HTTP Failing to Access User's File Through exec()

Postby mleitch » Wed Dec 30, 2015 7:56 pm

I have a PHP web application calling an executable 'getSchedule' which reads a file in /home/user_Schedule/Data/Jan/d0.txt. It is failing to read the file because of SELinux.

If I run 'setenforce 0' it can read the file. With 'setenforce 1' it can't.

I am running the web application logged in as 'mike'.

What do I need to do to get this to work with SELinux?

My OS:
CentOS 6.4
Kernel: 2.6.32-358.el6.x86_64

I have tried changing the types of the directories and the d0.txt file using
chcon -t httpd_sys_content_t ...
and this didn't work.

I have tried setting this boolean, and it didn't work.

setsebool -P httpd_enable_homedirs=1

The error message from /var/log/messages is shown below, with the commands I used inserted.

/var/log/messages
============================================================================

[root@SER_0 ~]# setenforce 0

Dec 30 11:02:33 SER_0 dbus: avc: received setenforce notice (enforcing=0)
Dec 30 11:02:33 SER_0 kernel: type=1404 audit(1451502153.115:127082): enforcing=0 old_enforcing=1 auid=500 ses=2
Dec 30 11:02:33 SER_0 dbus: avc: received setenforce notice (enforcing=0)
Dec 30 11:02:33 SER_0 dbus: avc: received setenforce notice (enforcing=0)
Dec 30 11:02:33 SER_0 dbus: avc: received setenforce notice (enforcing=0)




Dec 30 11:02:37 SER_0 kernel: type=1400 audit(1451502157.489:127083): avc: denied { search } for pid=30774 comm="getSchedule" name="user_Schedule" dev=sda1 ino=25862298 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Dec 30 11:02:37 SER_0 kernel: type=1400 audit(1451502157.489:127084): avc: denied { search } for pid=30774 comm="getSchedule" name="install" dev=sda1 ino=26411116 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
Dec 30 11:02:37 SER_0 kernel: type=1400 audit(1451502157.495:127085): avc: denied { setrlimit } for pid=30775 comm="sudo" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
Dec 30 11:02:37 SER_0 kernel: type=1400 audit(1451502157.495:127086): avc: denied { sys_resource } for pid=30775 comm="sudo" capability=24 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
Dec 30 11:02:37 SER_0 kernel: type=1400 audit(1451502157.503:127087): avc: denied { create } for pid=30775 comm="sudo" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
Dec 30 11:02:37 SER_0 kernel: type=1400 audit(1451502157.503:127088): avc: denied { nlmsg_relay } for pid=30775 comm="sudo" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
Dec 30 11:02:37 SER_0 kernel: type=1400 audit(1451502157.503:127089): avc: denied { audit_write } for pid=30775 comm="sudo" capability=29 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
Dec 30 11:02:37 SER_0 kernel: type=1400 audit(1451502157.511:127090): avc: denied { sys_resource } for pid=30777 comm="sudo" capability=24 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
Dec 30 11:02:37 SER_0 kernel: type=1400 audit(1451502157.545:127091): avc: denied { getattr } for pid=30782 comm="lsblk" path="/dev/sda1" dev=devtmpfs ino=6294 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file


->>> getSchedule works!!!!

[root@SER_0 ~]# setenforce 1

Dec 30 11:04:23 SER_0 kernel: __ratelimit: 14 callbacks suppressed
Dec 30 11:04:23 SER_0 kernel: type=1404 audit(1451502263.341:127099): enforcing=1 old_enforcing=0 auid=500 ses=2
Dec 30 11:04:23 SER_0 dbus: avc: received setenforce notice (enforcing=1)
Dec 30 11:04:23 SER_0 dbus: avc: received setenforce notice (enforcing=1)
Dec 30 11:04:23 SER_0 dbus: avc: received setenforce notice (enforcing=1)
Dec 30 11:04:23 SER_0 dbus: avc: received setenforce notice (enforcing=1)
Dec 30 11:04:23 SER_0 dbus: [system] Reloaded configuration


Dec 30 11:04:52 SER_0 kernel: type=1400 audit(1451502292.358:127100): avc: denied { search } for pid=30820 comm="getSchedule" name="user_Schedule" dev=sda1 ino=25862298 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Dec 30 11:04:52 SER_0 kernel: type=1400 audit(1451502292.358:127101): avc: denied { search } for pid=30820 comm="getSchedule" name="user_Schedule" dev=sda1 ino=25862298 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Dec 30 11:04:52 SER_0 kernel: type=1400 audit(1451502292.358:127102): avc: denied { search } for pid=30820 comm="getSchedule" name="user_Schedule" dev=sda1 ino=25862298 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Dec 30 11:04:52 SER_0 kernel: type=1400 audit(1451502292.358:127103): avc: denied { search } for pid=30820 comm="getSchedule" name="mike" dev=sda1 ino=25232137 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Dec 30 11:04:52 SER_0 kernel: type=1400 audit(1451502292.358:127104): avc: denied { search } for pid=30820 comm="getSchedule" name="mike" dev=sda1 ino=25232137 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir



->>> getSchedule fails


[root@SER_0 ~]# chcon -t httpd_sys_content_t /home/user_Schedule
[root@SER_0 ~]# chcon -t httpd_sys_content_t /home/user_Schedule/Data
[root@SER_0 ~]# chcon -t httpd_sys_content_t /home/user_Schedule/Data/Jan
[root@SER_0 ~]# chcon -t httpd_sys_content_t /home/user_Schedule/Data/Jan/d0.txt

Dec 30 11:06:57 SER_0 kernel: type=1400 audit(1451502417.784:127105): avc: denied { setrlimit } for pid=30849 comm="sudo" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
Dec 30 11:06:57 SER_0 kernel: type=1400 audit(1451502417.791:127106): avc: denied { create } for pid=30849 comm="sudo" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
Dec 30 11:06:57 SER_0 kernel: type=1400 audit(1451502417.792:127107): avc: denied { search } for pid=30848 comm="getSchedule" name="mike" dev=sda1 ino=25232137 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Dec 30 11:07:00 SER_0 kernel: type=1400 audit(1451502420.919:127108): avc: denied { search } for pid=30848 comm="getSchedule" name="mike" dev=sda1 ino=25232137 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Dec 30 11:07:00 SER_0 kernel: type=1400 audit(1451502420.919:127109): avc: denied { search } for pid=30848 comm="getSchedule" name="mike" dev=sda1 ino=25232137 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir


->>> getSchedule fails

[root@SER_0 ~]# chcon -t httpd_sys_content_t /home
Dec 30 11:09:12 SER_0 kernel: type=1400 audit(1451502552.852:127110): avc: denied { setrlimit } for pid=30895 comm="sudo" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
Dec 30 11:09:12 SER_0 kernel: type=1400 audit(1451502552.856:127111): avc: denied { create } for pid=30895 comm="sudo" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
Dec 30 11:09:12 SER_0 kernel: type=1400 audit(1451502552.856:127112): avc: denied { search } for pid=30894 comm="getSchedule" name="mike" dev=sda1 ino=25232137 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Dec 30 11:09:17 SER_0 kernel: type=1400 audit(1451502557.860:127113): avc: denied { search } for pid=30894 comm="getSchedule" name="mike" dev=sda1 ino=25232137 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
Dec 30 11:09:17 SER_0 kernel: type=1400 audit(1451502557.860:127114): avc: denied { search } for pid=30894 comm="getSchedule" name="mike" dev=sda1 ino=25232137 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir


->>> getSchedule fails

[root@SER_0 ~]# setsebool -P httpd_enable_homedirs=1


Dec 30 11:14:13 SER_0 kernel: type=1400 audit(1451502853.896:127118): avc: denied { setrlimit } for pid=31015 comm="sudo" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
Dec 30 11:14:13 SER_0 kernel: type=1400 audit(1451502853.899:127119): avc: denied { create } for pid=31015 comm="sudo" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=netlink_audit_socket



->>> getSchedule fails
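Grouping the AVC lines in the log above by source type, command, permission, target type and object class makes the triage clearer: the log actually contains two separate denial classes, getSchedule (running as httpd_t) being refused search on user_home_dir_t directories, and the sudo it spawns being refused process and capability operations in its own httpd_t domain. The parser below is an added example and not part of the original post; the sample lines are copied from the log above, and the grouping key is my own choice.

```python
import re
from collections import Counter

# Kernel AVC denial format as logged to /var/log/messages on CentOS 6:
#   ... avc: denied { perm [perm ...] } for pid=N comm="x" ... scontext=... tcontext=... tclass=...
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """Extract the type from a user:role:type[:level] SELinux context (policy rules key on the type)."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(line):
    """Parse one AVC denial line into its policy-relevant parts, or return None for non-denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # e.g. the dbus 'received setenforce notice' lines
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '?'),
        'target': fields.get('name') or fields.get('path') or fields.get('capability', ''),
        'stype': context_type(fields.get('scontext', '')),
        'ttype': context_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass', '?'),
    }

def summarize(lines):
    """Count denials by (source type, command, permission, target type, object class)."""
    counts = Counter()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        for perm in d['perms']:
            counts[(d['stype'], d['comm'], perm, d['ttype'], d['tclass'])] += 1
    return counts

# Sample input: one non-denial line and four denial lines copied from the post's log.
SAMPLE_LINES = [
    'Dec 30 11:02:33 SER_0 dbus: avc: received setenforce notice (enforcing=0)',
    'Dec 30 11:02:37 SER_0 kernel: type=1400 audit(1451502157.489:127083): avc: denied { search } for pid=30774 comm="getSchedule" name="user_Schedule" dev=sda1 ino=25862298 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir',
    'Dec 30 11:04:52 SER_0 kernel: type=1400 audit(1451502292.358:127103): avc: denied { search } for pid=30820 comm="getSchedule" name="mike" dev=sda1 ino=25232137 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir',
    'Dec 30 11:02:37 SER_0 kernel: type=1400 audit(1451502157.495:127085): avc: denied { setrlimit } for pid=30775 comm="sudo" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process',
    'Dec 30 11:02:37 SER_0 kernel: type=1400 audit(1451502157.495:127086): avc: denied { sys_resource } for pid=30775 comm="sudo" capability=24 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability',
]

if __name__ == '__main__':
    for (stype, comm, perm, ttype, tclass), n in sorted(summarize(SAMPLE_LINES).items()):
        print(f'{n:3d}  {stype} ({comm}) denied {perm} on {ttype}:{tclass}')
```

Run it against the full /var/log/messages (or audit.log) instead of SAMPLE_LINES to see every distinct denial class at once rather than the repeated individual lines.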