Discussion:
SELinux is preventing httpd from create access
Mahmood Naderan
2018-11-08 09:02:47 UTC
Permalink
Hi,
Whenever I upload a file via my web browser to my web server, I see the following lines in /var/log/messages

Nov 8 12:18:24 sn setroubleshoot: SELinux is preventing httpd from create access on the file temp_5be3f85348052_5be3f85347985.docx. For complete SELinux messages run: sealert -l 335e7781-6a68-4ca6-827f-073f93829f2d
Nov 8 12:18:24 sn python: SELinux is preventing httpd from create access on the file temp_5be3f85348052_5be3f85347985.docx.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that httpd should be allowed create access on the temp_5be3f85348052_5be3f85347985.docx file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'httpd' --raw | audit2allow -M my-httpd#012# semodule -i my-httpd.pp#012


While the format is ugly, I ran sealert -l 335e7781-6a68-4ca6-827f-073f93829f2d and see

SELinux is preventing httpd from create access on the file temp_5be3f85348052_5be3f85347985.docx.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that httpd should be allowed create access on the temp_5be3f85348052_5be3f85347985.docx file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:user_home_t:s0
Target Objects temp_5be3f85348052_5be3f85347985.docx [ file ]
Source httpd
Source Path httpd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages httpd-2.4.6-80.el7.centos.1.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-192.el7_5.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name sn.somewhere.com
Platform Linux sn.somewhere.com 3.10.0-862.11.6.el7.x86_64 #1
SMP Tue Aug 14 21:49:04 UTC 2018 x86_64 x86_64
Alert Count 2
First Seen 2018-11-08 12:16:06 +0330
Last Seen 2018-11-08 12:18:19 +0330
Local ID 335e7781-6a68-4ca6-827f-073f93829f2d

Raw Audit Messages
type=AVC msg=audit(1541666899.294:27636): avc: denied { create } for pid=25734 comm="httpd" name="temp_5be3f85348052_5be3f85347985.docx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file


type=SYSCALL msg=audit(1541666899.294:27636): arch=x86_64 syscall=open success=no exit=EACCES a0=7ffc8a052400 a1=241 a2=1b6 a3=2823ea08d07abe97 items=0 ppid=13555 pid=25734 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,user_home_t,file,create

I did run the two commands and everything seems normal:

# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-httpd.pp

# semodule -i my-httpd.pp
#


However, after uploading the file once again, I see those messages in the log again and again.

How to fix that?




Regards,
Mahmood
Thomas Mueller
2018-11-08 09:21:58 UTC
Permalink
Post by Mahmood Naderan
Hi,
Whenever I upload a file via my web browser to my web server, I see the
following lines in /var/log/messages
...
denied { create } for pid=25734 comm="httpd"
name="temp_5be3f85348052_5be3f85347985.docx"
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:user_home_t:s0 tclass=file type=SYSCALL
msg=audit(1541666899.294:27636): arch=x86_64 syscall=open success=no
exit=EACCES a0=7ffc8a052400 a1=241 a2=1b6 a3=2823ea08d07abe97 items=0
ppid=13555 pid=25734 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd
exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
...
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
******************** IMPORTANT *********************** To make this
policy package active, execute: semodule -i my-httpd.pp
# semodule -i my-httpd.pp
#
I don't think audit2allow produces a good solution for this problem.

What is the full path to the file Apache fails to write?



- Thomas
Mahmood Naderan
2018-11-08 09:30:52 UTC
Permalink
It is


/var/www/html/ow_plugins/ow_userfiles/plugins/base/attachment/temp_5be3f85348052_5be3f85347985.docx



I also get this message while uploading a plugin file (zip file)

SELinux is preventing /usr/sbin/httpd from setattr access on the file /var/www/html/ow_pluginfiles/base/lang_3.php.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label.
/var/www/html/ow_pluginfiles/base/lang_3.php default label should be httpd_sys_content_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /var/www/html/ow_pluginfiles/base/lang_3.php

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that httpd should be allowed setattr access on the lang_3.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /var/www/html/ow_pluginfiles/base/lang_3.php [
                              file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           httpd-2.4.6-80.el7.centos.1.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-192.el7_5.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     sn.scu.ac.ir
Platform                      Linux sn.scu.ac.ir 3.10.0-862.11.6.el7.x86_64 #1
                              SMP Tue Aug 14 21:49:04 UTC 2018 x86_64 x86_64
Alert Count                   4
First Seen                    2018-11-08 12:47:44 +0330
Last Seen                     2018-11-08 12:47:45 +0330
Local ID                      3abcf430-043b-4d78-ba62-91c14416a2d5

Raw Audit Messages
type=AVC msg=audit(1541668665.173:28113): avc:  denied  { setattr } for  pid=24134 comm="httpd" name="lang_3.php" dev="dm-0" ino=2316067 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


type=SYSCALL msg=audit(1541668665.173:28113): arch=x86_64 syscall=chmod success=no exit=EACCES a0=7f1040ea3478 a1=1b6 a2=7f10599c8300 a3=7f105999a550 items=0 ppid=13555 pid=24134 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,user_home_t,file,setattr







Problem occurred after an unexpected shutdown of the server!


Regards,
Mahmood






Thomas Mueller
2018-11-08 09:38:21 UTC
Permalink
Post by Mahmood Naderan
It is
/var/www/html/ow_plugins/ow_userfiles/plugins/base/attachment/temp_5be3f85348052_5be3f85347985.docx
I suspect someone copied or moved files from $HOME to /var/www/html/*
because user_home_t is not a label for /var/www/html

I would propose that you:

# remove your custom module
semodule -u my-httpd

# add a local fcontext to the directory that httpd needs read-write access to
semanage fcontext \
  --add \
  --type httpd_sys_rw_content_t \
  '/var/www/html/ow_plugins/ow_userfiles/plugins/base/attachment(/.*)?'

# reset all labels to default
restorecon -rv /var/www

- Thomas
Mahmood Naderan
2018-11-08 09:51:04 UTC
Permalink
Sorry Thomas, I made a mistake while pasting the path. The correct path is

[***@sn html]# find . -name
./ow_userfiles/plugins/base/attachments/temp_5be3f85348052_5be3f85347985.docx
[***@sn html]# 



Do you still say that it is better to remove my-httpd?

What I want to know is why SELinux prevents that creation. SELinux suggests some commands to fix that, but the suggestion has no effect, and it doesn't say anything about the root of the problem.
The list of attributes regarding httpd is
# semanage boolean -l | grep httpd
httpd_can_network_relay (off , off) Allow httpd to can network relay
httpd_can_connect_mythtv (off , off) Allow httpd to can connect mythtv
httpd_can_network_connect_db (off , off) Allow httpd to can network connect db
httpd_use_gpg (off , off) Allow httpd to use gpg
httpd_dbus_sssd (off , off) Allow httpd to dbus sssd
httpd_enable_cgi (on , on) Allow httpd to enable cgi
httpd_verify_dns (off , off) Allow httpd to verify dns
httpd_dontaudit_search_dirs (off , off) Allow httpd to dontaudit search dirs
httpd_use_cifs (off , off) Allow httpd to use cifs
httpd_manage_ipa (off , off) Allow httpd to manage ipa
httpd_run_stickshift (off , off) Allow httpd to run stickshift
httpd_enable_homedirs (off , off) Allow httpd to enable homedirs
httpd_dbus_avahi (off , off) Allow httpd to dbus avahi
httpd_unified (on , on) Allow httpd to unified
httpd_mod_auth_pam (off , off) Allow httpd to mod auth pam
httpd_can_network_connect (on , on) Allow httpd to can network connect
httpd_execmem (off , off) Allow httpd to execmem
httpd_use_fusefs (off , off) Allow httpd to use fusefs
httpd_mod_auth_ntlm_winbind (off , off) Allow httpd to mod auth ntlm winbind
httpd_use_sasl (off , off) Allow httpd to use sasl
httpd_tty_comm (off , off) Allow httpd to tty comm
httpd_sys_script_anon_write (off , off) Allow httpd to sys script anon write
httpd_graceful_shutdown (on , on) Allow httpd to graceful shutdown
httpd_can_connect_ftp (on , on) Allow httpd to can connect ftp
httpd_run_ipa (off , off) Allow httpd to run ipa
httpd_read_user_content (on , on) Allow httpd to read user content
httpd_use_nfs (off , off) Allow httpd to use nfs
httpd_can_connect_zabbix (off , off) Allow httpd to can connect zabbix
httpd_tmp_exec (off , off) Allow httpd to tmp exec
httpd_run_preupgrade (off , off) Allow httpd to run preupgrade
httpd_can_sendmail (on , on) Allow httpd to can sendmail
httpd_builtin_scripting (on , on) Allow httpd to builtin scripting
httpd_can_connect_ldap (off , off) Allow httpd to can connect ldap
httpd_can_check_spam (off , off) Allow httpd to can check spam
httpd_can_network_memcache (off , off) Allow httpd to can network memcache
httpd_can_network_connect_cobbler (off , off) Allow httpd to can network connect cobbler
httpd_anon_write (off , off) Allow httpd to anon write
httpd_serve_cobbler_files (off , off) Allow httpd to serve cobbler files
httpd_ssi_exec (off , off) Allow httpd to ssi exec
httpd_use_openstack (off , off) Allow httpd to use openstack
httpd_enable_ftp_server (off , off) Allow httpd to enable ftp server
httpd_setrlimit (off , off) Allow httpd to setrlimit





Regards,
Mahmood



Thomas Mueller
2018-11-08 10:06:01 UTC
Permalink
Post by Mahmood Naderan
Sorry Thomas, I made a mistake while pasting the path. The correct path is
./ow_userfiles/plugins/base/attachments/temp_5be3f85348052_5be3f85347985.docx
I don't understand what you want to say.

./ow_userfiles/plugins/base/attachments/temp_5be3f85348052_5be3f85347985.docx

is a relative path, not an absolute path.
Post by Mahmood Naderan
Do you still say that it is better to remove my-httpd?
Yes. But based on your absolute path to the directory where your httpd
needs write access, selinux fcontext --add requires an adjusted regex.
Post by Mahmood Naderan
Thing that I want to know is that, why selinux prevents that creation?
Selinux suggests some commands to fix that. While the suggestion has
no effect, it doesn't say about the root of the problem.
Because SELinux is about preventing things that are not allowed. httpd
is normally exposed to the network and a good target for hackers. So the
default policy gives httpd the least privileges that are possible.

audit2allow only works for easy problems. Your problem is that someone
moved files from $HOME to /var/www. Move also moves SELinux filesystem
labels. Now you've got files with wrong labels in /var/www. This is no
easy problem to solve for a computer tool.
Post by Mahmood Naderan
The list of attributes regarding httpd are
|# semanage boolean -l | grep httpd|
Booleans are not filesystem labels/types. What did you want to show
with the list?
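The pieces of this thread (Thomas's fcontext/restorecon procedure, the restorecon hint sealert gave for lang_3.php, and the point that audit2allow only fits easy cases) can be turned into a small triage tool. The Python below is an added example written for this page; it is not code from the thread, from setroubleshoot, or from the SELinux project. It parses the two raw AVC records posted above, decides whether each denial is a stray label or a genuine policy gap by comparing the file's current type with what a file_contexts table would assign to that path, and then emits the commands a practitioner would run: a semanage fcontext pattern built from the corrected absolute path (regex metacharacters escaped, (/.*)? appended) followed by a recursive restorecon, or, only for a real policy gap, the allow rule audit2allow would have generated. Assumptions that are not in the thread: the FILE_CONTEXTS table is a constructed two-entry stand-in for the real policy file, the longest-stem matching rule is a simplification of libselinux's lookup order, the WRITE_PERMS set and the choice of httpd_sys_rw_content_t for write-type denials are this example's own heuristic, and the full paths come from Mahmood's replies because an AVC record only carries the basename. Nothing is executed; the commands are returned as strings for review.

```python
"""Triage the AVC denials from this thread: stray label, or a real policy gap?"""
import re
from dataclasses import dataclass
from typing import List, Optional

# The two raw AVC records posted in the thread, copied verbatim.
AVC_LINES = [
    'type=AVC msg=audit(1541666899.294:27636): avc: denied { create } for pid=25734 comm="httpd" '
    'name="temp_5be3f85348052_5be3f85347985.docx" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1541668665.173:28113): avc:  denied  { setattr } for  pid=24134 comm="httpd" '
    'name="lang_3.php" dev="dm-0" ino=2316067 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]

# An AVC record only carries the basename; the absolute paths come from Mahmood's replies.
PATHS = {
    "temp_5be3f85348052_5be3f85347985.docx":
        "/var/www/html/ow_userfiles/plugins/base/attachments/temp_5be3f85348052_5be3f85347985.docx",
    "lang_3.php": "/var/www/html/ow_pluginfiles/base/lang_3.php",
}

# Constructed two-entry stand-in for the policy's file_contexts: (regex, type).
# The patterns mirror what the targeted policy ships for /home and /var/www, but this is a toy table.
FILE_CONTEXTS = [
    (r"/home/[^/]+/.+", "user_home_t"),
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
]

# Heuristic (this example's assumption): these permissions need a read-write content type,
# so a correct label alone (httpd_sys_content_t, read-only for httpd_t) would not be enough.
WRITE_PERMS = {"create", "write", "append", "setattr", "unlink", "rename", "link",
               "rmdir", "add_name", "remove_name"}


@dataclass
class Avc:
    perm: str
    comm: str
    name: str
    stype: str   # source (subject) type, e.g. httpd_t
    ttype: str   # target (object) type, e.g. user_home_t
    tclass: str  # object class, e.g. file


_AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perm>\w+)\s*\}.*?comm="(?P<comm>[^"]+)".*?name="(?P<name>[^"]+)"'
    r'.*?scontext=\w+:\w+:(?P<stype>\w+):\S+\s+tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+tclass=(?P<tclass>\w+)'
)


def parse_avc(line: str) -> Avc:
    """Pull the fields that matter out of one raw 'type=AVC' audit record."""
    m = _AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record: " + line)
    return Avc(**m.groupdict())


def expected_type(path: str, specs=FILE_CONTEXTS) -> Optional[str]:
    """Toy matchpathcon: of all specs whose regex matches the whole path, take the one with the
    longest literal stem (text before the first regex metacharacter). Simplification of libselinux's
    ordering; on a real host use `matchpathcon -V PATH` or `restorecon -nv PATH` instead."""
    best = None
    for regex, ftype in specs:
        if re.fullmatch(regex, path):
            stem = re.split(r"[\[\].*?+(){}^$|\\]", regex, maxsplit=1)[0]
            if best is None or len(stem) > len(best[0]):
                best = (stem, ftype)
    return best[1] if best else None


def diagnose(avc: Avc, path: str) -> str:
    """'mislabel' when the file's type is not what the policy assigns to that path
    (user_home_t under /var/www after a mv); otherwise a genuine 'policy-gap'."""
    want = expected_type(path)
    return "mislabel" if want is not None and want != avc.ttype else "policy-gap"


def audit2allow_rule(avc: Avc) -> str:
    """The rule audit2allow would generate from this denial. For a mislabel it is the wrong fix:
    it lets httpd_t act on every user_home_t file on the system, not just the stray one."""
    return f"allow {avc.stype} {avc.ttype}:{avc.tclass} {avc.perm};"


_RE_META = set(".*?+()[]{}^$|\\")


def fcontext_spec(directory: str) -> str:
    """Turn an absolute directory into a semanage fcontext pattern: escape regex metacharacters
    in the literal path and append (/.*)? so the whole subtree is covered."""
    literal = "".join("\\" + c if c in _RE_META else c for c in directory.rstrip("/"))
    return literal + "(/.*)?"


def remediation(avc: Avc, path: str) -> List[str]:
    """Commands a practitioner would run, returned as strings; nothing is executed here."""
    directory = path.rsplit("/", 1)[0]
    if diagnose(avc, path) == "mislabel":
        cmds = []
        if avc.perm in WRITE_PERMS:
            cmds.append(f"semanage fcontext -a -t httpd_sys_rw_content_t '{fcontext_spec(directory)}'")
        cmds.append(f"restorecon -Rv {directory}")
        return cmds
    # Only when the label already matches the policy default does a local module make sense.
    return [f"# policy gap, review before loading: {audit2allow_rule(avc)}"]


if __name__ == "__main__":
    for line in AVC_LINES:
        avc = parse_avc(line)
        path = PATHS[avc.name]
        print(f"{avc.perm:8} {path}: {avc.ttype} (expected {expected_type(path)}) -> {diagnose(avc, path)}")
        for cmd in remediation(avc, path):
            print("   ", cmd)
```

On a live host, feed `ausearch -m AVC -c httpd --raw` output to parse_avc and replace the toy table with the answer from `matchpathcon -V` or `restorecon -nv` on the real path. The check that matters is the last one in remediation: a local module is justified only when the target type already matches the policy's default for that path; otherwise audit2allow silently bakes the mislabel into policy, which is exactly why the my-httpd module in this thread changed nothing.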
Mahmood Naderan
2018-11-08 11:41:09 UTC
Permalink
Post by Thomas Mueller
# remove your custom module
semodule -u my-httpd
[***@sn html]# semodule -u my-httpd
The --upgrade option is deprecated. Use --install instead.
libsemanage.map_file: Unable to open my-httpd
 (No such file or directory).
libsemanage.semanage_direct_install_file: Unable to read file my-httpd
 (No such file or directory).
semodule:  Failed on my-httpd!






Regards,
Mahmood
Thomas Mueller
2018-11-08 11:46:07 UTC
Permalink
Post by Mahmood Naderan
Post by Thomas Mueller
# remove your custom module
semodule -u my-httpd
The --upgrade option is deprecated. Use --install instead.
libsemanage.map_file: Unable to open my-httpd
 (No such file or directory).
libsemanage.semanage_direct_install_file: Unable to read file my-httpd
 (No such file or directory).
semodule:  Failed on my-httpd!
Sorry, my fault. Not -u, it's -r (--remove)


# semodule --help
usage:  semodule [option]... MODE...
Manage SELinux policy modules.
MODES:
  -R, --reload            reload policy
  -B, --build            build and reload policy
  -D,--disable_dontaudit    Remove dontaudits from policy
  -i,--install=MODULE_PKG   install a new module
  -r,--remove=MODULE_NAME   remove existing module at desired priority
  -l[KIND],--list-modules[=KIND]  display list of installed modules
     KIND:  standard  list highest priority, enabled modules
            full      list all modules
  -X,--priority=PRIORITY    set priority for following operations (1-999)
  -e,--enable=MODULE_NAME   enable module
  -d,--disable=MODULE_NAME  disable module
  -E,--extract=MODULE_NAME  extract module
Options:
  -s,--store       name of the store to operate on
  -N,-n,--noreload do not reload policy after commit
  -h,--help        print this message and quit
  -v,--verbose     be verbose
  -P,--preserve_tunables    Preserve tunables in policy
  -C,--ignore-module-cache    Rebuild CIL modules compiled from HLL files
  -p,--path        use an alternate path for the policy root
  -S,--store-path  use an alternate path for the policy store root
  -c, --cil extract module as cil. This only affects module extraction.
  -H, --hll extract module as hll. This only affects module extraction.
_______________________________________________
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines