Selinux not deny-ing httpd a file with wrong context type

Support for security such as Firewalls and securing linux
Post Reply
cozsmin
Posts: 2
Joined: 2020/02/05 15:44:40

Selinux not deny-ing httpd a file with wrong context type

Post by cozsmin » 2020/02/05 16:05:16

Hello everybody ,

OS centos 7.6.1810
Kernel 3.10.0-957.5.1.el7.x86_64
httpd packages :

Code: Select all

[root@centos7 audit]# rpm -qa | grep http
httpd-tools-2.4.6-90.el7.centos.x86_64
httpd-2.4.6-90.el7.centos.x86_64
[root@centos7 audit]# 
Selinux packages :

Code: Select all

[root@centos7 audit]# rpm -qa | grep selinux
libselinux-utils-2.5-14.1.el7.x86_64
selinux-policy-minimum-3.13.1-229.el7_6.9.noarch
libselinux-python-2.5-14.1.el7.x86_64
libselinux-2.5-14.1.el7.x86_64
selinux-policy-3.13.1-229.el7_6.9.noarch
selinux-policy-targeted-3.13.1-229.el7_6.9.noarch
container-selinux-2.74-1.el7.noarch
selinux-policy-mls-3.13.1-229.el7_6.9.noarch
[root@centos7 audit]# 
So i was just testing the example given at "https://access.redhat.com/documentation ... ted_policy" from "Procedure 3.2. An Example of Confined Process" .

What i did was to create "/var/www/html/test_file" , and changed its context type to "samba_share_t"

Code: Select all

[root@centos7 audit]# ls -alZ /var/www/html/test_file 
-rw-r--r--. root root unconfined_u:object_r:samba_share_t:s0 /var/www/html/test_file
[root@centos7 audit]# 
"httpd" processes are running in context "system_u:system_r:httpd_t:s0"
Selinux is enabled and Enforcing , now by the tutorial , any attempt at fetching the test file should end in deny access .
But that is not the case :

Code: Select all

[root@centos7 audit]# curl http://localhost/test_file
zzz
[root@centos7 audit]# 
What is even stranger is that "/var/log/audit/audit.log" is saying that the file is denied from acces :

Code: Select all

type=AVC msg=audit(1580918034.472:175): avc:  denied  { read } for  pid=3422 comm="httpd" name="test_file" dev="dm-0" ino=52498405 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file permissive=1
type=AVC msg=audit(1580918034.472:175): avc:  denied  { open } for  pid=3422 comm="httpd" path="/var/www/html/test_file" dev="dm-0" ino=52498405 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file permissive=1
Once again the Selinux is enabled :

Code: Select all

[root@centos7 audit]# getenforce 
Enforcing
[root@centos7 audit]# 
The sebooleans involved with http are :

Code: Select all

[root@centos7 audit]# getsebool -a | grep http
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
named_tcp_bind_http_port --> off
prosody_bind_http_port --> off
[root@centos7 audit]# 
What is wrong with my Selinux settings ?

I mean i just googled "selinux permissive=1" and that should mean i am running in "permissive" mode , NOT that is a lie , i have even tested on my ftp server , i have set "setsebool ftpd_full_access 0" and received error when trying to login to my ftp server .

Code: Select all

type=AVC msg=audit(1580918424.428:195): avc:  denied  { search } for  pid=15790 comm="vsftpd" name="pub" dev="dm-0" ino=1381223 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ftpd_exec_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1580918424.428:195): arch=c000003e syscall=80 success=no exit=-13 a0=55dfdff2a7f0 a1=0 a2=17 a3=7f9acc0702e0 items=0 ppid=15783 pid=15790 auid=4294967295 uid=0 gid=0 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
Does anyone know , this sounds like UFO or bug to me

User avatar
TrevorH
Forum Moderator
Posts: 28884
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Selinux not deny-ing httpd a file with wrong context type

Post by TrevorH » 2020/02/05 17:18:04

type=AVC msg=audit(1580918034.472:175): avc: denied { read } for pid=3422 comm="httpd" name="test_file" dev="dm-0" ino=52498405 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file permissive=1
That says your system is in permissive mode.

Did you look at getsebool -a | grep http to see if you have set something that makes httpd permissive?
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

cozsmin
Posts: 2
Joined: 2020/02/05 15:44:40

Re: Selinux not deny-ing httpd a file with wrong context type

Post by cozsmin » 2020/02/06 07:56:08

Hello TrevorH

The sebooleans involved with http are :

Code: Select all


[root@centos7 audit]# getsebool -a | grep http
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
named_tcp_bind_http_port --> off
prosody_bind_http_port --> off
[root@centos7 audit]# 

hunter86_bg
Posts: 2016
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: Selinux not deny-ing httpd a file with wrong context type

Post by hunter86_bg » 2020/02/07 06:30:18

What is the output of:

Code: Select all

 semanage permissive --list

Post Reply

Return to “CentOS 7 - Security Support”