SELinux Issues with Apache

Support for security such as Firewalls and securing linux
cheddargeorge
Posts: 7
Joined: 2019/05/18 01:23:19

SELinux Issues with Apache

Post by cheddargeorge » 2019/05/18 01:38:09

Hi,

I'm just setting up an Apache 2.4 web server on CentOS 7.5, but I'm having SELinux issues. Basically I'm getting "Permission denied" errors when I try to execute a simple cgi test script (which is in a /cgi-bin/ directory under /var/www/site/...). After having tried multiple things I narrowed it down to SELinux by temporarily disabling it (i.e. # setenforce 0), and finding that the script then works just fine. Of course, I'd much prefer to have SELinux fully enabled and still have the scripts working.

So, here are a few things I tried:

Code: Select all

# restorecon -R public_html
(in the relevant locations)

Code: Select all

# semanage boolean -m --on httpd_enable_cgi
Permissions, etc, now look like this:

Code: Select all

# ls -lZ
-rwxrwxr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 test.cgi
My error log entry(ies) look like this:

Code: Select all

[May 17 ...] [cgid:error] [pid 100599] (13)Permission denied: AH01241: exec of '/var/www/sites/site1/cgi-bin/test.cgi' failed
And, like I said above, with # sudo setenforce 0 everything (or at least everything I've tested) works fine, but I'd prefer not to do this if possible.

Also, I know I could do something like "# semanage permissive -a httpd_t", but that's also not my ideal solution.

If someone could point me in the right direction (or, more specifically, tell me exactly how to fix it) I'd be most appreciative. Many thanks!

aks
Posts: 2807
Joined: 2014/09/20 11:22:14

Re: SELinux Issues with Apache

Post by aks » 2019/05/18 05:12:13

Why not just use audit2allow or audit2why to pick up the bits you are missing?
You could for example be missing some like "allow http to network connect" - if the CGI does that.
See https://wiki.centos.org/HowTos/SELinux

cheddargeorge
Posts: 7
Joined: 2019/05/18 01:23:19

Re: SELinux Issues with Apache

Post by cheddargeorge » 2019/05/18 11:28:47

The cgi script literally just prints "Hello" to the browser; that's it. As I noted, it's just a test script, so nothing complicated.

Never seen or heard of audit2allow or audit2why; I'll take a look at that page, but was hoping there is some common and easily resolvable issue that didn't involve wading through a ton more material just to get nowhere.

User avatar
TrevorH
Forum Moderator
Posts: 26311
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux Issues with Apache

Post by TrevorH » 2019/05/18 11:43:10

From the output of semanage fcontext -l | grep -i cgi I'd say the context there is wrong. I see these two rules and it doesn't look like they are matching your directory and its contentsL

Code: Select all

/var/www/[^/]*/cgi-bin(/.*)?                       all files          system_u:object_r:httpd_sys_script_exec_t:s0 
/var/www/html/[^/]*/cgi-bin(/.*)?                  all files          system_u:object_r:httpd_sys_script_exec_t:s0 
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

cheddargeorge
Posts: 7
Joined: 2019/05/18 01:23:19

Re: SELinux Issues with Apache

Post by cheddargeorge » 2019/05/18 11:58:02

Okay, that's interesting, and actually makes some sense to me. Thanks.

So, I would try something like this? (I ask because I'm not too familiar with very much in the way of SELinux):

Code: Select all

# semanage fcontext -a -t httpd_sys_script_exec_t "/var/www(/.*)?"

# restorecon -R -v /var/www/ 
Hmm, I see that httpd runs with this context:

Code: Select all

ps -eZ | grep httpd
system_u:system_r:httpd_t:s0    100589 ?        00:00:02 httpd
.... so does that mean that the "unconfined_u" user bit of the context on my cgi-bin/* files also need to be system_u? Not sure how to change that.
Last edited by cheddargeorge on 2019/05/18 12:06:12, edited 1 time in total.

User avatar
TrevorH
Forum Moderator
Posts: 26311
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux Issues with Apache

Post by TrevorH » 2019/05/18 12:04:37

That rule looks wrong as it will assign that context to everything under /var/www. I'd concentrate on looking at those two existing rules and working out why neither of them match your target directory - for example is yours 'cgibin' and not 'cgi-bin' or something easy like that?
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

cheddargeorge
Posts: 7
Joined: 2019/05/18 01:23:19

Re: SELinux Issues with Apache

Post by cheddargeorge » 2019/05/18 12:13:54

Alright, I assume you mean use something like this instead:

Code: Select all

# semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/sites/site1/cgi-bin(/.*)?"

# restorecon -R -v /var/www/sites/site1/cgi-bin/ 
I know you're trying to be helpful, but this SELinux stuff is completely out of my realm of experience, so I'm slightly baffled with most of it. Thanks for your patience.

