Lars Poulsen
15 years ago
I am trying to get my Fedora 12 systems to run cleanly with SELinux
enabled. Previously I had just been running in permissive mode and
mostly ignoring the alerts, but my ambition level has gone up!
After a few days of following up on every alert I saw by tweaking
booleans and file context types appropriately, I am pleased with how
few violations are being reported, but I am now getting to some that
I cannot figure out, such as the one below.
It originates in a CGI script written in PERL. In my installations,
the base of the website data is in /home/httpd rather than in
/var/www; this choice is because I try to keep permanent data that
should be kept across OS version updates out of the root filesystem,
and the website is too small to merit a filesystem of its own. It
does mean that I need to tweek a bunch of labels, such as
* setsebool -P httpd_read_user_content 1
* setsebool -P httpd_enable_home_dirs 1
* setsebool -P httpd_read_user_content 1
* setsebool -P samba_enable_home_dirs 1
* setsebool -P use_samba_home_dirs 1
* setsebool -P samba_export_all_rw 1
*
* chcon -R -t httpd_user_content_t /var/log/phone
* chcon -R -t httpd_user_content_t /home/httpd/twiki/data
* chcon -R -t httpd_sys_script_exec_t /home/httpd/twiki/bin
* chcon -R -t httpd_sys_script_exec_t /home/httpd/cgi-bin
* chcon -t httpd_sys_content_t /home/httpd
* chcon -R -t httpd_sys_content_t /home/httpd/html
* chcon -R -t httpd_user_content_t /home/sales/serial
* chcon -R -t htppd_user_content_t /home/sales/leads
But the one that baffles me the most is this one, which comes up when
I trigger the CGI script /home/httpd/cgi-bin/serial.cgi (written in PERL).
I *think* the "search" access is triggered when the script is launched.
SELinux says that / is labeled as user_home_dir_t, but this is not
true; ls -Zd confirms that it is indeed labeled as root_t. And even
if it were labeled user_homme_dir_t, should the boolean
httpd_enable_home_dirs not make it allright ?
Any insights would be appreciated.
Lars Poulsen
Afar Communications
-------------------------------------------------------------------------------------------------------------------------
Summary:
SELinux is preventing /usr/bin/perl "search" access to /.
Detailed Description:
[SELinux is in permissive mode. This access was not denied.]
SELinux denied access requested by serial.cgi. / may be a mislabeled. / default
SELinux type is root_t, but its current type is user_home_dir_t. Changing this
file back to the default type, may fix your problem.
File contexts can be assigned to a file in the following ways.
* Files created in a directory receive the file context of the parent
directory by default.
* The SELinux policy might override the default label inherited from the
parent directory by specifying a process running in context A
which creates
a file in a directory labeled B will instead create the file with label C.
An example of this would be the dhcp client running with the
dhclient_t type
and creating a file in the directory /etc. This file would
normally receive
the etc_t type due to parental inheritance but instead the file is labeled
with the net_conf_t type because the SELinux policy specifies this.
* Users can change the file context on a file using tools such as chcon, or
restorecon.
This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.
However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.
If you believe this is a bug, please file a bug report against this package.
Allowing Access:
You can restore the default system context to this file by executing the
restorecon command. restorecon '/', if this file is a directory, you can
recursively restore using restorecon -R '/'.
Fix Command:
/sbin/restorecon '/'
Additional Information:
Source Context system_u:system_r:httpd_sys_script_t:s0
Target Context unconfined_u:object_r:user_home_dir_t:s0
Target Objects / [ dir ]
Source serial.cgi
Source Path /usr/bin/perl
Port <Unknown>
Host shadow.afar.net
Source RPM Packages perl-5.10.0-87.fc12
Target RPM Packages filesystem-2.4.30-2.fc12
Policy RPM selinux-policy-3.6.32-113.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Plugin Name restorecon
Host Name shadow.afar.net
Platform Linux shadow.afar.net 2.6.32.11-99.fc12.i686.PAE
#1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686
Alert Count 6
First Seen Tue 04 May 2010 10:27:30 AM PDT
Last Seen Tue 04 May 2010 11:15:28 AM PDT
Local ID 6cee89bd-3559-4483-9802-fa2dc320bd26
Line Numbers
Raw Audit Messages
node=shadow.afar.net type=AVC msg=audit(1272996928.152:22292):
avc: denied { search } for pid=15632 comm="serial.cgi" name="/"
dev=dm-7 ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
node=shadow.afar.net type=SYSCALL msg=audit(1272996928.152:22292):
arch=40000003 syscall=5 success=yes exit=3 a0=8b6767c a1=8000 a2=0
a3=0 items=0 ppid=31549 pid=15632 auid=4294967295 uid=48 gid=489
euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none)
ses=4294967295 comm="serial.cgi" exe="/usr/bin/perl"
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
enabled. Previously I had just been running in permissive mode and
mostly ignoring the alerts, but my ambition level has gone up!
