[CentOS] SELinux blocking cgi script from writing to socket (httpd_t)

2012-01-11 Thread Bennett Haselton
Is this really supposed to get easier over time? :)  Now my audit.log 
file shows that SELinux is blocking my cgi script, index.cgi (which is 
what's actually served when the user visits the front page of one of our 
proxy sites like sugarsurfer.com) from having 'read write to socket 
(httpd_t)'.  I have no idea what that means, except that I thought that 
cgi scripts were supposed to be able to write to stdout so that the web 
server could send the data via a socket connection to the end user's 
browser, so I don't know why a CGI script would be blocked from writing 
to a socket with security context httpd_t.

The only clue that might narrow it down is the line Target 
Objectssocket [ udp_socket ].  The sockets that the cgi 
scripts usually send output to are of course tcp sockets, so why would 
it say udp?  The only time one of my cgi scripts might use udp would be 
if it were doing a hostname lookup via dns, but the index.cgi script 
doesn't do that at any point.

What would the pros do at this point?

***

Summary:

SELinux is preventing index.cgi (httpd_sys_script_t) read write to socket
(httpd_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by index.cgi. It is not expected that this
access is required by index.cgi and this access may signal an intrusion 
attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can 
disable
SELinux protection altogether. Disabling SELinux protection is not 
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Contextsystem_u:system_r:httpd_sys_script_t
Target Contextsystem_u:system_r:httpd_t
Target Objectssocket [ udp_socket ]
Sourceindex.cgi
Source Path Unknown
Port Unknown
Host Unknown
Source RPM Packages
Target RPM Packages
Policy RPMselinux-policy-2.4.6-316.el5
Selinux Enabled   True
Policy Type   targeted
MLS Enabled   True
Enforcing ModePermissive
Plugin Name   catchall
Host Name g6950-21025.securedservers.com
Platform  Linux g6950-21025.securedservers.com
   2.6.18-274.12.1.el5 #1 SMP Tue Nov 29 
13:37:46 EST
   2011 x86_64 x86_64
Alert Count   1
First SeenWed Jan 11 09:34:13 2012
Last Seen Wed Jan 11 09:34:13 2012
Local ID  2adcd43d-7b8b-4e17-bb93-ad11a35f378a
Line Numbers  1

Raw Audit Messages

type=AVC msg=audit(1326303253.473:3626): avc:  denied  { read write } 
for  pid=6668 comm=index.cgi path=socket:[415055] dev=sockfs 
ino=415055 scontext=system_u:system_r:httpd_sys_script_t:s0 
tcontext=system_u:system_r:httpd_t:s0 tclass=udp_socket

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] SELinux blocking cgi script from writing to socket (httpd_t)

2012-01-11 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/11/2012 01:18 PM, Bennett Haselton wrote:
 Is this really supposed to get easier over time? :)  Now my
 audit.log file shows that SELinux is blocking my cgi script,
 index.cgi (which is what's actually served when the user visits the
 front page of one of our proxy sites like sugarsurfer.com) from
 having 'read write to socket (httpd_t)'.  I have no idea what
 that means, except that I thought that cgi scripts were supposed to
 be able to write to stdout so that the web server could send the
 data via a socket connection to the end user's browser, so I don't
 know why a CGI script would be blocked from writing to a socket
 with security context httpd_t.
 
 The only clue that might narrow it down is the line Target Objects
 socket [ udp_socket ].  The sockets that the cgi scripts usually
 send output to are of course tcp sockets, so why would it say udp?
 The only time one of my cgi scripts might use udp would be if it
 were doing a hostname lookup via dns, but the index.cgi script 
 doesn't do that at any point.
 
 What would the pros do at this point?
 
 ***
 
 Summary:
 
 SELinux is preventing index.cgi (httpd_sys_script_t) read write
 to socket (httpd_t).
 
 Detailed Description:
 
 [SELinux is in permissive mode, the operation would have been
 denied but was permitted due to permissive mode.]
 
 SELinux denied access requested by index.cgi. It is not expected
 that this access is required by index.cgi and this access may
 signal an intrusion attempt. It is also possible that the specific
 version or configuration of the application is causing it to
 require additional access.
 
 Allowing Access:
 
 You can generate a local policy module to allow this access - see
 FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or
 you can disable SELinux protection altogether. Disabling SELinux
 protection is not recommended. Please file a bug report
 (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
 package.
 
 Additional Information:
 
 Source Contextsystem_u:system_r:httpd_sys_script_t 
 Target Contextsystem_u:system_r:httpd_t Target
 Objectssocket [ udp_socket ] Source
 index.cgi Source Path Unknown Port Unknown Host Unknown 
 Source RPM Packages Target RPM Packages Policy RPM
 selinux-policy-2.4.6-316.el5 Selinux Enabled   True 
 Policy Type   targeted MLS Enabled
 True Enforcing ModePermissive Plugin Name
 catchall Host Name
 g6950-21025.securedservers.com Platform  Linux
 g6950-21025.securedservers.com 2.6.18-274.12.1.el5 #1 SMP Tue Nov
 29 13:37:46 EST 2011 x86_64 x86_64 Alert Count   1 
 First SeenWed Jan 11 09:34:13 2012 Last Seen
 Wed Jan 11 09:34:13 2012 Local ID
 2adcd43d-7b8b-4e17-bb93-ad11a35f378a Line Numbers
 1
 
 Raw Audit Messages
 
 type=AVC msg=audit(1326303253.473:3626): avc:  denied  { read write
 } for  pid=6668 comm=index.cgi path=socket:[415055] dev=sockfs
  ino=415055 scontext=system_u:system_r:httpd_sys_script_t:s0 
 tcontext=system_u:system_r:httpd_t:s0 tclass=udp_socket
 
 ___ CentOS mailing
 list CentOS@centos.org 
 http://lists.centos.org/mailman/listinfo/centos
Looks like a leaked file descriptor, you can probably add a dontaudit
rule.

