3:02 a.m.
Hi,
Whenever I upload a file via my web browser to my web sever, I see the following lines in
/var/log/messages
Nov 8 12:18:24 sn setroubleshoot: SELinux is preventing httpd from create access on the
file temp_5be3f85348052_5be3f85347985.docx. For complete SELinux messages run: sealert -l
335e7781-6a68-4ca6-827f-073f93829f2d
Nov 8 12:18:24 sn python: SELinux is preventing httpd from create access on the file
temp_5be3f85348052_5be3f85347985.docx.#012#012***** Plugin catchall (100. confidence)
suggests **************************#012#012If you believe that httpd should be allowed
create access on the temp_5be3f85348052_5be3f85347985.docx file by default.#012Then you
should report this as a bug.#012You can generate a local policy module to allow this
access.#012Do#012allow this access for now by executing:#012# ausearch -c 'httpd'
--raw | audit2allow -M my-httpd#012# semodule -i my-httpd.pp#012
While the format is ugly, I run sealert -l 335e7781-6a68-4ca6-827f-073f93829f2d and see
SELinux is preventing httpd from create access on the file
temp_5be3f85348052_5be3f85347985.docx.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that httpd should be allowed create access on the
temp_5be3f85348052_5be3f85347985.docx file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:user_home_t:s0
Target Objects temp_5be3f85348052_5be3f85347985.docx [ file ]
Source httpd
Source Path httpd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages httpd-2.4.6-80.el7.centos.1.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-192.el7_5.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name sn.somewhere.com
Platform Linux sn.somewhere.com 3.10.0-862.11.6.el7.x86_64 #1
SMP Tue Aug 14 21:49:04 UTC 2018 x86_64 x86_64
Alert Count 2
First Seen 2018-11-08 12:16:06 +0330
Last Seen 2018-11-08 12:18:19 +0330
Local ID 335e7781-6a68-4ca6-827f-073f93829f2d
Raw Audit Messages
type=AVC msg=audit(1541666899.294:27636): avc: denied { create } for pid=25734
comm="httpd" name="temp_5be3f85348052_5be3f85347985.docx"
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0
tclass=file
type=SYSCALL msg=audit(1541666899.294:27636): arch=x86_64 syscall=open success=no
exit=EACCES a0=7ffc8a052400 a1=241 a2=1b6 a3=2823ea08d07abe97 items=0 ppid=13555 pid=25734
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none)
ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0
key=(null)
Hash: httpd,httpd_t,user_home_t,file,create
I do run two commands and everything sounds normal:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-httpd.pp
# semodule -i my-httpd.pp
#
However, once again and after uploading the file, I see those messages in the log again
and again.
How to fix that?
Regards,
Mahmood
3:21 a.m.
On 11/08/2018 10:02 AM, Mahmood Naderan wrote:
Hi,
Whenever I upload a file via my web browser to my web sever, I see the
following lines in |/var/log/messages|
|...|
||
|Raw Audit Messages type=AVC msg=audit(1541666899.294:27636): avc:
denied { create } for pid=25734 comm="httpd"
name="temp_5be3f85348052_5be3f85347985.docx"
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:user_home_t:s0 tclass=file type=SYSCALL
msg=audit(1541666899.294:27636): arch=x86_64 syscall=open success=no
exit=EACCES a0=7ffc8a052400 a1=241 a2=1b6 a3=2823ea08d07abe97 items=0
ppid=13555 pid=25734 auid=4294967295 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd
exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) |
|...|
|# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
******************** IMPORTANT *********************** To make this
policy package active, execute: semodule -i my-httpd.pp # semodule -i
my-httpd.pp # |
I don't think autid2allow produces a good solution for this
problem.
what is the full path to the file apache fails to write?
- Thomas
3:30 a.m.
It is
/var/www/html/ow_plugins/ow_userfiles/plugins/base/attachment/temp_5be3f85348052_5be3f85347985.docx
I also get this message while uploading a plugin file (zip file)
SELinux is preventing /usr/sbin/httpd from setattr access on the file
/var/www/html/ow_pluginfiles/base/lang_3.php.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label.
/var/www/html/ow_pluginfiles/base/lang_3.php default label should be httpd_sys_content_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient
permissions to access a parent directory in which case try to change the following command
accordingly.