After a few days of following up on every alert I saw by tweaking
booleans and file context types appropriately, I am pleased with how
few violations are being reported, but I am now getting to some that
I cannot figure out, such as the one below.
It originates in a CGI script written in PERL. In my installations,
the base of the website data is in /home/httpd rather than in
/var/www; this choice is because I try to keep permanent data that
should be kept across OS version updates out of the root filesystem,
and the website is too small to merit a filesystem of its own. It
does mean that I need to tweek a bunch of labels, such as
* setsebool -P httpd_read_user_content 1
* setsebool -P httpd_enable_home_dirs 1
* setsebool -P httpd_read_user_content 1
* setsebool -P samba_enable_home_dirs 1
* setsebool -P use_samba_home_dirs 1
* setsebool -P samba_export_all_rw 1
*
* chcon -R -t httpd_user_content_t /var/log/phone
* chcon -R -t httpd_user_content_t /home/httpd/twiki/data
* chcon -R -t httpd_sys_script_exec_t /home/httpd/twiki/bin
* chcon -R -t httpd_sys_script_exec_t /home/httpd/cgi-bin
* chcon -t httpd_sys_content_t /home/httpd
* chcon -R -t httpd_sys_content_t /home/httpd/html
* chcon -R -t httpd_user_content_t /home/sales/serial
* chcon -R -t htppd_user_content_t /home/sales/leads
But the one that baffles me the most is this one, which comes up when
I trigger the CGI script /home/httpd/cgi-bin/serial.cgi (written in PERL).
I *think* the "search" access is triggered when the script is launched.
SELinux says that / is labeled as user_home_dir_t, but this is not
true; ls -Zd confirms that it is indeed labeled as root_t. And even
if it were labeled user_homme_dir_t, should the boolean
httpd_enable_home_dirs not make it allright ?
Any insights would be appreciated.
Lars Poulsen
Afar Communications
-------------------------------------------------------------------------------------------------------------------------
Summary:
SELinux is preventing /usr/bin/perl "search" access to /.
Detailed Description:
[SELinux is in permissive mode. This access was not denied.]
SELinux denied access requested by serial.cgi. / may be a mislabeled. / default
SELinux type is root_t, but its current type is user_home_dir_t. Changing this
file back to the default type, may fix your problem.
File contexts can be assigned to a file in the following ways.
* Files created in a directory receive the file context of the parent
directory by default.
* The SELinux policy might override the default label inherited from the
parent directory by specifying a process running in context A
which creates
a file in a directory labeled B will instead create the file with label C.
An example of this would be the dhcp client running with the
dhclient_t type
and creating a file in the directory /etc. This file would
normally receive
the etc_t type due to parental inheritance but instead the file is labeled
with the net_conf_t type because the SELinux policy specifies this.
* Users can change the file context on a file using tools such as chcon, or
restorecon.
This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.
However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.
If you believe this is a bug, please file a bug report against this package.
Allowing Access:
You can restore the default system context to this file by executing the
restorecon command. restorecon '/', if this file is a directory, you can
recursively restore using restorecon -R '/'.
Fix Command:
/sbin/restorecon '/'
Additional Information:
Source Context system_u:system_r:httpd_sys_script_t:s0
Target Context unconfined_u:object_r:user_home_dir_t:s0
Target Objects / [ dir ]
Source serial.cgi
Source Path /usr/bin/perl
Port <Unknown>
Host shadow.afar.net
Source RPM Packages perl-5.10.0-87.fc12
Target RPM Packages filesystem-2.4.30-2.fc12
Policy RPM selinux-policy-3.6.32-113.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Plugin Name restorecon
Host Name shadow.afar.net
Platform Linux shadow.afar.net 2.6.32.11-99.fc12.i686.PAE
#1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686
Alert Count 6
First Seen Tue 04 May 2010 10:27:30 AM PDT
Last Seen Tue 04 May 2010 11:15:28 AM PDT
Local ID 6cee89bd-3559-4483-9802-fa2dc320bd26
Line Numbers
Raw Audit Messages
node=shadow.afar.net type=AVC msg=audit(1272996928.152:22292):
avc: denied { search } for pid=15632 comm="serial.cgi" name="/"
dev=dm-7 ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
node=shadow.afar.net type=SYSCALL msg=audit(1272996928.152:22292):
arch=40000003 syscall=5 success=yes exit=3 a0=8b6767c a1=8000 a2=0
a3=0 items=0 ppid=31549 pid=15632 auid=4294967295 uid=48 gid=489
euid=48 suid=48 fsuid=48 egid=489 sgid=489 fsgid=489 tty=(none)
ses=4294967295 comm="serial.cgi" exe="/usr/bin/perl"
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)