In Fedora we currently dontaudit this leak.

audit2allow -i /tmp/t


#= httpd_sys_script_t ==
# This avc has a dontaudit rule in the current policy

allow httpd_sys_script_t httpd_t:udp_socket { read write };

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8N2YMACgkQrlYvE4MpobPnYACg0avTPwuj0XSYKOJIKIIw5Q6J
N5EAoLptqsCytbXtWc7R0EvECbwQJm29
=luHO
-END PGP SIGNATURE-
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] SELinux blocking cgi script from writing to socket (httpd_t)

2012-01-11 Thread 夜神 岩男
On 01/12/2012 03:18 AM, Bennett Haselton wrote:
 Is this really supposed to get easier over time? :)  Now my audit.log
 file shows that SELinux is blocking my cgi script, index.cgi (which is
 what's actually served when the user visits the front page of one of our
 proxy sites like sugarsurfer.com) from having 'read write to socket
 (httpd_t)'.  I have no idea what that means, except that I thought that
 cgi scripts were supposed to be able to write to stdout so that the web
 server could send the data via a socket connection to the end user's
 browser, so I don't know why a CGI script would be blocked from writing
 to a socket with security context httpd_t.

Your cgi script isn't allowed to write to the socket file. The context 
httpd_t isn't touchable by your executable. Is your index.cgi script 
custom or something from a distro package?

In any case you can find a way to deliberately make this audit message 
show up (sounds like you have), try to vary it a few times to get a good 
base of audit information, and then use audit2allow to inspect the last 
several lines of your audit file.

 From this you can have audit2allow create and package a new policy that 
explicitely permits just this access and nothing else. See if you get 
any more AVC denials (9 out of 10 times this will be the end of it). If 
no more AVC notices and everything works well, turn SELinux back to 
enforcing and test a bit.

Usually for custom scripts (of any depth, really) this is all that's needed.

I have to do the same thing every time I decide to do something weird 
like run a new version of Django on top of Postgres 9.1 from source with 
all my other custom database-using apps asking for things from other 
servers, etc. Even with that much messaging going around its pretty easy 
to pin the situation down.

You will need policycoreutils-python installed and you'll want to read 
over the manpages for audit2allow and any other tool that you find 
interesting, but its pretty easy now that you've got sane output to go 
by, know where/what your audit file is, and what a security context is.

 The only clue that might narrow it down is the line Target
 Objectssocket [ udp_socket ].  The sockets that the cgi
 scripts usually send output to are of course tcp sockets, so why would
 it say udp?  The only time one of my cgi scripts might use udp would be
 if it were doing a hostname lookup via dns, but the index.cgi script
 doesn't do that at any point.

No idea why it would need to talk to a UDP socket if you're absolutely 
certain that it doesn't need to, but it could be something else related 
that needs to do a lookup (Apache set to resolve names for logs, for 
example?).

 What would the pros do at this point?

Aside from checking the policy that the audit tools come up with, it 
would be reasonable to run a test on the script in a clean environment 
(minimal install of the OS with just enough web server (Apache) setup to 
let the script execute) and see what is happening in the audit log (and 
anywhere else you're curious about -- database, other processes, file 
system acces, etc.).

If you're really paranoid (and a pro is paid to be, so...) it would be 
good to check the contents of the packets being passed in and out of the 
test environment to make sure you fully understand what is expected, 
then compare that against what you see coming from the production server.

In *any* case, putting together a quick SELinux policy that let's your 
app run and lets you turn SELinux back on is better in the interim than 
simply letting the system sit with a permissive policy while you do your 
homework.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] SELinux blocking cgi script from writing to socket (httpd_t)

2012-01-11 Thread 夜神 岩男
On 01/12/2012 03:48 AM, Daniel J Walsh wrote:

 In Fedora we currently dontaudit this leak.

 audit2allow -i /tmp/t


 #= httpd_sys_script_t ==
 # This avc has a dontaudit rule in the current policy

 allow httpd_sys_script_t httpd_t:udp_socket { read write };

Pow. Reasonable answer, and it isn't so hard to run that command -- its 
just difficult to understand why its necessary if you don't know 
anything about the environment, and mystifying if you know the command 
but nothing about what's going on.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] SELinux blocking cgi script from writing to socket (httpd_t)

2012-01-11 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 01/11/2012 02:50 PM, 夜神 岩男 wrote:
 On 01/12/2012 03:48 AM, Daniel J Walsh wrote:
 
 In Fedora we currently dontaudit this leak.
 
 audit2allow -i /tmp/t
 
 
 #= httpd_sys_script_t == # This avc
 has a dontaudit rule in the current policy
 
 allow httpd_sys_script_t httpd_t:udp_socket { read write };
 
 Pow. Reasonable answer, and it isn't so hard to run that command --
 its just difficult to understand why its necessary if you don't
 know anything about the environment, and mystifying if you know the
 command but nothing about what's going on. 
 ___ CentOS mailing
 list CentOS@centos.org 
 http://lists.centos.org/mailman/listinfo/centos

The following explaines leaked file descriptors.

http://danwalsh.livejournal.com/6117.html?thread=23525

In RHEL6 and Fedora you can run avc messages through audit2allow and
it will tell you whether or not there is policy effecting the AVC.

setroubleshoot can also be helpful in these circumstances.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8N6MQACgkQrlYvE4MpobOsJACeIf9ubCB7kBDQFTITJ7hYRXlc
QJIAoMPdXne6a+nVUBBBakeyd0bjkBfs
=8fnf
-END PGP SIGNATURE-
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos