Hi all,
I have an el4 machine on which I am trying to get a shell script working from a PHP page with sudo. I can su to apache and execute the script using sudo, but when I try to execute the script from the PHP page I get the following AVCs:
type=AVC msg=audit(1141573880.162:1935): avc: denied { setrlimit } for pid=29788 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
type=SYSCALL msg=audit(1141573880.162:1935): arch=c000003e syscall=160 success=no exit=-13 a0=4 a1=7fbffff9a0 a2=0 a3=7fbffff701 items=0 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1141573880.164:1936): avc: denied { read } for pid=29788 comm="sudo" name="shadow" dev=dm-0 ino=51991 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1141573880.164:1936): arch=c000003e syscall=2 success=no exit=-13 a0=2a95e1302a a1=0 a2=1b6 a3=1 items=1 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=CWD msg=audit(1141573880.164:1936): cwd="/var/www/adddomain"
type=PATH msg=audit(1141573880.164:1936): name="/etc/shadow" flags=101 inode=51991 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141573880.165:1937): avc: denied { read } for pid=29788 comm="sudo" name="shadow" dev=dm-0 ino=51991 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1141573880.165:1937): arch=c000003e syscall=2 success=no exit=-13 a0=2a95e1302a a1=0 a2=1b6 a3=4 items=1 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=CWD msg=audit(1141573880.165:1937): cwd="/var/www/adddomain"
type=PATH msg=audit(1141573880.165:1937): name="/etc/shadow" flags=101 inode=51991 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141573880.165:1938): avc: denied { create } for pid=29788 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=netlink_route_socket
type=SYSCALL msg=audit(1141573880.165:1938): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=0 a3=7fbfffe901 items=0 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1141573880.166:1939): avc: denied { setgid } for pid=29788 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
type=SYSCALL msg=audit(1141573880.166:1939): arch=c000003e syscall=119 success=yes exit=0 a0=ffffffff a1=30 a2=ffffffff a3=7fbffff701 items=0 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1141573880.167:1940): avc: denied { setuid } for pid=29788 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
type=SYSCALL msg=audit(1141573880.167:1940): arch=c000003e syscall=117 success=yes exit=0 a0=30 a1=30 a2=0 a3=7fbffff701 items=0 pid=29788 auid=0 uid=48 gid=48 euid=48 suid=0 fsuid=48 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1141573880.167:1941): avc: denied { setgid } for pid=29788 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
type=SYSCALL msg=audit(1141573880.167:1941): arch=c000003e syscall=119 success=no exit=-1 a0=ffffffff a1=0 a2=ffffffff a3=7fbffff701 items=0 pid=29788 auid=0 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
If I am reading these correctly, it appears that SELinux is stopping sudo from executing the commands. Is there a way to get this to work without making the system insecure? The script is restricted to internal use, but there are publicly accessible websites hosted on the machine.
Regards,
Tom
selinux@lists.fedoraproject.org
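Editor's added example (not part of Tom's post or of any reply on the list): a small parser that turns the AVC records above into the same grouped view audit2allow would produce, and then flags the groups that should not simply be allowed. The sample input is constructed from the type=AVC lines in the post; the SYSCALL/CWD/PATH records are left out because only the AVC record carries the denied permission and the two contexts. The DANGEROUS_CAPS list and the flagging rule are this editor's judgment, not SELinux policy output, and the point they make is a plain consequence of type enforcement: an allow rule is granted to the domain httpd_sys_script_t, so every CGI or PHP-spawned script on the host, including the public sites, would gain read access to shadow_t and the setuid/setgid capabilities, not only the internal script.

```python
import re

# Constructed sample input: the type=AVC records from the post above, one per
# line. Only AVC records are parsed; other record types are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1141573880.162:1935): avc: denied { setrlimit } for pid=29788 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
type=AVC msg=audit(1141573880.164:1936): avc: denied { read } for pid=29788 comm="sudo" name="shadow" dev=dm-0 ino=51991 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1141573880.165:1937): avc: denied { read } for pid=29788 comm="sudo" name="shadow" dev=dm-0 ino=51991 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1141573880.165:1938): avc: denied { create } for pid=29788 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=netlink_route_socket
type=AVC msg=audit(1141573880.166:1939): avc: denied { setgid } for pid=29788 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
type=AVC msg=audit(1141573880.167:1940): avc: denied { setuid } for pid=29788 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
type=AVC msg=audit(1141573880.167:1941): avc: denied { setgid } for pid=29788 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Editor's assumption: capabilities whose grant to a web-script domain is
# root-equivalent for every script that runs in that domain.
DANGEROUS_CAPS = {"setuid", "setgid", "dac_override", "dac_read_search",
                  "sys_admin", "sys_module", "sys_ptrace", "chown", "fowner"}


def parse_avc(text):
    """Return one dict per AVC denial: perms, source/target type, class, comm."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH and non-audit lines carry no denial
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        scontext, tcontext = fields["scontext"], fields["tcontext"]
        records.append({
            "perms": m.group("perms").split(),
            "comm": fields.get("comm", ""),
            "name": fields.get("name"),
            "tclass": fields["tclass"],
            "stype": scontext.split(":")[2],  # user:role:type[:mls] -> type
            "ttype": tcontext.split(":")[2],
        })
    return records


def summarize(records):
    """Group denials by (source type, target type, class), merging permissions."""
    grouped = {}
    for r in records:
        key = (r["stype"], r["ttype"], r["tclass"])
        entry = grouped.setdefault(key, {"perms": set(), "count": 0})
        entry["perms"].update(r["perms"])
        entry["count"] += 1
    return {k: {"perms": sorted(v["perms"]), "count": v["count"]}
            for k, v in grouped.items()}


def render_allow_rules(summary):
    """Render each group as a policy allow rule, using 'self' like audit2allow."""
    rules = []
    for (stype, ttype, tclass), entry in sorted(summary.items()):
        target = "self" if ttype == stype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(entry['perms'])} }};")
    return rules


def flag_root_equivalent(summary):
    """Return (key, reason) for groups that would make the domain root-equivalent."""
    flagged = []
    for key, entry in summary.items():
        stype, ttype, tclass = key
        perms = set(entry["perms"])
        if tclass == "capability" and perms & DANGEROUS_CAPS:
            flagged.append((key, "capabilities " + ", ".join(sorted(perms & DANGEROUS_CAPS))))
        elif ttype == "shadow_t":
            flagged.append((key, "access to shadow_t (password hashes)"))
    return flagged


if __name__ == "__main__":
    summary = summarize(parse_avc(SAMPLE_AUDIT_LOG))
    for rule in render_allow_rules(summary):
        print(rule)
    for (stype, ttype, tclass), reason in flag_root_equivalent(summary):
        print(f"DO NOT ALLOW {stype} -> {ttype}:{tclass}: {reason}")
```

Run against the records from the post it prints four allow rules, of which two (shadow_t:file read and self:capability setgid/setuid) are flagged; those are exactly what sudo needs to authenticate and change identity, which is why sudo inside the web-script domain is the wrong shape for "without making the system insecure" rather than a missing rule.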