[SOLVED] SELinux - Preventing script from fetching images via http

Support for security such as Firewalls and securing linux
Post Reply
cheddargeorge
Posts: 10
Joined: 2019/05/18 01:23:19

[SOLVED] SELinux - Preventing script from fetching images via http

Post by cheddargeorge » 2019/10/01 19:42:02

Hi,

I've just recently had to move a ton of scripts from an old server to an Azure cloud VM. I was pleased that I managed to get pretty much everything working and set up with SELinux without too many difficulties, but I've discovered one problematic Perl script.

The script is used in various websites to fetch images using LWP from a remote site and then display them on the web page. All very simple stuff. However, it now has problems fetching anything when used via http. However, if I use the script from the server command line, as a regular user, then it fetches with no problems.

So, I've spent a day or two banging my head on the wall, but then eventually decided to see if it could be SELinux-related by temporarily setting SELinux to permissive mode. This transpired to work, and the script then worked exactly as it should do. FYI. I've now turned off permissive mode.

I thought I had the right permissions and contexts and everything on the file/directory, as everything else in the same dir works just fine. Obviously I'm missing some finer point about how SELinux works. The output below displays the dir and file permissions, etc.

Code: Select all

drwx---r-x. apache apache unconfined_u:object_r:httpd_sys_script_exec_t:s0 cgi2
-rwx---r-x. apache apache unconfined_u:object_r:httpd_sys_script_exec_t:s0 test.cgi
If anyone is able to point me in the right direction then it would be much appreciated. Many thanks in advance.
Last edited by cheddargeorge on 2019/10/01 21:14:36, edited 2 times in total.

User avatar
KernelOops
Posts: 96
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: SELinux - Preventing script from fetching images via http

Post by KernelOops » 2019/10/01 20:13:08

A few ideas come to mind:

- SELinux prevents the apache user from loading remote content

- SELinux prevents the script execution entirely (eg php interpreter)

- SELinux prevents the script from saving the loaded image into a temporary directory

- SELinux prevents the script from sharing the loaded image from the temporary directory

you need to read the AVC errors in /var/log/audit/audit.log and see which specific context(s) causes trouble, by using the audit2why and audit2allow commands.
--
I love my computer - all my friends live there.
--

cheddargeorge
Posts: 10
Joined: 2019/05/18 01:23:19

Re: SELinux - Preventing script from fetching images via http

Post by cheddargeorge » 2019/10/01 20:21:55

Hmm. Alright, thx, I'll see if I can view the relevant audit log stuff and report back.

Just for info' though, regarding your possibles list:

a) the script is not prevented from working in its entirety, since it will happily print a message to say that no image was retrieved.

b) the images are printed directly, and not stored anywhere (except memory); i.e. it retrieves image data into a variable and then prints it with a jpeg content header.

cheddargeorge
Posts: 10
Joined: 2019/05/18 01:23:19

Re: SELinux - Preventing script from fetching images via http

Post by cheddargeorge » 2019/10/01 20:40:38

Okay, now working - thank you very much. I didn't know about audit2why or audit2allow.

I didn't actually have those on the system, so:

Code: Select all

# yum install policycoreutils-python
And after ...

Code: Select all

# /usr/bin/audit2why < /var/log/audit/audit.log
... it very kindly told me that I could resolve the issue with:

Code: Select all

# setsebool -P httpd_can_network_connect 1
... which I did, and it's now working as expected.

Thanks a lot; appreciated.

Post Reply

Return to “CentOS 7 - Security Support”