Do
# /sbin/restorecon -v /var/www/html/ow_pluginfiles/base/lang_3.php
***** Plugin catchall (1.49 confidence) suggests **************************
If you believe that httpd should be allowed setattr access on the lang_3.php file by
default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:user_home_t:s0
Target Objects /var/www/html/ow_pluginfiles/base/lang_3.php [
file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages httpd-2.4.6-80.el7.centos.1.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-192.el7_5.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name sn.scu.ac.ir
Platform Linux sn.scu.ac.ir 3.10.0-862.11.6.el7.x86_64 #1
SMP Tue Aug 14 21:49:04 UTC 2018 x86_64 x86_64
Alert Count 4
First Seen 2018-11-08 12:47:44 +0330
Last Seen 2018-11-08 12:47:45 +0330
Local ID 3abcf430-043b-4d78-ba62-91c14416a2d5
Raw Audit Messages
type=AVC msg=audit(1541668665.173:28113): avc: denied { setattr } for pid=24134
comm="httpd" name="lang_3.php" dev="dm-0" ino=2316067
scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0
tclass=file
type=SYSCALL msg=audit(1541668665.173:28113): arch=x86_64 syscall=chmod success=no
exit=EACCES a0=7f1040ea3478 a1=1b6 a2=7f10599c8300 a3=7f105999a550 items=0 ppid=13555
pid=24134 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0
key=(null)
Hash: httpd,httpd_t,user_home_t,file,setattr
Problem occurred after an unexpected shutdown of the server!
Regards,
Mahmood
On Thursday, November 8, 2018, 12:53:42 PM GMT+3:30, Thomas Mueller
<thomas(a)chaschperli.ch> wrote:
I don't think autid2allow produces a good solution for this problem.
what is the full path to the file apache fails to write?
- Thomas
3:38 a.m.
On 11/08/2018 10:30 AM, Mahmood Naderan wrote:
It is
/var/www/html/ow_plugins/ow_userfiles/plugins/base/attachment/temp_5be3f85348052_5be3f85347985.docx
I suspect someone copied moved files from $HOME to /var/www/html/*
because user_home_t is no label for /var/www/html
I would propose you to:
# remove your custom module
semodule -u my-httpd
# add a local fcontext to the directory that httpd needs read-write access
semanage fcontext \
--add \
--type httpd_sys_rw_content_t
'/var/www/html/ow_plugins/ow_userfiles/plugins/base/attachment(/.*)?'
# reset all labels to default
restorecon -rv /var/www
- Thomas
I also get this message while uploading a plugin file (zip file)
SELinux is preventing /usr/sbin/httpd from setattr access on the file
/var/www/html/ow_pluginfiles/base/lang_3.php.
***** Plugin restorecon (99.5 confidence) suggests
************************
If you want to fix the label.
/var/www/html/ow_pluginfiles/base/lang_3.php default label should be
httpd_sys_content_t.
Then you can run restorecon. The access attempt may have been stopped
due to insufficient permissions to access a parent directory in which
case try to change the following command accordingly.
Do
# /sbin/restorecon -v /var/www/html/ow_pluginfiles/base/lang_3.php
***** Plugin catchall (1.49 confidence) suggests
**************************
If you believe that httpd should be allowed setattr access on the
lang_3.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:user_home_t:s0
Target Objects /var/www/html/ow_pluginfiles/base/lang_3.php [
file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages httpd-2.4.6-80.el7.centos.1.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-192.el7_5.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name sn.scu.ac.ir
Platform Linux sn.scu.ac.ir
3.10.0-862.11.6.el7.x86_64 #1
SMP Tue Aug 14 21:49:04 UTC 2018 x86_64
x86_64
Alert Count 4
First Seen 2018-11-08 12:47:44 +0330
Last Seen 2018-11-08 12:47:45 +0330
Local ID 3abcf430-043b-4d78-ba62-91c14416a2d5
Raw Audit Messages
type=AVC msg=audit(1541668665.173:28113): avc: denied { setattr }
for pid=24134 comm="httpd" name="lang_3.php" dev="dm-0"
ino=2316067
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1541668665.173:28113): arch=x86_64
syscall=chmod success=no exit=EACCES a0=7f1040ea3478 a1=1b6
a2=7f10599c8300 a3=7f105999a550 items=0 ppid=13555 pid=24134
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd
subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: httpd,httpd_t,user_home_t,file,setattr
Problem occurred after an unexpected shutdown of the server!
