* RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
@ 2017-05-22 16:29 Chris O'Neil
  2017-05-22 16:58 ` Dominick Grift
  2017-05-22 18:18 ` Stephen Smalley
  0 siblings, 2 replies; 13+ messages in thread
From: Chris O'Neil @ 2017-05-22 16:29 UTC (permalink / raw)
  To: selinux

Hi, running latest RHEL 7.3 ... struggling with an SELinux issue related
to Apache httpd that I just can't figure out.  I have always been able
to tune policy or alter a boolean, this one has me stumped!

What I am trying to do: I am trying to deploy a simple, 3 line CGI
script in /var/www/cgi-bin/.  Runs fine with enforcement disabled (see
output below).  My custom policy for Apache (see below) comes from my
EL6 environment.

The normal setroubleshooting tools don't help, as there is only a single
line in audit.log (of type=SELINUX_ERR)

This is not happening on latest RHEL 6.9 ...

Might be related to systemd?  I don't see any "NoNewPrivileges"
directives inside /etc/systemd/ though ... weird!

Many thanks for your help!
-chris


########################################################################
# With enforcement disabled ... all is good (as expected)
########################################################################

# ls -laZ /var/www/cgi-bin/
drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 .
drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 ..
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 ok.cgi

# setenforce 0
# systemctl restart httpd.service
$ curl localhost/cgi-bin/ok.cgi
OK


########################################################################
# With enforcement enabled ... CGI script fails, all you find is a
# single deny in /var/log/audit/audit.log
########################################################################

# setenforce 1
# systemctl restart httpd.service

# getenforce
Enforcing

$ curl localhost/cgi-bin/ok.cgi
<html><head><title>500 Server Error</title></head><body><h1>Server
Error</h1></body></html>

# tail /var/log/audit/audit.log | grep denied
type=SELINUX_ERR msg=audit(1495468154.591:121695):
op=security_bounded_transition seresult=denied
oldcontext=system_u:system_r:httpd_t:s0
newcontext=system_u:system_r:httpd_sys_script_t:s0


########################################################################
# System details ...
########################################################################

# uname -r
3.10.0-514.16.1.el7.x86_64

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

# find /etc/ -type f | xargs grep NoNewPrivileges
[NO OUTPUT]

# getsebool -a | grep httpd_
httpd_anon_write --> on
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_dbus_avahi --> on
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> on
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off


# THIS IS MY GENERIC APACHE TE FILE FROM EL6 ...

# cat myapache.te
module myapache 0.4;

require {
        type httpd_t;
        type httpd_sys_script_t;
        type http_port_t;
        type mysqld_port_t;
        type rpm_var_cache_t;
        type kernel_t;
        class process { setpgid transition };
        class system module_request;
        class tcp_socket name_connect;
        class dir { read search open getattr };
        class file { open read getattr };
}

# httpd itself: read the rpm cache and connect to the MySQL port
allow httpd_t rpm_var_cache_t:dir { read search open getattr };
allow httpd_t rpm_var_cache_t:file { read getattr open };
allow httpd_t mysqld_port_t:tcp_socket name_connect;

# CGI scripts: set their process group, connect back to the HTTP port,
# and trigger kernel module autoloading
allow httpd_sys_script_t self:process setpgid;
allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
allow httpd_sys_script_t kernel_t:system module_request;

# Audit record this rule was added for (kept as a comment; the wrapped
# continuation lines must be commented too or checkmodule rejects the file):
# type=SELINUX_ERR msg=audit(1495467001.822:84934):
# op=security_bounded_transition seresult=denied
# oldcontext=system_u:system_r:httpd_t:s0
# newcontext=system_u:system_r:httpd_sys_script_t:s0
# THIS STILL DOES NOT WORK! SYSTEMD ISSUE?
allow httpd_t httpd_sys_script_t:process transition;


* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
  2017-05-22 16:29 RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied Chris O'Neil
@ 2017-05-22 16:58 ` Dominick Grift
  2017-05-22 17:16   ` Chris O'Neil
  2017-05-22 18:18 ` Stephen Smalley
  1 sibling, 1 reply; 13+ messages in thread
From: Dominick Grift @ 2017-05-22 16:58 UTC (permalink / raw)
  To: selinux

On Mon, May 22, 2017 at 09:29:10AM -0700, Chris O'Neil wrote:
> Hi, running latest RHEL 7.3 ... struggling with an SELinux issue related
> to Apache httpd that I just can't figure out.  I have always been able
> to tune policy or alter a boolean, this one has me stumped!
> 
> What I am trying to do: I am trying to deploy a simple, 3 line CGI
> script in /var/www/cgi-bin/.  Runs fine with enforcement disabled (see
> output below).  My custom policy for Apache (see below) comes from my
> EL6 environment.
> 
> The normal setroubleshooting tools don't help, as there is only a single
> line in audit.log (of type=SELINUX_ERR)
> 
> This is not happening on latest RHEL 6.9 ...
> 
> Might be related to systemd?  I don't see any "NoNewPrivileges"
> directives inside /etc/systemd/ though ... weird!

Try grepping /usr/lib/systemd as well.
Also, do you have "mod_selinux" enabled? Because that requires a type bounds as well, AFAIK.

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
  2017-05-22 16:58 ` Dominick Grift
@ 2017-05-22 17:16   ` Chris O'Neil
  2017-05-22 17:35     ` Dominick Grift
  0 siblings, 1 reply; 13+ messages in thread
From: Chris O'Neil @ 2017-05-22 17:16 UTC (permalink / raw)
  To: selinux



On 05/22/2017 09:58 AM, Dominick Grift wrote:
> On Mon, May 22, 2017 at 09:29:10AM -0700, Chris O'Neil wrote:
>> Hi, running latest RHEL 7.3 ... struggling with an SELinux issue related
>> to Apache httpd that I just can't figure out.  I have always been able
>> to tune policy or alter a boolean, this one has me stumped!
>>
>> What I am trying to do: I am trying to deploy a simple, 3 line CGI
>> script in /var/www/cgi-bin/.  Runs fine with enforcement disabled (see
>> output below).  My custom policy for Apache (see below) comes from my
>> EL6 environment.
>>
>> The normal setroubleshooting tools don't help, as there is only a single
>> line in audit.log (of type=SELINUX_ERR)
>>
>> This is not happening on latest RHEL 6.9 ...
>>
>> Might be related to systemd?  I don't see any "NoNewPrivileges"
>> directives inside /etc/systemd/ though ... weird!

> 
> Try grepping /usr/lib/systemd as well.
> Also, do you have "mod_selinux" enabled? Because that requires a type bounds as well, AFAIK.

Dominick, I did find the "NoNewPrivileges" directive inside of
/usr/lib/systemd/system/systemd-importd.service ... commented it out,
rebooted just to be safe ... no luck ... same problem as before, same
message in /var/log/audit/audit.log.  Also tried changing the value from
"Yes" to "No" and rebooting, that didn't help.

$ curl localhost/cgi-bin/ok.cgi
<html><head><title>500 Server Error</title></head><body><h1>Server
Error</h1></body></html>

# tail /var/log/audit/audit.log | grep denied
type=SELINUX_ERR msg=audit(1495473331.188:183):
op=security_bounded_transition seresult=denied
oldcontext=system_u:system_r:httpd_t:s0
newcontext=system_u:system_r:httpd_sys_script_t:s0

Confirmed I do not have "mod_selinux" enabled ... this is a pretty
vanilla deployment of RHEL 7 and Apache httpd

Thanks!
-chris


* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
  2017-05-22 17:16   ` Chris O'Neil
@ 2017-05-22 17:35     ` Dominick Grift
  0 siblings, 0 replies; 13+ messages in thread
From: Dominick Grift @ 2017-05-22 17:35 UTC (permalink / raw)
  To: selinux

On Mon, May 22, 2017 at 10:16:55AM -0700, Chris O'Neil wrote:
> 
> 
> On 05/22/2017 09:58 AM, Dominick Grift wrote:
> > On Mon, May 22, 2017 at 09:29:10AM -0700, Chris O'Neil wrote:
> >> Hi, running latest RHEL 7.3 ... struggling with an SELinux issue related
> >> to Apache httpd that I just can't figure out.  I have always been able
> >> to tune policy or alter a boolean, this one has me stumped!
> >>
> >> What I am trying to do: I am trying to deploy a simple, 3 line CGI
> >> script in /var/www/cgi-bin/.  Runs fine with enforcement disabled (see
> >> output below).  My custom policy for Apache (see below) comes from my
> >> EL6 environment.
> >>
> >> The normal setroubleshooting tools don't help, as there is only a single
> >> line in audit.log (of type=SELINUX_ERR)
> >>
> >> This is not happening on latest RHEL 6.9 ...
> >>
> >> Might be related to systemd?  I don't see any "NoNewPrivileges"
> >> directives inside /etc/systemd/ though ... weird!
> 
> > 
> > Try grepping /usr/lib/systemd as well.
> > Also, do you have "mod_selinux" enabled? Because that requires a type bounds as well, AFAIK.
> 
> Dominick, I did find the "NoNewPrivileges" directive inside of
> /usr/lib/systemd/system/systemd-importd.service ... commented it out,
> rebooted just to be safe ... no luck ... same problem as before, same
> message in /var/log/audit/audit.log.  Also tried changing the value from
> "Yes" to "No" and rebooting, that didn't help.

Yes, that only applies to systemd-importd (which I suppose no one uses, at least not with SELinux enabled).

> 
> $ curl localhost/cgi-bin/ok.cgi
> <html><head><title>500 Server Error</title></head><body><h1>Server
> Error</h1></body></html>
> 
> # tail /var/log/audit/audit.log | grep denied
> type=SELINUX_ERR msg=audit(1495473331.188:183):
> op=security_bounded_transition seresult=denied
> oldcontext=system_u:system_r:httpd_t:s0
> newcontext=system_u:system_r:httpd_sys_script_t:s0
> 
> Confirmed I do not have "mod_selinux" enabled ... this is a pretty
> vanilla deployment of RHEL 7 and Apache httpd

Are you using any other "exotic"/non-default Apache modules? (I suppose not, since you already said it's pretty vanilla.)

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
  2017-05-22 16:29 RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied Chris O'Neil
  2017-05-22 16:58 ` Dominick Grift
@ 2017-05-22 18:18 ` Stephen Smalley
  2017-05-22 18:23   ` Dominick Grift
  1 sibling, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2017-05-22 18:18 UTC (permalink / raw)
  To: Chris O'Neil, selinux

On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> Hi, running latest RHEL 7.3 ... struggling with an SELinux issue related
> to Apache httpd that I just can't figure out.  I have always been able
> to tune policy or alter a boolean, this one has me stumped!
> 
> What I am trying to do: I am trying to deploy a simple, 3 line CGI
> script in /var/www/cgi-bin/.  Runs fine with enforcement disabled (see
> output below).  My custom policy for Apache (see below) comes from my
> EL6 environment.
> 
> The normal setroubleshooting tools don't help, as there is only a single
> line in audit.log (of type=SELINUX_ERR)
> 
> This is not happening on latest RHEL 6.9 ...
> 
> Might be related to systemd?  I don't see any "NoNewPrivileges"
> directives inside /etc/systemd/ though ... weird!

Is the filesystem mounted nosuid?

> 
> Many thanks for your help!
> -chris
> 
> 
> #####################################################################
> ###
> # With enforcement disabled ... all is good (as expected)
> #####################################################################
> ###
> 
> # ls -laZ /var/www/cgi-bin/
> drwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 .
> drwxr-xr-x. root root system_u:object_r:httpd_sys_content_t:s0 ..
> -rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0
> ok.cgi
> 
> # setenforce 0
> # systemctl restart httpd.service
> $ curl localhost/cgi-bin/ok.cgi
> OK
> 
> 
> #####################################################################
> ###
> # With enforcement enabled ... CGI script fails, all you find is a
> # single deny in /var/log/audit/audit.log
> #####################################################################
> ###
> 
> # setenforce 1
> # systemctl restart httpd.service
> 
> # getenforce
> Enforcing
> 
> $ curl localhost/cgi-bin/ok.cgi
> <html><head><title>500 Server Error</title></head><body><h1>Server
> Error</h1></body></html>
> 
> # tail /var/log/audit/audit.log | grep denied
> type=SELINUX_ERR msg=audit(1495468154.591:121695):
> op=security_bounded_transition seresult=denied
> oldcontext=system_u:system_r:httpd_t:s0
> newcontext=system_u:system_r:httpd_sys_script_t:s0
> 
> 
> #####################################################################
> ###
> # System details ...
> #####################################################################
> ###
> 
> # uname -r
> 3.10.0-514.16.1.el7.x86_64
> 
> # cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 7.3 (Maipo)
> 
> # sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             targeted
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Max kernel policy version:      28
> 
> # find /etc/ -type f | xargs grep NoNewPrivileges
> [NO OUTPUT]
> 
> # getsebool -a | grep httpd_
> httpd_anon_write --> on
> httpd_builtin_scripting --> on
> httpd_can_check_spam --> off
> httpd_can_connect_ftp --> off
> httpd_can_connect_ldap --> off
> httpd_can_connect_mythtv --> off
> httpd_can_connect_zabbix --> off
> httpd_can_network_connect --> on
> httpd_can_network_connect_cobbler --> off
> httpd_can_network_connect_db --> on
> httpd_can_network_memcache --> off
> httpd_can_network_relay --> off
> httpd_can_sendmail --> on
> httpd_dbus_avahi --> on
> httpd_dbus_sssd --> off
> httpd_dontaudit_search_dirs --> off
> httpd_enable_cgi --> on
> httpd_enable_ftp_server --> off
> httpd_enable_homedirs --> off
> httpd_execmem --> off
> httpd_graceful_shutdown --> on
> httpd_manage_ipa --> off
> httpd_mod_auth_ntlm_winbind --> off
> httpd_mod_auth_pam --> off
> httpd_read_user_content --> on
> httpd_run_ipa --> off
> httpd_run_preupgrade --> off
> httpd_run_stickshift --> off
> httpd_serve_cobbler_files --> off
> httpd_setrlimit --> off
> httpd_ssi_exec --> off
> httpd_sys_script_anon_write --> off
> httpd_tmp_exec --> off
> httpd_tty_comm --> on
> httpd_unified --> on
> httpd_use_cifs --> off
> httpd_use_fusefs --> off
> httpd_use_gpg --> off
> httpd_use_nfs --> off
> httpd_use_openstack --> off
> httpd_use_sasl --> off
> httpd_verify_dns --> off
> 
> 
> # THIS IS MY GENERIC APACHE TE FILE FROM EL6 ...
> 
> # cat myapache.te
> module myapache 0.4;
> 
> require {
>         type httpd_t;
>         type httpd_sys_script_t;
>         type http_port_t;
>         type mysqld_port_t;
>         type rpm_var_cache_t;
>         type kernel_t;
>         class process { setpgid transition };
>         class system module_request;
>         class tcp_socket name_connect;
>         class dir { read search open getattr };
>         class file { open read getattr };
> }
> 
> allow httpd_t rpm_var_cache_t:dir { read search open getattr };
> allow httpd_t rpm_var_cache_t:file { read getattr open } ;
> allow httpd_t mysqld_port_t:tcp_socket name_connect;
> allow httpd_sys_script_t self:process setpgid;
> allow httpd_sys_script_t http_port_t:tcp_socket name_connect;
> allow httpd_sys_script_t kernel_t:system module_request;
> 
> #type=SELINUX_ERR msg=audit(1495467001.822:84934): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:httpd_t:s0 newcontext=system_u:system_r:httpd_sys_script_t:s0
> # THIS STILL DOES NOT WORK! SYSTEMD ISSUE?
> allow httpd_t httpd_sys_script_t:process transition;
> 
> 

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
  2017-05-22 18:18 ` Stephen Smalley
@ 2017-05-22 18:23   ` Dominick Grift
  2017-05-22 18:29     ` Dominick Grift
                       ` (2 more replies)
  0 siblings, 3 replies; 13+ messages in thread
From: Dominick Grift @ 2017-05-22 18:23 UTC (permalink / raw)
  To: selinux

[-- Attachment #1: Type: text/plain, Size: 6451 bytes --]

On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > Hi, running latest RHEL 7.3 ... struggling with an SELinux issue
> > related
> > to Apache httpd that I just can't figure out.  I have always been
> > able
> > to tune policy or alter a boolean, this one has me stumped!
> > 
> > What I am trying to do: I am trying to deploy a simple, 3 line CGI
> > script in /var/www/cgi-bin/.  Runs fine with enforcement disabled
> > (see
> > output below).  My custom policy for Apache (see below) comes from my
> > EL6 environment.
> > 
> > The normal setroubleshooting tools don't help, as there is only a
> > single
> > line in audit.log (of type=SELINUX_ERR)
> > 
> > This is not happening on latest RHEL 6.9 ...
> > 
> > Might be related to systemd?  I don't see any "NoNewPrivileges"
> > directives inside /etc/systemd/ though ... weird!
> 
> Is the filesystem mounted nosuid?

If selinux also uses that message for that scenario then i find that confusing since the message, to me, implies that the issue can be find by adding a type bounds, but i don't think that would work for nosuid mounted slices

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
  2017-05-22 18:23   ` Dominick Grift
@ 2017-05-22 18:29     ` Dominick Grift
  2017-05-22 18:32     ` Chris O'Neil
  2017-05-22 18:33     ` Stephen Smalley
  2 siblings, 0 replies; 13+ messages in thread
From: Dominick Grift @ 2017-05-22 18:29 UTC (permalink / raw)
  To: selinux

[-- Attachment #1: Type: text/plain, Size: 7071 bytes --]

On Mon, May 22, 2017 at 08:23:50PM +0200, Dominick Grift wrote:
> On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > > Hi, running latest RHEL 7.3 ... struggling with an SELinux issue
> > > related
> > > to Apache httpd that I just can't figure out.  I have always been
> > > able
> > > to tune policy or alter a boolean, this one has me stumped!
> > > 
> > > What I am trying to do: I am trying to deploy a simple, 3 line CGI
> > > script in /var/www/cgi-bin/.  Runs fine with enforcement disabled
> > > (see
> > > output below).  My custom policy for Apache (see below) comes from my
> > > EL6 environment.
> > > 
> > > The normal setroubleshooting tools don't help, as there is only a
> > > single
> > > line in audit.log (of type=SELINUX_ERR)
> > > 
> > > This is not happening on latest RHEL 6.9 ...
> > > 
> > > Might be related to systemd?  I don't see any "NoNewPrivileges"
> > > directives inside /etc/systemd/ though ... weird!
> > 
> > Is the filesystem mounted nosuid?
> 
> If selinux also uses that message for that scenario then i find that confusing since the message, to me, implies that the issue can be find by adding a type bounds, but i don't think that would work for nosuid mounted slices

s/find/fixed

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
  2017-05-22 18:23   ` Dominick Grift
  2017-05-22 18:29     ` Dominick Grift
@ 2017-05-22 18:32     ` Chris O'Neil
  2017-05-22 18:45       ` Stephen Smalley
  2017-05-22 18:33     ` Stephen Smalley
  2 siblings, 1 reply; 13+ messages in thread
From: Chris O'Neil @ 2017-05-22 18:32 UTC (permalink / raw)
  To: selinux

On Mon, May 22, 2017 at 11:23 AM, Dominick Grift <dac.override@gmail.com> wrote:
> On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
>> On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
>> > Hi, running latest RHEL 7.3 ... struggling with an SELinux issue
>> > related
>> > to Apache httpd that I just can't figure out.  I have always been
>> > able
>> > to tune policy or alter a boolean, this one has me stumped!
>> >
>> > What I am trying to do: I am trying to deploy a simple, 3 line CGI
>> > script in /var/www/cgi-bin/.  Runs fine with enforcement disabled
>> > (see
>> > output below).  My custom policy for Apache (see below) comes from my
>> > EL6 environment.
>> >
>> > The normal setroubleshooting tools don't help, as there is only a
>> > single
>> > line in audit.log (of type=SELINUX_ERR)
>> >
>> > This is not happening on latest RHEL 6.9 ...
>> >
>> > Might be related to systemd?  I don't see any "NoNewPrivileges"
>> > directives inside /etc/systemd/ though ... weird!
>>
>> Is the filesystem mounted nosuid?
>
> If selinux also uses that message for that scenario then i find that confusing since the message, to me, implies that the issue can be find by adding a type bounds, but i don't think that would work for nosuid mounted slices

Stephen ... /var/www/ was mounted with the "nosuid" option.  I forgot
about that ... if I remember correctly, when "nosuid" is set on a
mounted FS, SELinux trans will fail under this condition.  This bit me
before, years ago... and I forgot about it.

Everything is working as expected now.  If I want to mitigate some
risk, and still use "nosuid" for /var/www/ ....  I'll need to split
/var/www/cgi-bin away from /var/www/ ...

Thank you both for your time and help
-chris

^ permalink raw reply	[flat|nested] 13+ messages in thread
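Chris's reply above confirms the cause (/var/www mounted nosuid) and the workaround (giving /var/www/cgi-bin its own mount). What follows is an added example, not code from the thread, that answers Stephen's "is the filesystem mounted nosuid?" question from /proc/self/mountinfo rather than from memory: it picks the deepest mount point covering a path and reports whether that mount carries nosuid, so a bind mount remounted nosuid (as in Stephen's reproduction) or a separately mounted cgi-bin is classified correctly. SAMPLE_MOUNTINFO is constructed to mirror Chris's split layout; its device names and the NFS entry are made up for illustration. The path /var/www/cgi-bin/ok.cgi is the one from the original post.

```python
"""Check whether the mount backing a path carries the nosuid option, using
/proc/self/mountinfo.  Added example, not code from the thread."""
import os
import re

# CONSTRUCTED /proc/self/mountinfo (not captured from a real host).  It mirrors
# the layout Chris describes: /var/www bind-mounted nosuid, /var/www/cgi-bin on
# its own mount without nosuid.  Device names and the NFS mount are made up.
SAMPLE_MOUNTINFO = """\
22 1 253:1 / / rw,relatime shared:1 - xfs /dev/mapper/rhel-root rw,attr2,inode64
61 22 253:1 /var/www /var/www rw,nosuid,relatime shared:1 - xfs /dev/mapper/rhel-root rw,attr2,inode64
62 61 253:2 / /var/www/cgi-bin rw,relatime shared:30 - xfs /dev/mapper/rhel-cgi rw,attr2,inode64
63 22 0:40 / /mnt/web\\040root rw,nosuid,nodev,relatime shared:31 - nfs4 filer:/web rw,vers=4.1
"""

_OCTAL = re.compile(r"\\([0-7]{3})")


def _unescape(field):
    # mountinfo encodes space, tab, newline and backslash in paths as \ooo.
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Return [(mount_point, {mount options}, fstype)] in mountinfo order.

    Field layout: id parent maj:min root mount_point mount_opts [optional...]
    '-' fstype source super_opts.  Only the per-mount options (field 6) matter
    here: nosuid is a mount flag, not a superblock flag, which is why a nosuid
    bind mount of an otherwise normal filesystem still applies to execs under it.
    """
    mounts = []
    for line in text.splitlines():
        fields = line.split(" ")
        if "-" not in fields:
            continue  # blank or malformed line
        sep = fields.index("-")
        mounts.append((_unescape(fields[4]), set(fields[5].split(",")), fields[sep + 1]))
    return mounts


def mount_for_path(path, mounts):
    """Pick the mount whose mount point is the deepest prefix of path; on
    equal depth the later entry wins, matching how the kernel stacks mounts."""
    path = os.path.normpath(path)
    best = None
    for entry in mounts:
        mp = entry[0]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) >= len(best[0]):
                best = entry
    return best


def is_nosuid(path, mountinfo_text=None):
    """Return (nosuid?, mount_point) for path; reads the live table if no text is given."""
    if mountinfo_text is None:
        with open("/proc/self/mountinfo") as f:
            mountinfo_text = f.read()
    entry = mount_for_path(path, parse_mountinfo(mountinfo_text))
    if entry is None:
        raise ValueError(f"no mount covers {path}")
    mp, opts, _ = entry
    return "nosuid" in opts, mp


if __name__ == "__main__":
    import sys
    # With no arguments, run against the constructed sample; otherwise the live host.
    for p in sys.argv[1:] or ["/var/www/cgi-bin/ok.cgi", "/var/www/html/index.html"]:
        flag, mp = is_nosuid(p, SAMPLE_MOUNTINFO if len(sys.argv) == 1 else None)
        print(f"{p}: mount {mp} {'IS' if flag else 'is not'} nosuid")
```

Run it with a path argument on the affected host and it reads the live /proc/self/mountinfo; with no argument it evaluates the constructed sample, where the CGI script lands on the separate /var/www/cgi-bin mount and is therefore not nosuid while the rest of /var/www is.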

* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
  2017-05-22 18:23   ` Dominick Grift
  2017-05-22 18:29     ` Dominick Grift
  2017-05-22 18:32     ` Chris O'Neil
@ 2017-05-22 18:33     ` Stephen Smalley
  2 siblings, 0 replies; 13+ messages in thread
From: Stephen Smalley @ 2017-05-22 18:33 UTC (permalink / raw)
  To: Dominick Grift, selinux

On Mon, 2017-05-22 at 20:23 +0200, Dominick Grift wrote:
> On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > > Hi, running latest RHEL 7.3 ... struggling with an SELinux issue
> > > related
> > > to Apache httpd that I just can't figure out.  I have always been
> > > able
> > > to tune policy or alter a boolean, this one has me stumped!
> > > 
> > > What I am trying to do: I am trying to deploy a simple, 3 line
> > > CGI
> > > script in /var/www/cgi-bin/.  Runs fine with enforcement disabled
> > > (see
> > > output below).  My custom policy for Apache (see below) comes
> > > from my
> > > EL6 environment.
> > > 
> > > The normal setroubleshooting tools don't help, as there is only a
> > > single
> > > line in audit.log (of type=SELINUX_ERR)
> > > 
> > > This is not happening on latest RHEL 6.9 ...
> > > 
> > > Might be related to systemd?  I don't see any "NoNewPrivileges"
> > > directives inside /etc/systemd/ though ... weird!
> > 
> > Is the filesystem mounted nosuid?
> 
> If selinux also uses that message for that scenario then i find that
> confusing since the message, to me, implies that the issue can be
> find by adding a type bounds, but i don't think that would work for
> nosuid mounted slices

NNP and nosuid are handled in the same way.  That said, I'm not sure I
follow the error here, since a default transition on exec should not
cause a failure in this case; we should just fall back to running in
the caller's domain (whether NNP or nosuid).  We only fail hard if the
caller explicitly requested a domain transition.

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
  2017-05-22 18:32     ` Chris O'Neil
@ 2017-05-22 18:45       ` Stephen Smalley
  2017-05-22 19:05         ` Stephen Smalley
  0 siblings, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2017-05-22 18:45 UTC (permalink / raw)
  To: Chris O'Neil, selinux

On Mon, 2017-05-22 at 11:32 -0700, Chris O'Neil wrote:
> On Mon, May 22, 2017 at 11:23 AM, Dominick Grift <dac.override@gmail.com> wrote:
> > On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> > > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > > > Hi, running latest RHEL 7.3 ... struggling with an SELinux
> > > > issue
> > > > related
> > > > to Apache httpd that I just can't figure out.  I have always
> > > > been
> > > > able
> > > > to tune policy or alter a boolean, this one has me stumped!
> > > > 
> > > > What I am trying to do: I am trying to deploy a simple, 3 line
> > > > CGI
> > > > script in /var/www/cgi-bin/.  Runs fine with enforcement
> > > > disabled
> > > > (see
> > > > output below).  My custom policy for Apache (see below) comes
> > > > from my
> > > > EL6 environment.
> > > > 
> > > > The normal setroubleshooting tools don't help, as there is only
> > > > a
> > > > single
> > > > line in audit.log (of type=SELINUX_ERR)
> > > > 
> > > > This is not happening on latest RHEL 6.9 ...
> > > > 
> > > > Might be related to systemd?  I don't see any "NoNewPrivileges"
> > > > directives inside /etc/systemd/ though ... weird!
> > > 
> > > Is the filesystem mounted nosuid?
> > 
> > If selinux also uses that message for that scenario then i find
> > that confusing since the message, to me, implies that the issue can
> > be find by adding a type bounds, but i don't think that would work
> > for nosuid mounted slices
> 
> Stephen ... /var/www/ was mounted with the "nosuid" option.  I forgot
> about that ... if I remember correctly, when "nosuid" is set on a
> mounted FS, SELinux trans will fail under this condition.  This bit
> me
> before, years ago... and I forgot about it.

I'm still puzzled though, because the transition shouldn't fail
altogether; it should just fall back to staying in httpd_t instead of
httpd_sys_script_t.  You'd get the log message but then it would just
proceed under the old domain.

> Everything is working as expected now.  If I want to mitigate some
> risk, and still use "nosuid" for /var/www/ ....  I'll need to split
> /var/www/cgi-bin away from /var/www/ ...

The other alternative would be to use typebounds, but that likely
wouldn't be straightforward.

> 
> Thank you both for your time and help
> -chris

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
  2017-05-22 18:45       ` Stephen Smalley
@ 2017-05-22 19:05         ` Stephen Smalley
  2017-05-22 19:30           ` Stephen Smalley
  0 siblings, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2017-05-22 19:05 UTC (permalink / raw)
  To: Chris O'Neil, selinux

On Mon, 2017-05-22 at 14:45 -0400, Stephen Smalley wrote:
> On Mon, 2017-05-22 at 11:32 -0700, Chris O'Neil wrote:
> > On Mon, May 22, 2017 at 11:23 AM, Dominick Grift <dac.override@gmail.com> wrote:
> > > On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> > > > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > > > > Hi, running latest RHEL 7.3 ... struggling with an SELinux
> > > > > issue
> > > > > related
> > > > > to Apache httpd that I just can't figure out.  I have always
> > > > > been
> > > > > able
> > > > > to tune policy or alter a boolean, this one has me stumped!
> > > > > 
> > > > > What I am trying to do: I am trying to deploy a simple, 3
> > > > > line
> > > > > CGI
> > > > > script in /var/www/cgi-bin/.  Runs fine with enforcement
> > > > > disabled
> > > > > (see
> > > > > output below).  My custom policy for Apache (see below) comes
> > > > > from my
> > > > > EL6 environment.
> > > > > 
> > > > > The normal setroubleshooting tools don't help, as there is
> > > > > only
> > > > > a
> > > > > single
> > > > > line in audit.log (of type=SELINUX_ERR)
> > > > > 
> > > > > This is not happening on latest RHEL 6.9 ...
> > > > > 
> > > > > Might be related to systemd?  I don't see any
> > > > > "NoNewPrivileges"
> > > > > directives inside /etc/systemd/ though ... weird!
> > > > 
> > > > Is the filesystem mounted nosuid?
> > > 
> > > If selinux also uses that message for that scenario then i find
> > > that confusing since the message, to me, implies that the issue
> > > can
> > > be find by adding a type bounds, but i don't think that would
> > > work
> > > for nosuid mounted slices
> > 
> > Stephen ... /var/www/ was mounted with the "nosuid" option.  I
> > forgot
> > about that ... if I remember correctly, when "nosuid" is set on a
> > mounted FS, SELinux trans will fail under this condition.  This bit
> > me
> > before, years ago... and I forgot about it.
> 
> I'm still puzzled though, because the transition shouldn't fail
> altogether; it should just fall back to staying in httpd_t instead of
> httpd_sys_script_t.  You'd get the log message but then it would just
> proceed under the old domain.

For example, on Fedora:
$ cat /var/www/cgi-bin/foo.cgi
#!/bin/sh
echo "Content-type: text/plain"
echo ""
id -Z
exit 0
$ curl localhost/cgi-bin/foo.cgi
system_u:system_r:httpd_sys_script_t:s0
$ sudo mount --bind /var/www /var/www
$ mount -o remount,nosuid,bind /var/www /var/www
$ sudo service httpd restart
$ curl localhost/cgi-bin/foo.cgi
system_u:system_r:httpd_t:s0
$ sudo umount /var/www
$ sudo ausearch -m SELINUX_ERR,AVC -ts recent
time->Mon May 22 15:03:56 2017
type=PROCTITLE msg=audit(1495479836.876:5483): proctitle=2F62696E2F7368002F7661722F7777772F6367692D62696E2F666F6F2E636769
type=PATH msg=audit(1495479836.876:5483): item=2 name="/lib64/ld-linux-x86-64.so.2" inode=2623178 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=PATH msg=audit(1495479836.876:5483): item=1 name="/bin/sh" inode=2646852 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
type=PATH msg=audit(1495479836.876:5483): item=0 name="/var/www/cgi-bin/foo.cgi" inode=538621 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_script_exec_t:s0 nametype=NORMAL
type=CWD msg=audit(1495479836.876:5483): cwd="/var/www/cgi-bin"
type=EXECVE msg=audit(1495479836.876:5483): argc=2 a0="/bin/sh" a1="/var/www/cgi-bin/foo.cgi"
type=SYSCALL msg=audit(1495479836.876:5483): arch=c000003e syscall=59 success=yes exit=0 a0=560095ae07e8 a1=560095ae3d00 a2=560095ae3d18 a3=8 items=3 ppid=10885 pid=10925 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="foo.cgi" exe="/usr/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)
type=SELINUX_ERR msg=audit(1495479836.876:5483): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:httpd_t:s0 newcontext=system_u:system_r:httpd_sys_script_t:s0

So I don't get a hard failure; it logs the error but just devolves to
staying in httpd_t.

Can you reproduce the above on your RHEL7.3 system?

> 
> > Everything is working as expected now.  If I want to mitigate some
> > risk, and still use "nosuid" for /var/www/ ....  I'll need to split
> > /var/www/cgi-bin away from /var/www/ ...
> 
> The other alternative would be to use typebounds, but that likely
> wouldn't be straightforward.
> 
> > 
> > Thank you both for your time and help
> > -chris

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
  2017-05-22 19:05         ` Stephen Smalley
@ 2017-05-22 19:30           ` Stephen Smalley
  2017-05-22 20:52             ` Stephen Smalley
  0 siblings, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2017-05-22 19:30 UTC (permalink / raw)
  To: Chris O'Neil, selinux

On Mon, 2017-05-22 at 15:05 -0400, Stephen Smalley wrote:
> On Mon, 2017-05-22 at 14:45 -0400, Stephen Smalley wrote:
> > On Mon, 2017-05-22 at 11:32 -0700, Chris O'Neil wrote:
> > > On Mon, May 22, 2017 at 11:23 AM, Dominick Grift <dac.override@gmail.com> wrote:
> > > > On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> > > > > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > > > > > Hi, running latest RHEL 7.3 ... struggling with an SELinux issue
> > > > > > related to Apache httpd that I just can't figure out.  I have always
> > > > > > been able to tune policy or alter a boolean, this one has me stumped!
> > > > > > 
> > > > > > What I am trying to do: I am trying to deploy a simple, 3 line CGI
> > > > > > script in /var/www/cgi-bin/.  Runs fine with enforcement disabled (see
> > > > > > output below).  My custom policy for Apache (see below) comes from my
> > > > > > EL6 environment.
> > > > > > 
> > > > > > The normal setroubleshooting tools don't help, as there is only a
> > > > > > single line in audit.log (of type=SELINUX_ERR)
> > > > > > 
> > > > > > This is not happening on latest RHEL 6.9 ...
> > > > > > 
> > > > > > Might be related to systemd?  I don't see any "NoNewPrivileges"
> > > > > > directives inside /etc/systemd/ though ... weird!
> > > > > 
> > > > > Is the filesystem mounted nosuid?
> > > > 
> > > > If selinux also uses that message for that scenario then I find
> > > > that confusing since the message, to me, implies that the issue can
> > > > be fixed by adding a type bounds, but I don't think that would work
> > > > for nosuid mounted slices
> > > 
> > > Stephen ... /var/www/ was mounted with the "nosuid" option.  I forgot
> > > about that ... if I remember correctly, when "nosuid" is set on a
> > > mounted FS, SELinux trans will fail under this condition.  This bit me
> > > before, years ago... and I forgot about it.
> > 
> > I'm still puzzled though, because the transition shouldn't fail
> > altogether; it should just fall back to staying in httpd_t instead of
> > httpd_sys_script_t.  You'd get the log message but then it would just
> > proceed under the old domain.
> 
> For example, on Fedora:
> $ cat /var/www/cgi-bin/foo.cgi
> #!/bin/sh
> echo "Content-type: text/plain"
> echo ""
> id -Z
> exit 0
> $ curl localhost/cgi-bin/foo.cgi
> system_u:system_r:httpd_sys_script_t:s0
> $ sudo mount --bind /var/www /var/www
> $ mount -o remount,nosuid,bind /var/www /var/www
> $ sudo service httpd restart
> $ curl localhost/cgi-bin/foo.cgi
> system_u:system_r:httpd_t:s0
> $ sudo umount /var/www
> $ sudo ausearch -m SELINUX_ERR,AVC -ts recent
> time->Mon May 22 15:03:56 2017
> type=PROCTITLE msg=audit(1495479836.876:5483): proctitle=2F62696E2F7368002F7661722F7777772F6367692D62696E2F666F6F2E636769
> type=PATH msg=audit(1495479836.876:5483): item=2 name="/lib64/ld-linux-x86-64.so.2" inode=2623178 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
> type=PATH msg=audit(1495479836.876:5483): item=1 name="/bin/sh" inode=2646852 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
> type=PATH msg=audit(1495479836.876:5483): item=0 name="/var/www/cgi-bin/foo.cgi" inode=538621 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_script_exec_t:s0 nametype=NORMAL
> type=CWD msg=audit(1495479836.876:5483): cwd="/var/www/cgi-bin"
> type=EXECVE msg=audit(1495479836.876:5483): argc=2 a0="/bin/sh" a1="/var/www/cgi-bin/foo.cgi"
> type=SYSCALL msg=audit(1495479836.876:5483): arch=c000003e syscall=59 success=yes exit=0 a0=560095ae07e8 a1=560095ae3d00 a2=560095ae3d18 a3=8 items=3 ppid=10885 pid=10925 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="foo.cgi" exe="/usr/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)
> type=SELINUX_ERR msg=audit(1495479836.876:5483): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:httpd_t:s0 newcontext=system_u:system_r:httpd_sys_script_t:s0
> 
> So I don't get a hard failure; it logs the error but just devolves to
> staying in httpd_t.
> 
> Can you reproduce the above on your RHEL7.3 system?

Oh, I see - it will fail on the execute_no_trans permission check,
since policy doesn't allow httpd_t to execute httpd_sys_script_exec_t
without changing domains.  So that's correct behavior.  But you should
have had an AVC message on that.

Now I have to figure out why Fedora didn't deny it...

> 
> > 
> > > Everything is working as expected now.  If I want to mitigate some
> > > risk, and still use "nosuid" for /var/www/ ....  I'll need to split
> > > /var/www/cgi-bin away from /var/www/ ...
> > 
> > The other alternative would be to use typebounds, but that likely
> > wouldn't be straightforward.
> > 
> > > 
> > > Thank you both for your time and help
> > > -chris

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied
  2017-05-22 19:30           ` Stephen Smalley
@ 2017-05-22 20:52             ` Stephen Smalley
  0 siblings, 0 replies; 13+ messages in thread
From: Stephen Smalley @ 2017-05-22 20:52 UTC (permalink / raw)
  To: Chris O'Neil, selinux

On Mon, 2017-05-22 at 15:30 -0400, Stephen Smalley wrote:
> On Mon, 2017-05-22 at 15:05 -0400, Stephen Smalley wrote:
> > On Mon, 2017-05-22 at 14:45 -0400, Stephen Smalley wrote:
> > > On Mon, 2017-05-22 at 11:32 -0700, Chris O'Neil wrote:
> > > > On Mon, May 22, 2017 at 11:23 AM, Dominick Grift <dac.override@gmail.com> wrote:
> > > > > On Mon, May 22, 2017 at 02:18:29PM -0400, Stephen Smalley wrote:
> > > > > > On Mon, 2017-05-22 at 09:29 -0700, Chris O'Neil wrote:
> > > > > > > Hi, running latest RHEL 7.3 ... struggling with an SELinux issue
> > > > > > > related to Apache httpd that I just can't figure out.  I have
> > > > > > > always been able to tune policy or alter a boolean, this one has
> > > > > > > me stumped!
> > > > > > > 
> > > > > > > What I am trying to do: I am trying to deploy a simple, 3 line CGI
> > > > > > > script in /var/www/cgi-bin/.  Runs fine with enforcement disabled
> > > > > > > (see output below).  My custom policy for Apache (see below) comes
> > > > > > > from my EL6 environment.
> > > > > > > 
> > > > > > > The normal setroubleshooting tools don't help, as there is only a
> > > > > > > single line in audit.log (of type=SELINUX_ERR)
> > > > > > > 
> > > > > > > This is not happening on latest RHEL 6.9 ...
> > > > > > > 
> > > > > > > Might be related to systemd?  I don't see any "NoNewPrivileges"
> > > > > > > directives inside /etc/systemd/ though ... weird!
> > > > > > 
> > > > > > Is the filesystem mounted nosuid?
> > > > > 
> > > > > If selinux also uses that message for that scenario then I find
> > > > > that confusing since the message, to me, implies that the issue can
> > > > > be fixed by adding a type bounds, but I don't think that would work
> > > > > for nosuid mounted slices
> > > > 
> > > > Stephen ... /var/www/ was mounted with the "nosuid" option.  I forgot
> > > > about that ... if I remember correctly, when "nosuid" is set on a
> > > > mounted FS, SELinux trans will fail under this condition.  This bit me
> > > > before, years ago... and I forgot about it.
> > > 
> > > I'm still puzzled though, because the transition shouldn't fail
> > > altogether; it should just fall back to staying in httpd_t instead of
> > > httpd_sys_script_t.  You'd get the log message but then it would just
> > > proceed under the old domain.
> > 
> > For example, on Fedora:
> > $ cat /var/www/cgi-bin/foo.cgi
> > #!/bin/sh
> > echo "Content-type: text/plain"
> > echo ""
> > id -Z
> > exit 0
> > $ curl localhost/cgi-bin/foo.cgi
> > system_u:system_r:httpd_sys_script_t:s0
> > $ sudo mount --bind /var/www /var/www
> > $ mount -o remount,nosuid,bind /var/www /var/www
> > $ sudo service httpd restart
> > $ curl localhost/cgi-bin/foo.cgi
> > system_u:system_r:httpd_t:s0
> > $ sudo umount /var/www
> > $ sudo ausearch -m SELINUX_ERR,AVC -ts recent
> > time->Mon May 22 15:03:56 2017
> > type=PROCTITLE msg=audit(1495479836.876:5483): proctitle=2F62696E2F7368002F7661722F7777772F6367692D62696E2F666F6F2E636769
> > type=PATH msg=audit(1495479836.876:5483): item=2 name="/lib64/ld-linux-x86-64.so.2" inode=2623178 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
> > type=PATH msg=audit(1495479836.876:5483): item=1 name="/bin/sh" inode=2646852 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL
> > type=PATH msg=audit(1495479836.876:5483): item=0 name="/var/www/cgi-bin/foo.cgi" inode=538621 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:httpd_sys_script_exec_t:s0 nametype=NORMAL
> > type=CWD msg=audit(1495479836.876:5483): cwd="/var/www/cgi-bin"
> > type=EXECVE msg=audit(1495479836.876:5483): argc=2 a0="/bin/sh" a1="/var/www/cgi-bin/foo.cgi"
> > type=SYSCALL msg=audit(1495479836.876:5483): arch=c000003e syscall=59 success=yes exit=0 a0=560095ae07e8 a1=560095ae3d00 a2=560095ae3d18 a3=8 items=3 ppid=10885 pid=10925 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="foo.cgi" exe="/usr/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)
> > type=SELINUX_ERR msg=audit(1495479836.876:5483): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:httpd_t:s0 newcontext=system_u:system_r:httpd_sys_script_t:s0
> > 
> > So I don't get a hard failure; it logs the error but just devolves to
> > staying in httpd_t.
> > 
> > Can you reproduce the above on your RHEL7.3 system?
> 
> Oh, I see - it will fail on the execute_no_trans permission check,
> since policy doesn't allow httpd_t to execute httpd_sys_script_exec_t
> without changing domains.  So that's correct behavior.  But you should
> have had an AVC message on that.

Sigh...it seems to be dontaudit'd in Fedora policy.  semodule -DB would
have shown it.

> 
> Now I have to figure out why Fedora didn't deny it...

Seems to have been cruft in the test environment; now working as
expected.

> 
> > 
> > > 
> > > > Everything is working as expected now.  If I want to mitigate some
> > > > risk, and still use "nosuid" for /var/www/ ....  I'll need to split
> > > > /var/www/cgi-bin away from /var/www/ ...
> > > 
> > > The other alternative would be to use typebounds, but that likely
> > > wouldn't be straightforward.
> > > 
> > > > 
> > > > Thank you both for your time and help
> > > > -chris

^ permalink raw reply	[flat|nested] 13+ messages in thread
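Added example, not code from the thread: a small correlator over ausearch records like the ones quoted above. It groups records by audit serial, reports each denied bounded transition together with the executing binary and the target file's context, and records whether an execute_no_trans AVC accompanied it, since the absence of one is the dontaudit case Stephen ran into (semodule -DB). The sample records are constructed from the event in the thread; the findmnt follow-up string is this example's own assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ausearch event above (serial 5483);
# PROCTITLE and the ld.so/sh PATH items are omitted for brevity.
SAMPLE = """\
type=PATH msg=audit(1495479836.876:5483): item=0 name="/var/www/cgi-bin/foo.cgi" obj=unconfined_u:object_r:httpd_sys_script_exec_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(1495479836.876:5483): arch=c000003e syscall=59 success=yes exit=0 uid=48 comm="foo.cgi" exe="/usr/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)
type=SELINUX_ERR msg=audit(1495479836.876:5483): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:httpd_t:s0 newcontext=system_u:system_r:httpd_sys_script_t:s0
"""
SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by (timestamp, serial); each record is a dict of its fields."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = SERIAL_RE.search(line)
        if not m:
            continue  # 'time->' headers and '----' separators carry no fields
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        rec["_raw"] = line  # AVC permission sets '{ ... }' are not key=value
        events[m.groups()].append(rec)
    return events

def first(recs, **match):
    """First record whose fields all equal the given values, else {}."""
    return next((r for r in recs if all(r.get(k) == v for k, v in match.items())), {})

def failed_transitions(text):
    """One finding per event in which the kernel refused a bounded domain transition."""
    findings = []
    for (_ts, serial), recs in parse_events(text).items():
        err = first(recs, type="SELINUX_ERR", op="security_bounded_transition", seresult="denied")
        if not err:
            continue
        sc, target = first(recs, type="SYSCALL"), first(recs, type="PATH", item="0")
        findings.append({
            "serial": serial, "exe": sc.get("exe"), "uid": sc.get("uid"),
            "old": err["oldcontext"], "new": err["newcontext"],
            "target": target.get("name"), "target_ctx": target.get("obj"),
            # False with success=yes: the exec ran on in oldcontext, or the
            # execute_no_trans denial is dontaudit'd (semodule -DB reveals it).
            "execute_no_trans_avc": any(r.get("type") == "AVC"
                                        and "execute_no_trans" in r["_raw"] for r in recs),
            # Assumed follow-up, since the thread's root cause was a nosuid mount.
            "mount_check": "findmnt -T %s -o TARGET,OPTIONS" % target.get("name", "<path>"),
        })
    return findings
```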

Thread overview: 13+ messages
2017-05-22 16:29 RHEL 7.3 : httpd : type=SELINUX_ERR op=security_bounded_transition seresult=denied Chris O'Neil
2017-05-22 16:58 ` Dominick Grift
2017-05-22 17:16   ` Chris O'Neil
2017-05-22 17:35     ` Dominick Grift
2017-05-22 18:18 ` Stephen Smalley
2017-05-22 18:23   ` Dominick Grift
2017-05-22 18:29     ` Dominick Grift
2017-05-22 18:32     ` Chris O'Neil
2017-05-22 18:45       ` Stephen Smalley
2017-05-22 19:05         ` Stephen Smalley
2017-05-22 19:30           ` Stephen Smalley
2017-05-22 20:52             ` Stephen Smalley
2017-05-22 18:33     ` Stephen Smalley
