Redhat Apache fast-cgi selinux permissions

Tags: apache-2.2, fastcgi, redhat, selinux

My Apache installation is running PHP as FastCGI, the virtual
hosts point to /home//public_html,
and the FastCGI wrapper is /home//cgi-bin/php.fcgi

The public_html setup with SELinux was:

/usr/sbin/setsebool -P httpd_enable_homedirs 1  
chcon -R -t httpd_sys_content_t /home/someuser/public_html

The owner and group are the user, for example the user "someuser":

ls -all /home/someuser/cgi-bin/

drwxr-xr-x 2 someuser someuser 4096 Sep  7 13:14 .  
drwx--x--x 6 someuser someuser 4096 Sep  6 18:17 ..  
-rwxr-xr-x 1 someuser someuser  308 Sep  7 13:14 php.fcgi  

ls -all /home/someuser/public_html/ | grep info.php
-rw-r--r--  1 someuser someuser     24 Sep  3 16:24 info.php

When I visit the site I get "Forbidden …" and the log says:

[Fri Sep 07 12:02:51 2012] [error] [client x.x.x.x] (13)Permission denied: access to /cgi-bin/php.fcgi/info.php denied

My selinux conf is:

SELINUX=enforcing  
SELINUXTYPE=targeted  
SETLOCALDEFS=0

So I killed SELinux (SELINUX=disabled), rebooted the system, and everything works!!!!!

The problem is SELinux, and I don't want to disable SELinux.
I tried this with no success:

setsebool -P httpd_enable_cgi 1  
chcon -t httpd_sys_script_exec_t /home/someuser/cgi-bin/php.fcgi  
chcon -R -t httpd_sys_content_t /home/someuser/cgi-bin

Or maybe it is better to change SELinux from
SELINUX=enforcing to SELINUX=permissive

and disable SELinux for httpd?
(I think I had better find the correct configuration.)

Thanks for any suggestion on this matter


My environment:

Red Hat Enterprise Linux Server release 5.8 (Tikanga)

Server version: Apache/2.2.3

PHP 5.1.6 (cli) (built: Jun 22 2012 06:20:25)
Copyright (c) 1997-2006 The PHP Group
Zend Engine v2.1.0, Copyright (c) 1998-2006 Zend Technologies

Some logs:

ps -ZC httpd

LABEL                             PID TTY          TIME CMD 
system_u:system_r:httpd_t        2822 ?        00:00:00 httpd 
system_u:system_r:httpd_t        2823 ?        00:00:00 httpd  
system_u:system_r:httpd_t        2824 ?        00:00:00 httpd  
system_u:system_r:httpd_t        2825 ?        00:00:00 httpd  
system_u:system_r:httpd_t        2826 ?        00:00:00 httpd  
system_u:system_r:httpd_t        2836 ?        00:00:00 httpd  
system_u:system_r:httpd_t        2837 ?        00:00:00 httpd  
system_u:system_r:httpd_t        2838 ?        00:00:00 httpd  
system_u:system_r:httpd_t        2839 ?        00:00:00 httpd  
system_u:system_r:httpd_t        2840 ?        00:00:00 httpd

getsebool -a | grep httpd

allow_httpd_anon_write --> off  
allow_httpd_bugzilla_script_anon_write --> off  
allow_httpd_cvs_script_anon_write --> off  
allow_httpd_mod_auth_pam --> off  
allow_httpd_nagios_script_anon_write --> off  
allow_httpd_prewikka_script_anon_write --> off  
allow_httpd_squid_script_anon_write --> off  
allow_httpd_sys_script_anon_write --> off  
httpd_builtin_scripting --> on  
httpd_can_network_connect --> off  
httpd_can_network_connect_db --> off  
httpd_can_network_relay --> off  
httpd_can_sendmail --> on  
httpd_disable_trans --> off  
httpd_enable_cgi --> on  
httpd_enable_ftp_server --> off  
httpd_enable_homedirs --> on  
httpd_execmem --> off  
httpd_read_user_content --> off  
httpd_rotatelogs_disable_trans --> off  
httpd_setrlimit --> off  
httpd_ssi_exec --> off  
httpd_suexec_disable_trans --> off  
httpd_tty_comm --> on  
httpd_unified --> on  
httpd_use_cifs --> off  
httpd_use_nfs --> off

There is also the audit log (/var/log/audit/audit.log):

type=SYSCALL msg=audit(1345834208.027:963): arch=c000003e syscall=4 success=no exit=-13 a0=2aaf1543e390 a1=7fff393c9510 a2=7fff393c9510 a3=2aaf1543bd58 items=0 ppid=27519 pid=27523 auid=517 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1345834208.027:964): avc: denied { getattr } for pid=27523 comm="httpd" path="/home/loemsera/public_html/index.php" dev=sda2 ino=4593912 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1345834208.027:964): arch=c000003e syscall=6 success=no exit=-13 a0=2aaf1543e470 a1=7fff393c9510 a2=7fff393c9510 a3=0 items=0 ppid=27519 pid=27523 auid=517 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1345834208.028:965): avc: denied { getattr } for pid=27523 comm="httpd" path="/home/loemsera/public_html/index.php" dev=sda2 ino=4593912 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file

Best Answer

Running FastCGI your way leaves a big security hole: the PHP interpreter is run as user "httpd" (at least I can't see anything about suexec here).

We have a working setup with SELinux and PHP as FastCGI here at CentOS 6, but it was really tricky to get everything working.

A few tips for the start:

  • you don't need to reboot to disable/enable SELinux - just use the command "setenforce 0" or "setenforce 1" :)
  • always try to get everything working with SELinux disabled, then enable it and have a look at audit.log

Here we go:

  • enable suexec
  • change SELinux type for php.fcgi to httpd_fastcgi_script_exec_t
  • your FastCGI starter (php.fcgi) should not be writable by the user owning it (otherwise he can tweak many settings and limits). Give it the "immutable" flag: chattr +i php.fcgi
  • suexec has some trouble with FastCGI, so we have to make it permissive:

    yum install policycoreutils-python
    semanage permissive -a httpd_suexec_t
    

Good luck!
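The answer's second tip (enable SELinux, then read audit.log) is easier to act on with a small parser, and the two AVC records quoted in the question show why: httpd_t is denied getattr on a file whose target type is still user_home_t, i.e. the file never received the httpd content label that the question's chcon command was meant to set (chcon on one path is also undone by any relabel). The script below is an added example, not code from the question, the answer, or any project; it normalises AVC denials into (source type, target type, class, permission, path) tuples, counts them, and prints a persistent semanage fcontext/restorecon rule for any public_html tree that is still labelled user_home_t. The sample records are constructed from the ones in the question; semanage and restorecon are only printed, never executed, and their availability is an assumption.

```shell
#!/bin/sh
# Added example (not from the question or the answer): summarise SELinux AVC
# denials from audit.log records and derive a persistent labelling rule.
# Assumes POSIX sh, awk, sed, sort and uniq; semanage/restorecon are only
# printed, never executed.

# Constructed sample built from the records quoted in the question.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1345834208.027:963): arch=c000003e syscall=4 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1345834208.027:964): avc: denied { getattr } for pid=27523 comm="httpd" path="/home/loemsera/public_html/index.php" dev=sda2 ino=4593912 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1345834208.028:965): avc: denied { getattr } for pid=27523 comm="httpd" path="/home/loemsera/public_html/index.php" dev=sda2 ino=4593912 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file'

# Read audit records on stdin; print one line per AVC denial:
#   <source type> <target type> <class> <permissions> <path>
# SYSCALL records and anything other than "avc: denied" are skipped.
avc_normalise() {
    awk '
    $1 == "type=AVC" && /avc: *denied/ {
        perm = ""; path = "-"; stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # collect every permission inside "{ ... }" as a comma list
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : ",") $j
            } else if (index($i, "path=") == 1) {
                path = substr($i, 6); gsub(/"/, "", path)
            } else if (index($i, "scontext=") == 1) {
                split(substr($i, 10), s, ":"); stype = s[3]   # user:role:TYPE:level
            } else if (index($i, "tcontext=") == 1) {
                split(substr($i, 10), t, ":"); ttype = t[3]
            } else if (index($i, "tclass=") == 1) {
                tclass = substr($i, 8)
            }
        }
        print stype, ttype, tclass, perm, path
    }'
}

# Count distinct (source, target, class, permission) tuples, most frequent first.
avc_summary() {
    avc_normalise | awk '{ print $1, $2, $3, $4 }' | sort | uniq -c \
        | sort -rn | sed 's/^ *//'
}

# For every denial where httpd_t hit a file still labelled user_home_t under a
# public_html tree, print the commands that make the httpd content label
# persistent. chcon (as used in the question) is a one-off change that a
# relabel undoes; a semanage fcontext rule plus restorecon survives it.
avc_suggest_fcontext() {
    avc_normalise | awk '$1 == "httpd_t" && $2 == "user_home_t" { print $5 }' \
        | sed -n 's|^\(/home/[^/]*/public_html\)/.*|\1|p' | sort -u \
        | while read -r dir; do
            printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$dir"
            printf 'restorecon -Rv "%s"\n' "$dir"
        done
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf '%s\n' "$SAMPLE_AUDIT" | avc_suggest_fcontext
```

On a live box, replace the sample with `grep avc /var/log/audit/audit.log | avc_summary` and review the suggested rule before running it; the php.fcgi wrapper itself needs the exec type the answer names, not httpd_sys_content_t, so the rule is deliberately limited to the public_html tree.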