Ask Your Question
0

How to configure Suexec under Selinux for PHP FCGI?

asked 2012-09-17 05:54:24 -0600

hakre gravatar image

updated 2012-09-17 06:43:29 -0600

On Fedora 17 I'm using the Apache HTTPD webserver to server some PHP files from within my home directory. Static html files are perfectly served, but the moment a .php file is accessed, a 500 internal server error is returned.

TLDR; How to tell Selinux that Suexec should be able to access /var/log/httpd/suexec.log?

[Mon Sep 17 12:07:48 2012] [error] [client 127.0.0.1] Premature end of script \ 
  headers: index.php, referer: http://example.com/file.html
suexec failure: could not open log file
fopen: Permission denied

As this error message shows, suexec is not able to open it's log file (/var/log/httpd/suexec.log).

Disabling Selinux (setenforce Permissive) does prevent this problem to appear, this just as a note to show that this is triggered by Selinux. I'd like to solve the problem at it's root so to have a proper Selinux configuration working with Suexec instead of disabling Selinux.

I tried to troubleshoot the issue:

# auditd [1]

[1] enable auditd for sealert in the setroubleshoot package

Which brought me the troubleshoot tool under gnome with it's plugin suggestions. I followed one of those to gain more information about the issue:

# auditctl -w /etc/shadow -p w [2]

[2] more verbose output

Then reproducing the error again. With the following command I obtain a lot more information than:

# ausearch -m avc -ts recent
time->Mon Sep 17 12:07:48 2012
type=PATH msg=audit(1347876468.484:54): item=0 name="/var/log/httpd/suexec.log"
type=CWD msg=audit(1347876468.484:54):  cwd="/var/www/php-fcgi-scripts/hakre"
type=SYSCALL msg=audit(1347876468.484:54): arch=c000003e syscall=2 success=no \ 
  exit=-13 a0=7f7e560c6276 a1=441 a2=1b6 a3=238 items=1 ppid=5083 pid=5255 \ 
  auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 \ 
  fsgid=48 tty=(none) ses=4294967295 comm="suexec" exe="/usr/sbin/suexec" \ 
  subj=system_u:system_r:httpd_suexec_t:s0 key=(null)
type=AVC msg=audit(1347876468.484:54): avc:  denied  { dac_override } for  \ 
  pid=5255 comm="suexec" capability=1  \ 
  scontext=system_u:system_r:httpd_suexec_t:s0 \ 
  tcontext=system_u:system_r:httpd_suexec_t:s0 tclass=capability

As this shows, dac_override is denied. I'm now wondering if I should allow it for that specific file (/var/log/httpd/suexec.log) and how:

 # ls -Z /var/log/httpd/suexec.log
 -rw-r--r--. root apache system_u:object_r:httpd_log_t:s0 /var/log/httpd/suexec.log

As this shows, the file does not have the same context (httpd_log_t is not httpd_suexec_t). Is this by intention? Or is it just because the logfile is placed into /var/log/httpd and it is save to switch the context in this specific case here?

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by ยป oldest newest most voted
6

answered 2012-10-04 13:35:16 -0600

Dan Walsh gravatar image

dacoverride means that the UID that httpdsuexec is not allowed access the file /var/log/httpd/suexec.log just using permissions. IE Not using the power of root.

In this case httpdsuexect is running as uid 48 gid 48 and probably trying to write to this file which is only writable by root.

One solution would be to add apache access to the /var/log/httpd/suexec.log, chmod g+w /var/log/httpd/suexec.log

Which would eliminate the need for write.

If suexec really needs this permission, then we should add it to SELinux policy.

You can add the access your self using audit2allow.

grep suexec /var/log/audit/audit.log | audit2allow -M mysuexec

semodule -i mysuexec.pp

edit flag offensive delete link more
add a comment
0

answered 2012-11-08 07:41:53 -0600

hakre gravatar image

updated 2012-11-08 07:44:57 -0600

I leave an answer here with some more level of detail, however it's more of a log I've done so far. Until now I'm not yet able to deal with the problem properly.

Just for my own clarity I verified the permissions of the logfile:

# ls -l /var/log/httpd/suexec.log
-rw-r--r--. 1 root apache 2175 Oct 19 11:48 /var/log/httpd/suexec.log

And the user/ group IDs:

# id -u apache; id -g apache
48
48

This just demonstrates the the reported uid and gid is the apache user/group and the file in question suexec.log does not have write permissions on the group level.

Adding the apache group write access as suggested by Dan Walsh looked straight forward to me:

# chmod g+w /var/log/httpd/suexec.log
# ls -l /var/log/httpd/suexec.log
-rw-rw-r--. 1 root apache 2175 Oct 19 11:48 /var/log/httpd/suexec.log

This alone does not resolve the problem. HTTPD still gives a 500 Status and the error looks similar, however the type has changed, it is now only type=SYSCALL:

# ausearch -m avc -ts recent
----
time->Thu Nov  8 13:59:22 2012
type=SYSCALL msg=audit(1352379562.929:21): arch=c000003e syscall=2 success=no \ 
  exit=-13 a0=7fe758ead276 a1=441 a2=1b6 a3=238 items=0 ppid=3566 pid=3576 \
  auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 \ 
  fsgid=48 tty=(none) ses=4294967295 comm="suexec" exe="/usr/sbin/suexec" \ 
  subj=system_u:system_r:httpd_suexec_t:s0 key=(null) \ 
  type=AVC msg=audit(1352379562.929:21): avc:  denied  { dac_override } for \
  pid=3576 comm="suexec" capability=1 \
  scontext=system_u:system_r:httpd_suexec_t:s0 \ 
  tcontext=system_u:system_r:httpd_suexec_t:s0 tclass=capability

Looking closer about the syscall I found syscall=2 and looking at this Linux System Call Table reveals that it is 2 :: sys_fork - I assume even my kernel version is much higher than 2.2

# uname -r
3.6.5-1.fc17.x86_64

this basic number has not changed. This is now where I leave somewhat save grounds. If I read the message right, this again is Dacoverride so not enough ACL permissions to fork (executable) /usr/sbin/suexec. 

# ls -l /usr/sbin/suexec
-r-x--x---. 1 root apache 18464 Apr 30  2012 /usr/sbin/suexec

This reveals that the for the apache group the needed executable bit is set. So I'm a little puzzled now and at the end of the flagpole as far as me is concerned. I then tried again turning on more information which revealed:

time->Thu Nov  8 14:35:48 2012
type=PATH msg=audit(1352381748.637:24): item=0 name="/var/log/httpd/suexec.log"
type=CWD msg=audit(1352381748.637:24):  cwd="/var/www/php-fcgi-scripts/hakre"
type=SYSCALL msg=audit(1352381748.637:24): arch=c000003e syscall=2 success=no \ 
  exit=-13 a0=7f2b07a12276 a1=441 a2=1b6 a3=238 items=1 ppid=3566 pid=3711 \ 
  auid=4294967295 uid=48 gid=48 ...
(more)
edit flag offensive delete link more
add a comment

Question Tools

subscribe to rss feed

Stats

Asked: 2012-09-17 05:54:24 -0600

Seen: 2,899 times

Last updated: Nov 08 '12

Related questions

can't set httpd_suexec_disable_trans

How can I copy Fedora instance to different machine with SELinux enforcing

How change SELinux context for postfix file on Fedora 20

qemu user session shared filesystem

Samba fedora 23 server

Scriptlet Output

need selinux and saned help

Samba 4 AD - selinux ntpd AVC denial sock_file on w32tm /resync

how to install playonlinux in fedora 19.

Firewall warning fedora 22

Ask Fedora is community maintained and Red Hat or Fedora Project is not responsible for content. Content on this site is licensed under a CC-BY-SA 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2