Regards,
Mahmood
3:51 a.m.
Sorry Thomas, I made a mistake while pasting the path. The correct path is
[root@sn html]# find . -name
./ow_userfiles/plugins/base/attachments/temp_5be3f85348052_5be3f85347985.docx
[root@sn html]#
Do you still say that it is better to remove my-httpd?
Thing that I want to know is that, why selinux prevents that creation? Selinux suggests
some commands to fix that. While the suggestion has no effect, it doesn't say about
the root of the problem.
The list of attributes regarding httpd are
# semanage boolean -l | grep httpd
httpd_can_network_relay (off , off) Allow httpd to can network relay
httpd_can_connect_mythtv (off , off) Allow httpd to can connect mythtv
httpd_can_network_connect_db (off , off) Allow httpd to can network connect db
httpd_use_gpg (off , off) Allow httpd to use gpg
httpd_dbus_sssd (off , off) Allow httpd to dbus sssd
httpd_enable_cgi (on , on) Allow httpd to enable cgi
httpd_verify_dns (off , off) Allow httpd to verify dns
httpd_dontaudit_search_dirs (off , off) Allow httpd to dontaudit search dirs
httpd_use_cifs (off , off) Allow httpd to use cifs
httpd_manage_ipa (off , off) Allow httpd to manage ipa
httpd_run_stickshift (off , off) Allow httpd to run stickshift
httpd_enable_homedirs (off , off) Allow httpd to enable homedirs
httpd_dbus_avahi (off , off) Allow httpd to dbus avahi
httpd_unified (on , on) Allow httpd to unified
httpd_mod_auth_pam (off , off) Allow httpd to mod auth pam
httpd_can_network_connect (on , on) Allow httpd to can network connect
httpd_execmem (off , off) Allow httpd to execmem
httpd_use_fusefs (off , off) Allow httpd to use fusefs
httpd_mod_auth_ntlm_winbind (off , off) Allow httpd to mod auth ntlm winbind
httpd_use_sasl (off , off) Allow httpd to use sasl
httpd_tty_comm (off , off) Allow httpd to tty comm
httpd_sys_script_anon_write (off , off) Allow httpd to sys script anon write
httpd_graceful_shutdown (on , on) Allow httpd to graceful shutdown
httpd_can_connect_ftp (on , on) Allow httpd to can connect ftp
httpd_run_ipa (off , off) Allow httpd to run ipa
httpd_read_user_content (on , on) Allow httpd to read user content
httpd_use_nfs (off , off) Allow httpd to use nfs
httpd_can_connect_zabbix (off , off) Allow httpd to can connect zabbix
httpd_tmp_exec (off , off) Allow httpd to tmp exec
httpd_run_preupgrade (off , off) Allow httpd to run preupgrade
httpd_can_sendmail (on , on) Allow httpd to can sendmail
httpd_builtin_scripting (on , on) Allow httpd to builtin scripting
httpd_can_connect_ldap (off , off) Allow httpd to can connect ldap
httpd_can_check_spam (off , off) Allow httpd to can check spam
httpd_can_network_memcache (off , off) Allow httpd to can network memcache
httpd_can_network_connect_cobbler (off , off) Allow httpd to can network connect
cobbler
httpd_anon_write (off , off) Allow httpd to anon write
httpd_serve_cobbler_files (off , off) Allow httpd to serve cobbler files
httpd_ssi_exec (off , off) Allow httpd to ssi exec
httpd_use_openstack (off , off) Allow httpd to use openstack
httpd_enable_ftp_server (off , off) Allow httpd to enable ftp server
httpd_setrlimit (off , off) Allow httpd to setrlimit
Regards,
Mahmood
On Thursday, November 8, 2018, 1:10:02 PM GMT+3:30, Thomas Mueller
<thomas(a)chaschperli.ch> wrote:
I suspect someone copied moved files from $HOME to /var/www/html/* because user_home_t is
no label for /var/www/html
I would propose you to:
# remove your custom module
semodule -u my-httpd
# add a local fcontext to the directory that httpd needs read-write access
semanage fcontext \
--add \
--type httpd_sys_rw_content_t
'/var/www/html/ow_plugins/ow_userfiles/plugins/base/attachment(/.*)?'
# reset all labels to default
restorecon -rv /var/www
- Thomas
4:06 a.m.
