Hi,

Whenever I upload a file via my web browser to my web server, I see the following lines in /var/log/messages

Nov 8 12:18:24 sn setroubleshoot: SELinux is preventing httpd from create access on the file temp_5be3f85348052_5be3f85347985.docx. For complete SELinux messages run: sealert -l 335e7781-6a68-4ca6-827f-073f93829f2d
Nov 8 12:18:24 sn python: SELinux is preventing httpd from create access on the file temp_5be3f85348052_5be3f85347985.docx.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that httpd should be allowed create access on the temp_5be3f85348052_5be3f85347985.docx file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp

(the "#012" sequences in the original syslog line are escaped newlines)
While the format is ugly, I ran sealert -l 335e7781-6a68-4ca6-827f-073f93829f2d and see
SELinux is preventing httpd from create access on the file temp_5be3f85348052_5be3f85347985.docx.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that httpd should be allowed create access on the temp_5be3f85348052_5be3f85347985.docx file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:user_home_t:s0
Target Objects                temp_5be3f85348052_5be3f85347985.docx [ file ]
Source                        httpd
Source Path                   httpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           httpd-2.4.6-80.el7.centos.1.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-192.el7_5.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     sn.somewhere.com
Platform                      Linux sn.somewhere.com 3.10.0-862.11.6.el7.x86_64 #1 SMP Tue Aug 14 21:49:04 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-11-08 12:16:06 +0330
Last Seen                     2018-11-08 12:18:19 +0330
Local ID                      335e7781-6a68-4ca6-827f-073f93829f2d

Raw Audit Messages
type=AVC msg=audit(1541666899.294:27636): avc: denied { create } for pid=25734 comm="httpd" name="temp_5be3f85348052_5be3f85347985.docx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1541666899.294:27636): arch=x86_64 syscall=open success=no exit=EACCES a0=7ffc8a052400 a1=241 a2=1b6 a3=2823ea08d07abe97 items=0 ppid=13555 pid=25734 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: httpd,httpd_t,user_home_t,file,create
I ran the two commands and everything seems normal:

# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-httpd.pp

# semodule -i my-httpd.pp
#
However, once again and after uploading the file, I see those messages in the log again and again.
How to fix that?
Regards, Mahmood
On 11/08/2018 10:02 AM, Mahmood Naderan wrote:
Hi,
Whenever I upload a file via my web browser to my web server, I see the following lines in /var/log/messages
...
Raw Audit Messages
type=AVC msg=audit(1541666899.294:27636): avc: denied { create } for pid=25734 comm="httpd" name="temp_5be3f85348052_5be3f85347985.docx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1541666899.294:27636): arch=x86_64 syscall=open success=no exit=EACCES a0=7ffc8a052400 a1=241 a2=1b6 a3=2823ea08d07abe97 items=0 ppid=13555 pid=25734 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
...
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-httpd.pp

# semodule -i my-httpd.pp
#

I don't think audit2allow produces a good solution for this problem.
what is the full path to the file apache fails to write?
- Thomas
It is
/var/www/html/ow_plugins/ow_userfiles/plugins/base/attachment/temp_5be3f85348052_5be3f85347985.docx
I also get this message while uploading a plugin file (zip file)
SELinux is preventing /usr/sbin/httpd from setattr access on the file /var/www/html/ow_pluginfiles/base/lang_3.php.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label.
/var/www/html/ow_pluginfiles/base/lang_3.php default label should be httpd_sys_content_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /var/www/html/ow_pluginfiles/base/lang_3.php

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that httpd should be allowed setattr access on the lang_3.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /var/www/html/ow_pluginfiles/base/lang_3.php [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           httpd-2.4.6-80.el7.centos.1.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-192.el7_5.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     sn.scu.ac.ir
Platform                      Linux sn.scu.ac.ir 3.10.0-862.11.6.el7.x86_64 #1 SMP Tue Aug 14 21:49:04 UTC 2018 x86_64 x86_64
Alert Count                   4
First Seen                    2018-11-08 12:47:44 +0330
Last Seen                     2018-11-08 12:47:45 +0330
Local ID                      3abcf430-043b-4d78-ba62-91c14416a2d5

Raw Audit Messages
type=AVC msg=audit(1541668665.173:28113): avc: denied { setattr } for pid=24134 comm="httpd" name="lang_3.php" dev="dm-0" ino=2316067 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1541668665.173:28113): arch=x86_64 syscall=chmod success=no exit=EACCES a0=7f1040ea3478 a1=1b6 a2=7f10599c8300 a3=7f105999a550 items=0 ppid=13555 pid=24134 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: httpd,httpd_t,user_home_t,file,setattr
Problem occurred after an unexpected shutdown of the server!
Regards, Mahmood
On Thursday, November 8, 2018, 12:53:42 PM GMT+3:30, Thomas Mueller thomas@chaschperli.ch wrote:
I don't think audit2allow produces a good solution for this problem.
what is the full path to the file apache fails to write?
- Thomas
On 11/08/2018 10:30 AM, Mahmood Naderan wrote:
It is
/var/www/html/ow_plugins/ow_userfiles/plugins/base/attachment/temp_5be3f85348052_5be3f85347985.docx
I suspect someone copied or moved files from $HOME to /var/www/html/*, because user_home_t is not a label for /var/www/html.

I would propose you to:

# remove your custom module
semodule -u my-httpd

# add a local fcontext to the directory that httpd needs read-write access
semanage fcontext \
  --add \
  --type httpd_sys_rw_content_t '/var/www/html/ow_plugins/ow_userfiles/plugins/base/attachment(/.*)?'

# reset all labels to default
restorecon -rv /var/www
- Thomas
Sorry Thomas, I made a mistake while pasting the path. The correct path is
[root@sn html]# find . -name ./ow_userfiles/plugins/base/attachments/temp_5be3f85348052_5be3f85347985.docx
[root@sn html]#
Do you still say that it is better to remove my-httpd?
The thing that I want to know is why SELinux prevents that creation. SELinux suggests some commands to fix that. While the suggestion has no effect, it says nothing about the root of the problem.

The list of attributes regarding httpd is

# semanage boolean -l | grep httpd
httpd_can_network_relay        (off , off)  Allow httpd to can network relay
httpd_can_connect_mythtv       (off , off)  Allow httpd to can connect mythtv
httpd_can_network_connect_db   (off , off)  Allow httpd to can network connect db
httpd_use_gpg                  (off , off)  Allow httpd to use gpg
httpd_dbus_sssd                (off , off)  Allow httpd to dbus sssd
httpd_enable_cgi               (on  , on)   Allow httpd to enable cgi
httpd_verify_dns               (off , off)  Allow httpd to verify dns
httpd_dontaudit_search_dirs    (off , off)  Allow httpd to dontaudit search dirs
httpd_use_cifs                 (off , off)  Allow httpd to use cifs
httpd_manage_ipa               (off , off)  Allow httpd to manage ipa
httpd_run_stickshift           (off , off)  Allow httpd to run stickshift
httpd_enable_homedirs          (off , off)  Allow httpd to enable homedirs
httpd_dbus_avahi               (off , off)  Allow httpd to dbus avahi
httpd_unified                  (on  , on)   Allow httpd to unified
httpd_mod_auth_pam             (off , off)  Allow httpd to mod auth pam
httpd_can_network_connect      (on  , on)   Allow httpd to can network connect
httpd_execmem                  (off , off)  Allow httpd to execmem
httpd_use_fusefs               (off , off)  Allow httpd to use fusefs
httpd_mod_auth_ntlm_winbind    (off , off)  Allow httpd to mod auth ntlm winbind
httpd_use_sasl                 (off , off)  Allow httpd to use sasl
httpd_tty_comm                 (off , off)  Allow httpd to tty comm
httpd_sys_script_anon_write    (off , off)  Allow httpd to sys script anon write
httpd_graceful_shutdown        (on  , on)   Allow httpd to graceful shutdown
httpd_can_connect_ftp          (on  , on)   Allow httpd to can connect ftp
httpd_run_ipa                  (off , off)  Allow httpd to run ipa
httpd_read_user_content        (on  , on)   Allow httpd to read user content
httpd_use_nfs                  (off , off)  Allow httpd to use nfs
httpd_can_connect_zabbix       (off , off)  Allow httpd to can connect zabbix
httpd_tmp_exec                 (off , off)  Allow httpd to tmp exec
httpd_run_preupgrade           (off , off)  Allow httpd to run preupgrade
httpd_can_sendmail             (on  , on)   Allow httpd to can sendmail
httpd_builtin_scripting        (on  , on)   Allow httpd to builtin scripting
httpd_can_connect_ldap         (off , off)  Allow httpd to can connect ldap
httpd_can_check_spam           (off , off)  Allow httpd to can check spam
httpd_can_network_memcache     (off , off)  Allow httpd to can network memcache
httpd_can_network_connect_cobbler (off , off)  Allow httpd to can network connect cobbler
httpd_anon_write               (off , off)  Allow httpd to anon write
httpd_serve_cobbler_files      (off , off)  Allow httpd to serve cobbler files
httpd_ssi_exec                 (off , off)  Allow httpd to ssi exec
httpd_use_openstack            (off , off)  Allow httpd to use openstack
httpd_enable_ftp_server        (off , off)  Allow httpd to enable ftp server
httpd_setrlimit                (off , off)  Allow httpd to setrlimit
Regards, Mahmood
On Thursday, November 8, 2018, 1:10:02 PM GMT+3:30, Thomas Mueller thomas@chaschperli.ch wrote:
I suspect someone copied or moved files from $HOME to /var/www/html/*, because user_home_t is not a label for /var/www/html.

I would propose you to:

# remove your custom module
semodule -u my-httpd

# add a local fcontext to the directory that httpd needs read-write access
semanage fcontext \
  --add \
  --type httpd_sys_rw_content_t '/var/www/html/ow_plugins/ow_userfiles/plugins/base/attachment(/.*)?'

# reset all labels to default
restorecon -rv /var/www
- Thomas
On 11/08/2018 10:51 AM, Mahmood Naderan wrote:
Sorry Thomas, I made a mistake while pasting the path. The correct path is
[root@sn html]# find . -name ./ow_userfiles/plugins/base/attachments/temp_5be3f85348052_5be3f85347985.docx
[root@sn html]#

I don't understand what you want to say.
./ow_userfiles/plugins/base/attachments/temp_5be3f85348052_5be3f85347985.docx
is a relative path. not an absolute path.
Do you still say that it is better to remove my-httpd?
Yes. But based on your absolute path to the directory where your httpd needs write access, the fcontext --add requires an adjusted regex.

The thing that I want to know is why SELinux prevents that creation. SELinux suggests some commands to fix that. While the suggestion has no effect, it says nothing about the root of the problem.

Because SELinux is about preventing things that are not allowed. httpd is normally exposed to the network and is a good target for hackers, so the default policy gives httpd the least privileges that are possible.

audit2allow only works for easy problems. Your problem is that someone moved files from $HOME to /var/www. Move also moves SELinux filesystem labels. Now you've got files with wrong labels in /var/www. This is no easy problem for a computer tool to solve.

The list of attributes regarding httpd is
# semanage boolean -l | grep httpd

Booleans are not filesystem labels/types. What did you want to show with the list?
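The two denials in this thread have the same shape: the source type is httpd_t, the target type is user_home_t, and the target lives under /var/www. That combination is a labelling problem, not a missing policy rule, so the restorecon/semanage fix Thomas proposed is the right one and audit2allow is the wrong tool (the rule it would emit, "allow httpd_t user_home_t:file create;", lets httpd create files with that label anywhere on the system, not just in the upload directory). The script below is an added example, not code from the thread or from the SELinux project: a small POSIX sh triage that parses raw AVC lines, tells a mislabelled target apart from a genuine read-only type and from anything else, and prints the commands to run. The two AVC lines from the thread are embedded; the third AVC line, the list of "never under a web root" types, the per-verdict fix text, and the /var/www/html/cache path are my assumptions and are marked as such. It only prints commands and never runs semanage or restorecon itself.

```shell
#!/bin/sh
# Added example (not from the thread): triage raw AVC lines for httpd denials
# and say whether the fix is a relabel (restorecon / semanage fcontext) or
# something audit2allow might legitimately be asked about.

# The first two lines are the AVC records quoted in the thread.
AVC_CREATE='type=AVC msg=audit(1541666899.294:27636): avc:  denied  { create } for  pid=25734 comm="httpd" name="temp_5be3f85348052_5be3f85347985.docx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'
AVC_SETATTR='type=AVC msg=audit(1541668665.173:28113): avc:  denied  { setattr } for  pid=24134 comm="httpd" name="lang_3.php" dev="dm-0" ino=2316067 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
# Constructed (not from the thread): a write denied on correctly labelled read-only content.
AVC_RO='type=AVC msg=audit(1541670000.000:29000): avc:  denied  { write } for  pid=24200 comm="httpd" name="cache.dat" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_field KEY LINE -> value of KEY=... with quotes stripped, empty if absent
avc_field() {
    printf '%s\n' "$2" | awk -v k="$1" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n && substr($i, 1, n - 1) == k) { v = substr($i, n + 1); gsub(/"/, "", v); print v; exit }
        }
    }'
}

# avc_perm LINE -> first permission named inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^ }]*\).*/\1/p'
}

# ctx_type CONTEXT -> the type field of user:role:TYPE:level
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# is_write_perm PERM -> true for permissions that need httpd_sys_rw_content_t
is_write_perm() {
    case $1 in
        write|append|create|setattr|unlink|rename|link|add_name|remove_name|rmdir) return 0 ;;
        *) return 1 ;;
    esac
}

# classify_avc LINE -> mislabeled | needs-rw-type | policy-gap | not-httpd
classify_avc() {
    [ "$(ctx_type "$(avc_field scontext "$1")")" = httpd_t ] || { echo not-httpd; return; }
    ttype=$(ctx_type "$(avc_field tcontext "$1")")
    case $ttype in
        # Assumed list: types that never belong under a web root. A file carrying
        # one of them under /var/www kept its old label when it was mv'd there.
        user_home_t|admin_home_t|home_root_t|unlabeled_t|default_t) echo mislabeled ;;
        httpd_sys_content_t)
            # Correct read-only label; a write-class denial means the directory
            # needs the rw type, a read-class denial is something else entirely.
            if is_write_perm "$(avc_perm "$1")"; then echo needs-rw-type; else echo policy-gap; fi ;;
        *) echo policy-gap ;;
    esac
}

# suggest_fix VERDICT PERM DIR -> commands to run, printed only (assumed wording)
suggest_fix() {
    case $1 in
        mislabeled)
            # restorecon alone yields httpd_sys_content_t (read-only), so a
            # directory httpd must write into needs a local fcontext first.
            if is_write_perm "$2"; then
                printf "  semanage fcontext -a -t httpd_sys_rw_content_t '%s(/.*)?'\n" "$3"
            fi
            printf '  restorecon -Rv %s\n' "$3" ;;
        needs-rw-type)
            printf "  semanage fcontext -a -t httpd_sys_rw_content_t '%s(/.*)?'\n  restorecon -Rv %s\n" "$3" "$3" ;;
        policy-gap)
            printf '  # read the AVC first; only then consider: ausearch -c httpd --raw | audit2allow -M my-httpd\n' ;;
        *)  printf '  # not an httpd_t denial\n' ;;
    esac
}

# triage LINE DIR -> one verdict line followed by the suggested commands
triage() {
    v=$(classify_avc "$1"); p=$(avc_perm "$1")
    printf '%s denied %s on %s/%s: %s\n' "$(avc_field comm "$1")" "$p" "$2" "$(avc_field name "$1")" "$v"
    suggest_fix "$v" "$p" "$2"
}

# Directories from the thread for the first two; the third is constructed.
triage "$AVC_CREATE"  /var/www/html/ow_userfiles/plugins/base/attachments
triage "$AVC_SETATTR" /var/www/html/ow_pluginfiles/base
triage "$AVC_RO"      /var/www/html/cache
```

On a real host the input would come from `ausearch -m AVC -c httpd --raw` instead of the embedded strings. One caveat the second denial illustrates: lang_3.php is PHP code, and giving its directory httpd_sys_rw_content_t so that plugin installs can chmod and rewrite it means a compromised application can also rewrite its own code there. Keep the rw label on the narrowest directory the application actually needs, and keep executable content read-only wherever the application allows it.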
# remove your custom module
semodule -u my-httpd

[root@sn html]# semodule -u my-httpd
The --upgrade option is deprecated. Use --install instead.
libsemanage.map_file: Unable to open my-httpd  (No such file or directory).
libsemanage.semanage_direct_install_file: Unable to read file my-httpd (No such file or directory).
semodule:  Failed on my-httpd!
Regards, Mahmood
On 11/08/2018 12:41 PM, Mahmood Naderan wrote:
# remove your custom module
semodule -u my-httpd

[root@sn html]# semodule -u my-httpd
The --upgrade option is deprecated. Use --install instead.
libsemanage.map_file: Unable to open my-httpd  (No such file or directory).
libsemanage.semanage_direct_install_file: Unable to read file my-httpd (No such file or directory).
semodule:  Failed on my-httpd!

Sorry, my fault. Not -u, it's -r (--remove).

# semodule --help
usage:  semodule [option]... MODE...
Manage SELinux policy modules.
MODES:
  -R, --reload              reload policy
  -B, --build               build and reload policy
  -D,--disable_dontaudit    Remove dontaudits from policy
  -i,--install=MODULE_PKG   install a new module
* -r,--remove=MODULE_NAME   remove existing module at desired priority*
  -l[KIND],--list-modules[=KIND]    display list of installed modules
     KIND:  standard  list highest priority, enabled modules
            full      list all modules
  -X,--priority=PRIORITY    set priority for following operations (1-999)
  -e,--enable=MODULE_NAME   enable module
  -d,--disable=MODULE_NAME  disable module
  -E,--extract=MODULE_NAME  extract module
Options:
  -s,--store                name of the store to operate on
  -N,-n,--noreload          do not reload policy after commit
  -h,--help                 print this message and quit
  -v,--verbose              be verbose
  -P,--preserve_tunables    Preserve tunables in policy
  -C,--ignore-module-cache  Rebuild CIL modules compiled from HLL files
  -p,--path                 use an alternate path for the policy root
  -S,--store-path           use an alternate path for the policy store root
  -c, --cil                 extract module as cil. This only affects module extraction.
  -H, --hll                 extract module as hll. This only affects module extraction.
Regards, Mahmood
selinux mailing list -- selinux@lists.fedoraproject.org
To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.or...