
Migrating a system from CentOS6 to RHEL7 with SELinux running Enforced. A php script makes a call to /usr/bin/processdata.sh to generate some data behind the scenes. This worked fine with the old system but the php exec call chokes with SELinux set to enabled.

Here is the sh permission

-rwxrwx--x. root root unconfined_u:object_r:bin_t:s0 /usr/bin/process_data.sh 

This audit error is seen at the same time the php page is called:

ausearch -l -i | grep httpd

type=SYSCALL msg=audit(02/27/2016 14:07:52.662:23480) : arch=x86_64 syscall=socket success=no exit=-97(Address family not supported by protocol) a0=inet6 a1=SOCK_DGRAM a2=ip a3=0x672e76656473626e items=0 ppid=15686 pid=3852 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(02/27/2016 14:07:52.662:23480) : avc: denied { module_request } for pid=3852 comm=httpd kmod="net-pf-10" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

Here are my current httpd bools:

httpd_can_network_relay (off , off) Allow httpd to can network relay
httpd_can_connect_mythtv (off , off) Allow httpd to can connect mythtv
httpd_can_network_connect_db (off , off) Allow httpd to can network connect db
httpd_use_gpg (off , off) Allow httpd to use gpg
httpd_dbus_sssd (off , off) Allow httpd to dbus sssd
httpd_enable_cgi (on , on) Allow httpd to enable cgi
httpd_verify_dns (off , off) Allow httpd to verify dns
httpd_dontaudit_search_dirs (off , off) Allow httpd to dontaudit search dirs
httpd_anon_write (off , off) Allow httpd to anon write
httpd_use_cifs (off , off) Allow httpd to use cifs
httpd_enable_homedirs (off , off) Allow httpd to enable homedirs
httpd_unified (off , off) Allow httpd to unified
httpd_mod_auth_pam (off , off) Allow httpd to mod auth pam
httpd_run_stickshift (off , off) Allow httpd to run stickshift
httpd_use_fusefs (off , off) Allow httpd to use fusefs
httpd_can_connect_ldap (off , off) Allow httpd to can connect ldap
httpd_can_network_connect (on , on) Allow httpd to can network connect
httpd_mod_auth_ntlm_winbind (off , off) Allow httpd to mod auth ntlm winbind
httpd_tty_comm (off , off) Allow httpd to tty comm
httpd_sys_script_anon_write (off , off) Allow httpd to sys script anon write
httpd_graceful_shutdown (on , on) Allow httpd to graceful shutdown
httpd_can_connect_ftp (off , off) Allow httpd to can connect ftp
httpd_run_ipa (off , off) Allow httpd to run ipa
httpd_read_user_content (off , off) Allow httpd to read user content
httpd_use_nfs (off , off) Allow httpd to use nfs
httpd_can_connect_zabbix (off , off) Allow httpd to can connect zabbix
httpd_tmp_exec (off , off) Allow httpd to tmp exec
httpd_run_preupgrade (off , off) Allow httpd to run preupgrade
httpd_manage_ipa (off , off) Allow httpd to manage ipa
httpd_can_sendmail (on , on) Allow httpd to can sendmail
httpd_builtin_scripting (on , on) Allow httpd to builtin scripting
httpd_dbus_avahi (off , off) Allow httpd to dbus avahi
httpd_can_check_spam (off , off) Allow httpd to can check spam
httpd_can_network_memcache (off , off) Allow httpd to can network memcache
httpd_can_network_connect_cobbler (off , off) Allow httpd to can network connect cobbler
httpd_use_sasl (off , off) Allow httpd to use sasl
httpd_serve_cobbler_files (off , off) Allow httpd to serve cobbler files
httpd_execmem (off , off) Allow httpd to execmem
httpd_ssi_exec (off , off) Allow httpd to ssi exec
httpd_use_openstack (off , off) Allow httpd to use openstack
httpd_enable_ftp_server (off , off) Allow httpd to enable ftp server
httpd_setrlimit (off , off) Allow httpd to setrlimit

Is something off in my selinux config that I'm not seeing?

2
  • What exactly do you want us to do here? Commented Feb 28, 2016 at 13:37
  • Could you clean up the formatting of this question? It's hard to tell what you are trying to convey after the ausearch -l -i | grep httpd command. Commented Apr 13, 2016 at 21:11

2 Answers

3

Is something off in my selinux config that I'm not seeing?

What you show us of your SELinux config looks 'normal', but that's not to say it does not need adjusting to meet your specific workload.

What I would do here is put SELinux in permissive mode (setenforce 0) and then cause auditd to start a new logfile (kill -USR1 <PID of auditd>). Then go about your normal business. SELinux will generate messages for later analysis.

When you've run in permissive mode for 'some time' you can use the standard tools to investigate the SELinux messages.

The audit2why utility can shed some light on the logged messages and can also give advice on what to do. For example, it has this to say about the snippet you have posted:

avc: denied { module_request } for pid=3852 comm=httpd kmod="net-pf-10" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
    Was caused by:
    The boolean domain_kernel_load_modules was set incorrectly.
    Description:
    Allow all domains to have the kernel load modules
    Allow access by executing:
    # setsebool -P domain_kernel_load_modules 1

As you are currently running in Enforcing mode, only the first denial is logged; if you were to fix that, you will likely find more. That's why you should run temporarily in Permissive mode, where all denials get logged.

Sometimes audit2why isn't very helpful. In those cases a deeper understanding of SELinux can be helpful. For example you can run the audit log through audit2allow and generate a local policy which you can apply with semodule. This should though be carefully audited as you can give more away than you need to.

2
  • only the first denial is logged if you were to fix that you will likely find more - thanks, I'm running a webinspect scan against the system now but will reset and observe what happens in permissive mode later. I will follow up in my question. Commented Feb 28, 2016 at 15:07
  • If you are still monitoring, I am just coming back to this issue. I issued: grep httpd /var/log/audit/audit.log | audit2allow -m httpd_module_request_local > httpd_module_request.te which returned the following suggested policy change: allow httpd_t kernel_t:system module_request; Is there a way to further fine tune this to allow access to a single script rather than any script? Commented Mar 21, 2016 at 17:05
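As an added example (not part of the answer above or the follow-up comments), a small POSIX sh/awk filter that turns raw /var/log/audit/audit.log AVC records into the same allow rules audit2allow -m would produce, merging permissions per source/target/class so you can see exactly what a generated module would grant before it is loaded with semodule. The log lines are constructed to mirror the module_request denial from the question plus a file denial on the bin_t script.

```shell
#!/bin/sh
# Constructed raw audit.log records (the format audit2allow reads), not real output.
SAMPLE_LOG='type=AVC msg=audit(1456596472.662:23480): avc:  denied  { module_request }  for  pid=3852 comm="httpd" kmod="net-pf-10" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1456596472.662:23480): arch=c000003e syscall=41 success=no exit=-97 a0=a a1=2 a2=0 items=0 ppid=15686 pid=3852 uid=48 gid=48 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1456596480.101:23481): avc:  denied  { module_request }  for  pid=3853 comm="httpd" kmod="net-pf-10" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1456596490.555:23482): avc:  denied  { execute }  for  pid=3854 comm="httpd" name="process_data.sh" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1456596490.556:23483): avc:  denied  { read open }  for  pid=3854 comm="httpd" name="process_data.sh" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:bin_t:s0 tclass=file'

# avc_rules LOGTEXT: print one "allow SRC TGT:CLASS perms;" line per
# (source type, target type, class), with the permissions of all matching
# denials merged, in order of first appearance. SYSCALL records are ignored.
avc_rules() {
    printf '%s\n' "$1" | awk '
    /^type=AVC / && /denied/ {
        n = 0; perm = ""; s = ""; t = ""; c = ""
        for (i = 1; i <= NF; i++) {
            # permissions sit between "{" and "}" and may be more than one
            if ($i == "{") { for (i++; i <= NF && $i != "}"; i++) perm = (n++ ? perm " " : "") $i }
            else if (sub(/^scontext=/, "", $i)) s = $i
            else if (sub(/^tcontext=/, "", $i)) t = $i
            else if (sub(/^tclass=/, "", $i)) c = $i
        }
        split(s, sp, ":"); split(t, tp, ":")      # user:role:type:level -> type
        key = sp[3] " " tp[3] ":" c
        if (!(key in order)) { order[key] = ++nkeys; keys[nkeys] = key }
        np = split(perm, pl, " ")
        for (j = 1; j <= np; j++)                 # add each permission once
            if (index(" " perms[key] " ", " " pl[j] " ") == 0)
                perms[key] = (perms[key] == "" ? pl[j] : perms[key] " " pl[j])
    }
    END {
        for (k = 1; k <= nkeys; k++) {
            p = perms[keys[k]]
            if (index(p, " ")) p = "{ " p " }"  # brace multi-permission sets
            print "allow " keys[k] " " p ";"
        }
    }'
}

# On a real host the equivalent review step is:
#   grep httpd /var/log/audit/audit.log | audit2allow -m local_httpd
# and only after reading every rule: audit2allow -M local_httpd; semodule -i local_httpd.pp
avc_rules "$SAMPLE_LOG"
```

Each printed rule is a grant to the whole httpd_t domain, not to one script, which is why the merged view is worth reading line by line before anything is loaded.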
1

To allow lighttpd to execute files, enable the SELinux bool http_execmem.

Then change the file type to allow lighttpd to be executed: chcon system_u:object_r:httpd_exec_t:s0 [file].

Keep that change persistent in the kernel by using semanage fcontext -a -t httpd_exec_t [file].
