in
the caller's domain (whether NNP or nosuid). We only fail hard if the
caller explicitly requested a domain transition.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
2017-05-22 18:32 ` Chris O'Neil
@ 2017-05-22 18:45 ` Stephen Smalley
2017-05-22 19:05 ` Stephen Smalley
0 siblings, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2017-05-22 18:45 UTC (permalink / raw)
To: Chris O'Neil, selinux
On Mon, 2017-05-22 at 11:32 -0700, Chris O'Neil wrote:
> On Mon, May 22, 2017 at 11:23 AM, Dominick Grift <dac.override@gmail.
> com> wrote:
> > On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> > > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > > > Hi, running latest RHEL 7.3 ... struggling with an SELinux
> > > > issue
> > > > related
> > > > to Apache httpd that I just can't figure out. I have always
> > > > been
> > > > able
> > > > to tune policy or alter a boolean, this one has me stumped!
> > > >
> > > > What I am trying to do: I am trying to deploy a simple, 3 line
> > > > CGI
> > > > script in /var/www/cgi-bin/. Runs fine with enforcement
> > > > disabled
> > > > (see
> > > > output below). My custom policy for Apache (see below) comes
> > > > from my
> > > > EL6 environment.
> > > >
> > > > The normal setroubleshooting tools don't help, as there is only
> > > > a
> > > > single
> > > > line in audit.log (of type=SELINUX_ERR)
> > > >
> > > > This is not happening on latest RHEL 6.9 ...
> > > >
> > > > Might be related to systemd? I don't see any "NoNewPrivileges"
> > > > directives inside /etc/systemd/ though ... weird!
> > >
> > > Is the filesystem mounted nosuid?
> >
> > If selinux also uses that message for that scenario then i find
> > that confusing since the message, to me, implies that the issue can
> > be find by adding a type bounds, but i don't think that would work
> > for nosuid mounted slices
>
> Stephen ... /var/www/ was mounted with the "nosuid" option. I forgot
> about that ... if I remember correctly, when "nosuid" is set on a
> mounted FS, SELinux trans will fail under this condition. This bit
> me
> before, years ago... and I forgot about it.
I'm still puzzled though, because the transition shouldn't fail
altogether; it should just fall back to staying in httpd_t instead of
httpd_sys_script_t. You'd get the log message but then it would just
proceed under the old domain.
> Everything is working as expected now. If I want to mitigate some
> risk, and still use "nosuid" for /var/www/ .... I'll need to split
> /var/www/cgi-bin away from /var/www/ ...
The other alternative would be to use typebounds, but that likely
wouldn't be straightforward.
>
> Thank you both for your time and help
> -chris
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
2017-05-22 18:45 ` Stephen Smalley
@ 2017-05-22 19:05 ` Stephen Smalley
2017-05-22 19:30 ` Stephen Smalley
0 siblings, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2017-05-22 19:05 UTC (permalink / raw)
To: Chris O'Neil, selinux
On Mon, 2017-05-22 at 14:45 -0400, Stephen Smalley wrote:
> On Mon, 2017-05-22 at 11:32 -0700, Chris O'Neil wrote:
> > On Mon, May 22, 2017 at 11:23 AM, Dominick Grift <dac.override@gmai
> > l.
> > com> wrote:
> > > On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> > > > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > > > > Hi, running latest RHEL 7.3 ... struggling with an SELinux
> > > > > issue
> > > > > related
> > > > > to Apache httpd that I just can't figure out. I have always
> > > > > been
> > > > > able
> > > > > to tune policy or alter a boolean, this one has me stumped!
> > > > >
> > > > > What I am trying to do: I am trying to deploy a simple, 3
> > > > > line
> > > > > CGI
> > > > > script in /var/www/cgi-bin/. Runs fine with enforcement
> > > > > disabled
> > > > > (see
> > > > > output below). My custom policy for Apache (see below) comes
> > > > > from my
> > > > > EL6 environment.
> > > > >
> > > > > The normal setroubleshooting tools don't help, as there is
> > > > > only
> > > > > a
> > > > > single
> > > > > line in audit.log (of type=SELINUX_ERR)
> > > > >
> > > > > This is not happening on latest RHEL 6.9 ...
> > > > >
> > > > > Might be related to systemd? I don't see any
> > > > > "NoNewPrivileges"
> > > > > directives inside /etc/systemd/ though ... weird!
> > > >
> > > > Is the filesystem mounted nosuid?
> > >
> > > If selinux also uses that message for that scenario then i find
> > > that confusing since the message, to me, implies that the issue
> > > can
> > > be find by adding a type bounds, but i don't think that would
> > > work
> > > for nosuid mounted slices
> >
> > Stephen ... /var/www/ was mounted with the "nosuid" option. I
> > forgot
> > about that ... if I remember correctly, when "nosuid" is set on a
> > mounted FS, SELinux trans will fail under this condition. This bit
> > me
> > before, years ago... and I forgot about it.
>
> I'm still puzzled though, because the transition shouldn't fail
> altogether; it should just fall back to staying in httpd_t instead of
> httpd_sys_script_t. You'd get the log message but then it would just
> proceed under the old domain.
For example, on Fedora:
$ cat /var/www/cgi-bin/foo.cgi
#!/bin/sh
echo "Content-type: text/plain"
echo ""
id -Z
exit 0
$ curl localhost/cgi-bin/foo.cgi
system_u:system_r:httpd_sys_script_t:s0
$ sudo mount --bind /var/www /var/www
$ mount -o remount,nosuid,bind /var/www /var/www
$ sudo service httpd restart
$ curl localhost/cgi-bin/foo.cgi
system_u:system_r:httpd_t:s0
$ sudo umount /var/www
$ sudo ausearch -m SELINUX_ERR,AVC -ts recent
time->Mon May 22 15:03:56 2017
type=PROCTITLE msg=audit(1495479836.876:5483): proctitle=2F62696E2F7368002F7661722F7777772F6367692D62696E2F666F6F2E636769
type=PATH msg=audit(1495479836.876:5483): item=2 name="/lib64/ld-linux-x86-64.so.2" inode=2623178 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=PATH msg=audit(1495479836.876:5483): item=1 name="/bin/sh" inode=2646852 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
type=PATH msg=audit(1495479836.876:5483): item=0 name="/var/www/cgi-bin/foo.cgi" inode=538621 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_script_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(1495479836.876:5483): cwd="/var/www/cgi-bin"
type=EXECVE msg=audit(1495479836.876:5483): argc=2 a0="/bin/sh" a1="/var/www/cgi-bin/foo.cgi"
type=SYSCALL msg=audit(1495479836.876:5483): arch=c000003e syscall=59 success=yes exit=0 a0=560095ae07e8 a1=560095ae3d00 a2=560095ae3d18 a3=8 items=3 ppid=10885 pid=10925 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="foo.cgi" exe="/usr/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)
type=SELINUX_ERR msg=audit(1495479836.876:5483): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:httpd_t:s0 newcontext=system_u:system_r:httpd_sys_script_t:s0
So I don't get a hard failure; it logs the error but just devolves to
staying in httpd_t.
Can you reproduce the above on your RHEL7.3 system?
>
> > Everything is working as expected now. If I want to mitigate some
> > risk, and still use "nosuid" for /var/www/ .... I'll need to split
> > /var/www/cgi-bin away from /var/www/ ...
>
> The other alternative would be to use typebounds, but that likely
> wouldn't be straightforward.
>
> >
> > Thank you both for your time and help
> > -chris
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
2017-05-22 19:05 ` Stephen Smalley
@ 2017-05-22 19:30 ` Stephen Smalley
2017-05-22 20:52 ` Stephen Smalley
0 siblings, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2017-05-22 19:30 UTC (permalink / raw)
To: Chris O'Neil, selinux
On Mon, 2017-05-22 at 15:05 -0400, Stephen Smalley wrote:
> On Mon, 2017-05-22 at 14:45 -0400, Stephen Smalley wrote:
> > On Mon, 2017-05-22 at 11:32 -0700, Chris O'Neil wrote:
> > > On Mon, May 22, 2017 at 11:23 AM, Dominick Grift <dac.override@gm
> > > ai
> > > l.
> > > com> wrote:
> > > > On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley
> > > > wrote:
> > > > > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > > > > > Hi, running latest RHEL 7.3 ... struggling with an SELinux
> > > > > > issue
> > > > > > related
> > > > > > to Apache httpd that I just can't figure out. I have
> > > > > > always
> > > > > > been
> > > > > > able
> > > > > > to tune policy or alter a boolean, this one has me stumped!
> > > > > >
> > > > > > What I am trying to do: I am trying to deploy a simple, 3
> > > > > > line
> > > > > > CGI
> > > > > > script in /var/www/cgi-bin/. Runs fine with enforcement
> > > > > > disabled
> > > > > > (see
> > > > > > output below). My custom policy for Apache (see below)
> > > > > > comes
> > > > > > from my
> > > > > > EL6 environment.
> > > > > >
> > > > > > The normal setroubleshooting tools don't help, as there is
> > > > > > only
> > > > > > a
> > > > > > single
> > > > > > line in audit.log (of type=SELINUX_ERR)
> > > > > >
> > > > > > This is not happening on latest RHEL 6.9 ...
> > > > > >
> > > > > > Might be related to systemd? I don't see any
> > > > > > "NoNewPrivileges"
> > > > > > directives inside /etc/systemd/ though ... weird!
> > > > >
> > > > > Is the filesystem mounted nosuid?
> > > >
> > > > If selinux also uses that message for that scenario then i find
> > > > that confusing since the message, to me, implies that the issue can
> > > > be fixed by adding a type bounds, but i don't think that would work
> > > > for nosuid mounted slices
> > >
> > > Stephen ... /var/www/ was mounted with the "nosuid" option. I forgot
> > > about that ... if I remember correctly, when "nosuid" is set on a
> > > mounted FS, SELinux trans will fail under this condition. This bit me
> > > before, years ago... and I forgot about it.
> >
> > I'm still puzzled though, because the transition shouldn't fail
> > altogether; it should just fall back to staying in httpd_t instead of
> > httpd_sys_script_t. You'd get the log message but then it would just
> > proceed under the old domain.
>
> For example, on Fedora:
> $ cat /var/www/cgi-bin/foo.cgi
> #!/bin/sh
> echo "Content-type: text/plain"
> echo ""
> id -Z
> exit 0
> $ curl localhost/cgi-bin/foo.cgi
> system_u:system_r:httpd_sys_script_t:s0
> $ sudo mount --bind /var/www /var/www
> $ mount -o remount,nosuid,bind /var/www /var/www
> $ sudo service httpd restart
> $ curl localhost/cgi-bin/foo.cgi
> system_u:system_r:httpd_t:s0
> $ sudo umount /var/www
> $ sudo ausearch -m SELINUX_ERR,AVC -ts recent
> time->Mon May 22 15:03:56 2017
> type=PROCTITLE msg=audit(1495479836.876:5483): proctitle=2F62696E2F7368002F7661722F7777772F6367692D62696E2F666F6F2E636769
> type=PATH msg=audit(1495479836.876:5483): item=2 name="/lib64/ld-linux-x86-64.so.2" inode=2623178 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
> type=PATH msg=audit(1495479836.876:5483): item=1 name="/bin/sh" inode=2646852 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
> type=PATH msg=audit(1495479836.876:5483): item=0 name="/var/www/cgi-bin/foo.cgi" inode=538621 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_script_exec_t:s0 nametype=NORMAL
> type=CWD msg=audit(1495479836.876:5483): cwd="/var/www/cgi-bin"
> type=EXECVE msg=audit(1495479836.876:5483): argc=2 a0="/bin/sh" a1="/var/www/cgi-bin/foo.cgi"
> type=SYSCALL msg=audit(1495479836.876:5483): arch=c000003e syscall=59 success=yes exit=0 a0=560095ae07e8 a1=560095ae3d00 a2=560095ae3d18 a3=8 items=3 ppid=10885 pid=10925 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="foo.cgi" exe="/usr/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)
> type=SELINUX_ERR msg=audit(1495479836.876:5483): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:httpd_t:s0 newcontext=system_u:system_r:httpd_sys_script_t:s0
>
> So I don't get a hard failure; it logs the error but just devolves to
> staying in httpd_t.
>
> Can you reproduce the above on your RHEL7.3 system?
Oh, I see - it will fail on the execute_no_trans permission check,
since policy doesn't allow httpd_t to execute httpd_sys_script_exec_t
without changing domains. So that's correct behavior. But you should
have had an AVC message on that.
Now I have to figure out why Fedora didn't deny it...
>
> >
> > > Everything is working as expected now. If I want to mitigate some
> > > risk, and still use "nosuid" for /var/www/ .... I'll need to split
> > > /var/www/cgi-bin away from /var/www/ ...
> >
> > The other alternative would be to use typebounds, but that likely
> > wouldn't be straightforward.
> >
> > >
> > > Thank you both for your time and help
> > > -chris
* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
2017-05-22 19:30 ` Stephen Smalley
@ 2017-05-22 20:52 ` Stephen Smalley
0 siblings, 0 replies; 13+ messages in thread
From: Stephen Smalley @ 2017-05-22 20:52 UTC (permalink / raw)
To: Chris O'Neil, selinux
On Mon, 2017-05-22 at 15:30 -0400, Stephen Smalley wrote:
> On Mon, 2017-05-22 at 15:05 -0400, Stephen Smalley wrote:
> > On Mon, 2017-05-22 at 14:45 -0400, Stephen Smalley wrote:
> > > On Mon, 2017-05-22 at 11:32 -0700, Chris O'Neil wrote:
> > > > On Mon, May 22, 2017 at 11:23 AM, Dominick Grift <dac.override@gmail.com> wrote:
> > > > > On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> > > > > > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > > > > > > Hi, running latest RHEL 7.3 ... struggling with an SELinux issue
> > > > > > > related to Apache httpd that I just can't figure out. I have always
> > > > > > > been able to tune policy or alter a boolean, this one has me stumped!
> > > > > > >
> > > > > > > What I am trying to do: I am trying to deploy a simple, 3 line CGI
> > > > > > > script in /var/www/cgi-bin/. Runs fine with enforcement disabled
> > > > > > > (see output below). My custom policy for Apache (see below) comes
> > > > > > > from my EL6 environment.
> > > > > > >
> > > > > > > The normal setroubleshooting tools don't help, as there is only a
> > > > > > > single line in audit.log (of type=SELINUX_ERR)
> > > > > > >
> > > > > > > This is not happening on latest RHEL 6.9 ...
> > > > > > >
> > > > > > > Might be related to systemd? I don't see any "NoNewPrivileges"
> > > > > > > directives inside /etc/systemd/ though ... weird!
> > > > > >
> > > > > > Is the filesystem mounted nosuid?
> > > > >
> > > > > If selinux also uses that message for that scenario then i find
> > > > > that confusing since the message, to me, implies that the issue can
> > > > > be fixed by adding a type bounds, but i don't think that would work
> > > > > for nosuid mounted slices
> > > >
> > > > Stephen ... /var/www/ was mounted with the "nosuid" option. I forgot
> > > > about that ... if I remember correctly, when "nosuid" is set on a
> > > > mounted FS, SELinux trans will fail under this condition. This bit me
> > > > before, years ago... and I forgot about it.
> > >
> > > I'm still puzzled though, because the transition shouldn't fail
> > > altogether; it should just fall back to staying in httpd_t instead of
> > > httpd_sys_script_t. You'd get the log message but then it would just
> > > proceed under the old domain.
> >
> > For example, on Fedora:
> > $ cat /var/www/cgi-bin/foo.cgi
> > #!/bin/sh
> > echo "Content-type: text/plain"
> > echo ""
> > id -Z
> > exit 0
> > $ curl localhost/cgi-bin/foo.cgi
> > system_u:system_r:httpd_sys_script_t:s0
> > $ sudo mount --bind /var/www /var/www
> > $ mount -o remount,nosuid,bind /var/www /var/www
> > $ sudo service httpd restart
> > $ curl localhost/cgi-bin/foo.cgi
> > system_u:system_r:httpd_t:s0
> > $ sudo umount /var/www
> > $ sudo ausearch -m SELINUX_ERR,AVC -ts recent
> > time->Mon May 22 15:03:56 2017
> > type=PROCTITLE msg=audit(1495479836.876:5483): proctitle=2F62696E2F7368002F7661722F7777772F6367692D62696E2F666F6F2E636769
> > type=PATH msg=audit(1495479836.876:5483): item=2 name="/lib64/ld-linux-x86-64.so.2" inode=2623178 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
> > type=PATH msg=audit(1495479836.876:5483): item=1 name="/bin/sh" inode=2646852 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
> > type=PATH msg=audit(1495479836.876:5483): item=0 name="/var/www/cgi-bin/foo.cgi" inode=538621 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_script_exec_t:s0 nametype=NORMAL
> > type=CWD msg=audit(1495479836.876:5483): cwd="/var/www/cgi-bin"
> > type=EXECVE msg=audit(1495479836.876:5483): argc=2 a0="/bin/sh" a1="/var/www/cgi-bin/foo.cgi"
> > type=SYSCALL msg=audit(1495479836.876:5483): arch=c000003e syscall=59 success=yes exit=0 a0=560095ae07e8 a1=560095ae3d00 a2=560095ae3d18 a3=8 items=3 ppid=10885 pid=10925 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="foo.cgi" exe="/usr/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)
> > type=SELINUX_ERR msg=audit(1495479836.876:5483): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:httpd_t:s0 newcontext=system_u:system_r:httpd_sys_script_t:s0
> >
> > So I don't get a hard failure; it logs the error but just devolves to
> > staying in httpd_t.
> >
> > Can you reproduce the above on your RHEL7.3 system?
>
> Oh, I see - it will fail on the execute_no_trans permission check,
> since policy doesn't allow httpd_t to execute httpd_sys_script_exec_t
> without changing domains. So that's correct behavior. But you should
> have had an AVC message on that.
Sigh...it seems to be dontaudit'd in Fedora policy. semodule -DB would
have shown it.
>
> Now I have to figure out why Fedora didn't deny it...
Seems to have been cruft in the test environment; now working as
expected.
>
> >
> > >
> > > > Everything is working as expected now. If I want to mitigate some
> > > > risk, and still use "nosuid" for /var/www/ .... I'll need to split
> > > > /var/www/cgi-bin away from /var/www/ ...
> > >
> > > The other alternative would be to use typebounds, but that likely
> > > wouldn't be straightforward.
> > >
> > > >
> > > > Thank you both for your time and help
> > > > -chris
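The two messages above establish the chain of events: a nosuid mount makes the kernel treat the execve() like a no_new_privs exec, the httpd_t to httpd_sys_script_t transition is then refused as an unbounded transition (logged as SELINUX_ERR, not AVC), the task stays in httpd_t, and the exec is finally refused by the execute_no_trans check, whose AVC may be dontaudit'd. The triage script below is an added example, not code from the thread or from the SELinux project: it correlates the SELINUX_ERR record of an execve() event with the PATH and SYSCALL records of the same event, then resolves the executable against /proc/self/mountinfo to tell whether it sits on a nosuid mount. The audit event is taken from Stephen's Fedora output; the mountinfo excerpt, the device names in it, and the function names are constructed for the example.

```python
"""Triage an SELinux security_bounded_transition denial against mount options.

Added example (not from the thread or the SELinux project). Sample inputs are
constructed; the audit event is adapted from the records posted in the thread.
"""
import re
from collections import defaultdict

# Audit event from the thread (PROCTITLE and the ld.so/sh PATH items omitted).
SAMPLE_AUDIT = """\
type=PATH msg=audit(1495479836.876:5483): item=0 name="/var/www/cgi-bin/foo.cgi" inode=538621 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_script_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(1495479836.876:5483): cwd="/var/www/cgi-bin"
type=EXECVE msg=audit(1495479836.876:5483): argc=2 a0="/bin/sh" a1="/var/www/cgi-bin/foo.cgi"
type=SYSCALL msg=audit(1495479836.876:5483): arch=c000003e syscall=59 success=yes exit=0 a0=560095ae07e8 a1=560095ae3d00 a2=560095ae3d18 a3=8 items=3 ppid=10885 pid=10925 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="foo.cgi" exe="/usr/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)
type=SELINUX_ERR msg=audit(1495479836.876:5483): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:httpd_t:s0 newcontext=system_u:system_r:httpd_sys_script_t:s0
"""

# Constructed /proc/self/mountinfo excerpt: a hypothetical layout with /var/www on
# its own nosuid filesystem, like the original poster's. Device names are made up.
SAMPLE_MOUNTINFO_NOSUID = """\
24 1 253:1 / / rw,relatime shared:1 - xfs /dev/mapper/rhel-root rw,attr2,inode64,noquota
42 24 253:3 / /var/www rw,nosuid,relatime shared:2 - xfs /dev/mapper/rhel-www rw,attr2,inode64,noquota
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="value"
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")      # timestamp:serial


def parse_audit(text):
    """Group audit lines by event serial: {serial: {record_type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        fields = {}
        for key, raw in FIELD_RE.findall(line):
            fields[key] = raw[1:-1] if raw.startswith('"') else raw
        events[int(m.group(2))][fields["type"]].append(fields)
    return events


def parse_mountinfo(text):
    """Return [(mount_point, set(per-mount options))] from mountinfo text."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        # Field 5 is the mount point (spaces are escaped as \040); field 6 holds the
        # per-mount flags, which is where nosuid lives (not in the superblock options
        # after the '-' separator).
        mounts.append((parts[4].replace("\\040", " "), set(parts[5].split(","))))
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match: the mount a path actually lives on."""
    best = None
    for mp, opts in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, opts)
    return best


def triage(audit_text, mountinfo_text):
    """Return one finding per security_bounded_transition denial in audit_text."""
    events = parse_audit(audit_text)
    mounts = parse_mountinfo(mountinfo_text)
    findings = []
    for serial, recs in sorted(events.items()):
        for err in recs.get("SELINUX_ERR", []):
            if err.get("op") != "security_bounded_transition":
                continue
            # PATH item=0 is the file execve() was asked to run.
            path = next((p["name"] for p in recs.get("PATH", []) if p.get("item") == "0"), None)
            sc = recs.get("SYSCALL", [{}])[0]
            mnt = mount_for(path, mounts) if path else None
            findings.append({
                "serial": serial, "path": path,
                "old": err.get("oldcontext"), "new": err.get("newcontext"),
                "mount": mnt[0] if mnt else None,
                "nosuid": bool(mnt and "nosuid" in mnt[1]),
                # In the thread's sample the exec succeeded and subj is still the
                # old domain, i.e. the task fell back rather than failing outright.
                "exec_succeeded": sc.get("success") == "yes",
                "subj": sc.get("subj"),
            })
    return findings


def explain(f):
    """One-line diagnosis for a finding from triage()."""
    if f["nosuid"]:
        return (f"{f['path']} is on nosuid mount {f['mount']}: the kernel treats the exec "
                f"like no_new_privs, so {f['old']} -> {f['new']} is only permitted when the "
                f"target type is bounded by the source (typebounds); otherwise the task stays "
                f"in {f['old']} and the exec then hits the execute_no_trans check, whose AVC "
                f"may be dontaudit'd (semodule -DB to see it)")
    return (f"{f['path']} is not on a nosuid mount; check whether the caller has no_new_privs "
            f"set (e.g. systemd NoNewPrivileges=) before blaming the filesystem")


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT, SAMPLE_MOUNTINFO_NOSUID):
        print(explain(finding))
```

On a live system, feed it `ausearch -m SELINUX_ERR -ts recent` output together with the contents of /proc/self/mountinfo; the per-mount flag column is the one to trust, since `mount` output can hide a nosuid set on a bind mount.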
Thread overview: 13+ messages
2017-05-22 16:29 RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied Chris O'Neil
2017-05-22 16:58 ` Dominick Grift
2017-05-22 17:16 ` Chris O'Neil
2017-05-22 17:35 ` Dominick Grift
2017-05-22 18:18 ` Stephen Smalley
2017-05-22 18:23 ` Dominick Grift
2017-05-22 18:29 ` Dominick Grift
2017-05-22 18:32 ` Chris O'Neil
2017-05-22 18:45 ` Stephen Smalley
2017-05-22 19:05 ` Stephen Smalley
2017-05-22 19:30 ` Stephen Smalley
2017-05-22 20:52 ` Stephen Smalley
2017-05-22 18:33 ` Stephen Smalley