On 11/08/2018 10:51 AM, Mahmood Naderan wrote:
Sorry Thomas, I made a mistake while pasting the path. The correct
path is
[root@sn html]# find . -name
./ow_userfiles/plugins/base/attachments/temp_5be3f85348052_5be3f85347985.docx
[root@sn html]#
Don't understand what you want to say.
./ow_userfiles/plugins/base/attachments/temp_5be3f85348052_5be3f85347985.docx
is a relative path. not an absolute path.
Do you still say that it is better to remove my-httpd?
yes. but based on your
absolute path to the directory where your httpd
needs write access selinux fcontext --add requires an adjusted regex.
Thing that I want to know is that, why selinux prevents that creation?
Selinux suggests some commands to fix that. While the suggestion has
no effect, it doesn't say about the root of the problem.
because selinux is
about preventing things that are not allowed. Httpd
is normally exposed to the network and a good target for hackers. So the
default policy gives the httpd the least privileges that are possible.
audit2allow only works for easy problems. Your problem is that someone
moved files form $HOME to /var/www . Move also moves SELinux filesystem
labels. Now you've got files with wrong labels in /var/www. This is no
easy problem to solve for a computer tool.
The list of attributes regarding httpd are
|# semanage boolean -l | grep httpd|
booleans are not filesystems labels/types. What do you wanted to show
with the list?
On Thursday, November 8, 2018, 1:10:02 PM GMT+3:30, Thomas Mueller
<thomas(a)chaschperli.ch> wrote:
I suspect someone copied moved files from $HOME to /var/www/html/*
because user_home_t is no label for /var/www/html
I would propose you to:
# remove your custom module
semodule -u my-httpd
# add a local fcontext to the directory that httpd needs read-write access
semanage fcontext \
--add \
--type httpd_sys_rw_content_t
'/var/www/html/ow_plugins/ow_userfiles/plugins/base/attachment(/.*)?'
# reset all labels to default
restorecon -rv /var/www
- Thomas
5:41 a.m.
# remove your custom module
semodule -u my-httpd
[root@sn html]# semodule -u my-httpd
The --upgrade option is deprecated. Use --install instead.
libsemanage.map_file: Unable to open my-httpd
(No such file or directory).
libsemanage.semanage_direct_install_file: Unable to read file my-httpd
(No such file or directory).
semodule: Failed on my-httpd!
Regards,
Mahmood
5:46 a.m.
On 11/08/2018 12:41 PM, Mahmood Naderan wrote:
># remove your custom module
>semodule -u my-httpd
[root@sn html]# semodule -u my-httpd
The --upgrade option is deprecated. Use --install instead.
libsemanage.map_file: Unable to open my-httpd
(No such file or directory).
libsemanage.semanage_direct_install_file: Unable to read file my-httpd
(No such file or directory).
semodule: Failed on my-httpd!
sorry, my fault. not -u, its -r (--remove)
# semodule --help
usage: semodule [option]... MODE...
Manage SELinux policy modules.
MODES:
-R, --reload reload policy
-B, --build build and reload policy
-D,--disable_dontaudit Remove dontaudits from policy
-i,--install=MODULE_PKG install a new module
* -r,--remove=MODULE_NAME remove existing module at desired priority*
-l[KIND],--list-modules[=KIND] display list of installed modules
KIND: standard list highest priority, enabled modules
full list all modules
-X,--priority=PRIORITY set priority for following operations (1-999)
-e,--enable=MODULE_NAME enable module
-d,--disable=MODULE_NAME disable module
-E,--extract=MODULE_NAME extract module
Options:
-s,--store name of the store to operate on
-N,-n,--noreload do not reload policy after commit
-h,--help print this message and quit
-v,--verbose be verbose
-P,--preserve_tunables Preserve tunables in policy
-C,--ignore-module-cache Rebuild CIL modules compiled from HLL files
-p,--path use an alternate path for the policy root
-S,--store-path use an alternate path for the policy store root
-c, --cil extract module as cil. This only affects module extraction.
-H, --hll extract module as hll. This only affects module extraction.
Regards,
Mahmood
_______________________________________________
selinux mailing list -- selinux(a)lists.fedoraproject.org
To unsubscribe send an email to selinux-leave(a)lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject...
2058
days inactive
2058
days old
selinux@lists.fedoraproject.org
7 comments
2 participants
participants (2)
-
Mahmood Naderan -
Thomas Mueller