Per my previous comment, which I edited to add the second portion, I see that httpd runs with this context:

Code: Select all

ps -eZ | grep httpd
system_u:system_r:httpd_t:s0    100589 ?        00:00:02 httpd
.... so does that mean that the "unconfined_u" user bit of the context on my cgi-bin/* files also need to be system_u? Not sure how to change that.

User avatar
TrevorH
Forum Moderator
Posts: 26311
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux Issues with Apache

Post by TrevorH » 2019/05/18 16:49:58

So your current path is not matching the existing rules. You can use the matchpathcon command to see what each directory/path would inherit:

Code: Select all

[root@centos7 ~]# matchpathcon /var/www/sites/site1/cgi-bin/
/var/www/sites/site1/cgi-bin	system_u:object_r:httpd_sys_content_t:s0
[root@centos7 ~]# matchpathcon /var/www/sites/cgi-bin/
/var/www/sites/cgi-bin	system_u:object_r:httpd_sys_script_exec_t:s0
See, the existing rule, probably this one

Code: Select all

/var/www/html/[^/]*/cgi-bin(/.*)?                  all files          system_u:object_r:httpd_sys_script_exec_t:s0"
matches and assigns the correct context when you remove one level of directory from it. So if you want to keep the current directory path then you need a new rule to match the extra directory level or you could adjust your path so that it matches the rule. Pick one!

So, to add a new rule, it would be easiest to use what's called an equivalence rule which tells it that it should treat your path as though it was the one that does match. After *much* experimentation, I eventually got to adding one like this

Code: Select all

semanage fcontext -a -e '/var/www' '/var/www/sites'
That tells it that whenever it comes across files under /var/www/sites it should treat them like they were under /var/www itself. With that in place, I can do

Code: Select all

[root@centos7 ~]# matchpathcon  /var/www/sites/site2/cgi-bin/test.pl
/var/www/sites/site2/cgi-bin/test.pl	system_u:object_r:httpd_sys_script_exec_t:s0
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

cheddargeorge
Posts: 7
Joined: 2019/05/18 01:23:19

Re: SELinux Issues with Apache

Post by cheddargeorge » 2019/05/18 17:39:15

Okay, but I'm still somewhat confused.

I ran matchpathcon, per below:

Code: Select all

# matchpathcon /var/www/sites/site1/cgi-bin/
/var/www/sites/site1/cgi-bin system_u:object_r:httpd_sys_content_t:s0

# matchpathcon /var/www/sites/
/var/www/sites  system_u:object_r:httpd_sys_content_t:s0

# matchpathcon /var/www/
/var/www        system_u:object_r:httpd_sys_content_t:s0
Are you saying don't do what I asked in the previous post? i.e.

Code: Select all

# semanage fcontext -a -t httpd_sys_script_exec_t "/var/www/sites/site1/cgi-bin(/.*)?"
# restorecon -R -v /var/www/sites/site1/cgi-bin/ 
I mean, if I ran "semanage fcontext -a -e '/var/www' '/var/www/sites'" right now, without doing anything else, then it's not going to make any difference is it?, given that every level above /cgi-bin/ has the same [apparently wrong] context.

So, I understand (sort of) that I need to get something with "system_u:object_r:httpd_sys_script_exec_t:s0"" in the context, but I'm confused as to what I'm meant to be doing or how to achieve it. Thanks again for your time.

User avatar
TrevorH
Forum Moderator
Posts: 26311
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux Issues with Apache

Post by TrevorH » 2019/05/18 18:18:44

if I ran "semanage fcontext -a -e '/var/www' '/var/www/sites'" right now, without doing anything else, then it's not going to make any difference is it?,
It would if you ran restorecon -RFv against it afterwards. Basically that rule that I quoted above says "treat any access to /var/www/sites as though it was access to /var/www'. So you try to access /var/www/sites/site1/cgi-bin/myscript.pl' then selinux will now treat that as though you tried to access /var/www/site1/cgi-bin/myscript.pl and will match the existing rules set up for /var/www.
CentOS 5 died in March 2017 - migrate NOW!
CentOS 6 goes EOL sooner rather than later, get upgrading!
Full time Geek, part time moderator. Use the FAQ Luke

Post Reply