SELinux problem with Bash script exec on PHP

Support for security such as Firewalls and securing linux
luckypt
Posts: 14
Joined: 2017/02/24 10:42:25

SELinux problem with Bash script exec on PHP

Post by luckypt » 2017/04/23 00:06:50

Hi all,

I have an Apache server running with PHP pages, and I want to run bash scripts with it.
Everything worked great till I wanted to have the SSL module; now SELinux gives me one error with one command in my script (sudo -u steam /home/steam/webstartark.sh).

In the log of my script I have this: "sudo: unable to change to sudoers gid: Operation not permitted"

In /var/log/messages I have this:
Apr 23 02:02:40 centos setroubleshoot: SELinux is preventing /usr/bin/ps from getattr access on the directory /proc/<pid>. For complete SELinux messages. run sealert -l 3f1d0867-3f65-437c-94c1-3c58a550fa3d
Apr 23 02:02:40 centos python: SELinux is preventing /usr/bin/ps from getattr access on the directory /proc/<pid>.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that ps should be allowed getattr access on the <pid> directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ps' --raw | audit2allow -M my-ps
# semodule -i my-ps.pp

(the same pair of messages is repeated ten more times between 02:02:40 and 02:02:42)
If I change to the apache user and run the scripts, I don't get any error.

When I set SELinux to permissive it works great with my web pages.

Can anyone help me?

Thanks

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: SELinux problem with Bash script exec on PHP

Post by aks » 2017/04/24 15:59:36

I guess your script is using ps to get attributes of another process, which SE is disallowing (with good reason!). As this is not a bug (you're doing something "outside" the application), you need to generate a local SE policy to allow this action. As stated in the messages, use ausearch -c 'ps' --raw | audit2allow -M my-ps, which will output the "allow" directives and create the module (named my-ps), and then install it with semodule -i my-ps.pp.
Also, there's an entry on the CentOS wiki about compiling and installing SE exceptions.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux problem with Bash script exec on PHP

Post by TrevorH » 2017/04/24 16:33:33

And be aware that by allowing selinux to allow those, you're effectively turning it off, as it looks to me like you're pretty much going to allow httpd to run anything it wants. That's exactly what it's trying to prevent: allowing httpd to run various script-kiddie-looking utilities to compromise your server.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: SELinux problem with Bash script exec on PHP

Post by aks » 2017/04/24 16:58:23

Ditto (what TrevorH said).
Essentially you are allowing the ps command to get attributes of (probably) any loaded process.

luckypt
Posts: 14
Joined: 2017/02/24 10:42:25

Re: SELinux problem with Bash script exec on PHP

Post by luckypt » 2017/04/25 17:37:48

Script:

#!/bin/bash

ps -ef | grep "minecraft_server" | grep -v gnome-terminal | grep -v grep > /dev/null

if [[ $? == 0 ]]; then
    echo "$(date "+%Y-%m-%d %k:%M:%S") -- Server already UP!!!" >> /webserver/log/mcup.txt
    echo "" >> /webserver/log/mcup.txt
    exit 1
fi

I just want to know if the minecraft server is running or not.

Is there another way to do that?

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria

Re: SELinux problem with Bash script exec on PHP

Post by hunter86_bg » 2017/04/26 18:35:14

The easiest way I can think of is to create a cron job like this (replace some_user_name and the destination index.html):

* * * * * some_user_name (pgrep minecraft && echo "Minecraft is UP" > /var/www/html/index.html) || echo "Minecraft is Down" > /var/www/html/index.html

You can then check the status through Apache by accessing "http://server/".

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux problem with Bash script exec on PHP

Post by TrevorH » 2017/04/26 19:17:11

Or just run the script from cron on a regular interval. It's because it's being run by httpd that selinux is throwing a hissy fit.

luckypt
Posts: 14
Joined: 2017/02/24 10:42:25

Re: SELinux problem with Bash script exec on PHP

Post by luckypt » 2017/04/26 20:38:42

TrevorH wrote:
Or just run the script from cron on a regular interval. It's because it's being run by httpd that selinux is throwing a hissy fit.

Thanks for all your answers, but I just don't get why SELinux does this...
I will explain what I have for now:

PHP page with 3 buttons:

Start MineCraft server (the server can only be executed by user "mcserver"):

#!/bin/bash

ps -ef | grep "minecraft_server" | grep -v gnome-terminal | grep -v grep > /dev/null

if [[ $? == 0 ]]; then
    echo "$(date "+%Y-%m-%d %k:%M:%S") -- Server already UP!!!" >> /gameserver/log/mcup.txt
    echo "" >> /gameserver/log/mcup.txt
    exit 1
fi

# This command is allowed in visudo; it works great without SELinux.
# The original line used "2&>>", which bash reads as an extra argument "2"
# to sudo followed by "&>>"; ">> file 2>&1" appends stdout and stderr as intended.
sudo -u mcserver /home/mcserver/webstartmc.sh >> /gameserver/log/mcup.txt 2>&1

sleep 5

echo "$(date "+%Y-%m-%d %k:%M:%S") -- Script UP OK" >> /gameserver/log/mcup.txt
echo "" >> /gameserver/log/mcup.txt

/gameserver/script/mcstatus.sh
-----------------------------------------------------------------------------------------------------------------------------

Stop MC Server:

#!/bin/bash

ps -ef | grep "minecraft_server" | grep -v SCREEN | grep -v grep > /dev/null

if [[ $? != 0 ]]; then
    echo "$(date "+%Y-%m-%d %k:%M:%S") -- Server is NOT running" >> /gameserver/log/mcdown.txt
    echo "" >> /gameserver/log/mcdown.txt
    exit 1
fi

# The original used "2&>", which passes a stray "2" argument and truncates the
# log; ">> file 2>&1" appends stdout and stderr to it instead.
sudo -u mcserver /home/mcserver/webstopmcmsg.sh >> /gameserver/log/mcdown.txt 2>&1

sleep 20

sudo -u mcserver /home/mcserver/webstopmccommand.sh >> /gameserver/log/mcdown.txt 2>&1

sleep 3

echo "$(date "+%Y-%m-%d %k:%M:%S") -- Script OFF OK" >> /gameserver/log/mcdown.txt
echo "" >> /gameserver/log/mcdown.txt

/gameserver/script/mcstatus.sh
-----------------------------------------------------------------------------------------------------------------------------
Status MC Server (mcstatus.sh). I really need this to run in all the scripts, because I take the log mcstatus.txt to set the button status green/red (status ON/OFF of the server):

#!/bin/bash

echo "$(date "+%Y-%m-%d %k:%M:%S") -- Script Status OK" >> /gameserver/log/mcstatussh.txt
echo "" >> /gameserver/log/mcstatussh.txt

# "ps -aux" mixes BSD and UNIX option styles; "ps aux" is the intended form.
ps aux | grep "minecraft_server" | grep -v gnome-terminal | grep -v grep > /dev/null

if [[ $? == 0 ]]; then
    echo "up" > /gameserver/log/mcstatus.txt
else
    echo "down" > /gameserver/log/mcstatus.txt
fi

-----------------------------------------------------------------------------------------------------------------------------

All of this works like a charm with setenforce 1 as the apache user, but it doesn't work from the website (where I get alerts for ps and setuid for the sudo command).

If I put setenforce 0, everything works from the website....

I don't want to disable SELinux. So can anyone help me with that?
Thanks a lot

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux problem with Bash script exec on PHP

Post by TrevorH » 2017/04/26 21:32:45

There are hackers in the world. They like to break into systems and exploit them by making otherwise innocent web scripts run things they were not meant to run. Then they do nasty things with those systems like launch DDoS attacks or use them to send spam or or or...

Your set of scripts looks to selinux *exactly* like a hacker trying to break into your system. It stops it. There is no way that you can disguise your script as anything else than that.

You're on CentOS 7. Write a systemd unit file to start your minecraft server and it will start it at boot time for you. Configure the unit file correctly and systemd will restart it for you if it crashes. Then you can stop/restart your server from an ssh session. If you want a status page from the web then write something that will show you but not by executing commands directly - have that run from cron and output to a text file or stick it in a database and then read that from your web based script.
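A status writer for the cron-based design that hunter86_bg and TrevorH describe, as an added example that is not part of the thread: cron runs it as the game user and the PHP page only reads the resulting file, so httpd never executes ps or sudo. The script name, the paths and the pgrep pattern are assumptions.

```shell
#!/bin/sh
# mcstatus-cron.sh (assumed name): cron-driven status writer. Run it as the
# game user, never from httpd, e.g. in /etc/cron.d (assumed path):
#   * * * * * mcserver /usr/local/bin/mcstatus-cron.sh /gameserver/log/mcstatus.txt
# The PHP page then only reads the status file, so no SELinux policy for
# httpd_t has to be loosened.
set -u

# server_state PATTERN -> prints "up" if a process whose full command line
# matches PATTERN exists, else "down". pgrep -f replaces the
# ps|grep|grep -v grep chain and never matches itself.
server_state() {
    if pgrep -f -- "$1" >/dev/null 2>&1; then
        echo up
    else
        echo down
    fi
}

# write_status FILE STATE -> writes "STATE <timestamp>" atomically: the text
# goes to a temp file in the same directory (so it inherits that directory's
# SELinux label, e.g. httpd_sys_content_t set with semanage fcontext) and is
# then renamed over FILE, so the web reader never sees a half-written file.
write_status() {
    local file state tmp
    file=$1; state=$2
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    # mktemp creates the file 0600; apache must be able to read it.
    printf '%s %s\n' "$state" "$(date '+%Y-%m-%d %H:%M:%S')" > "$tmp" &&
        chmod 0644 "$tmp" &&
        mv -f -- "$tmp" "$file"
}

# read_state FILE -> prints the first word ("up"/"down") of the status file,
# or "unknown" if it is missing or empty. This is all the PHP side needs
# (e.g. trim(file_get_contents(...)) instead of exec()).
read_state() {
    local state
    state=unknown
    if [ -r "$1" ]; then
        read -r state _ < "$1" || state=unknown
    fi
    echo "${state:-unknown}"
}

main() {
    write_status "$1" "$(server_state "${2:-minecraft_server}")"
}

# Run only when given a status file, so the functions can also be sourced.
if [ "$#" -ge 1 ]; then main "$@"; fi
```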
