selinux, httpd and sudo

Tom Diehl tdiehl at rogueind.com
Sun Mar 5 16:16:14 UTC 2006


Hi all,

I have an el4 machine that I am trying to get a shell script working from a
php page with sudo. I can su to apache and execute the script using sudo but
when I try to execute the script from the php page I get the following avc's:

type=AVC msg=audit(1141573880.162:1935): avc:  denied  { setrlimit } for  pid=29788 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
type=SYSCALL msg=audit(1141573880.162:1935): arch=c000003e syscall=160 success=no exit=-13 a0=4 a1=7fbffff9a0 a2=0 a3=7fbffff701 items=0 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1141573880.164:1936): avc:  denied  { read } for  pid=29788 comm="sudo" name="shadow" dev=dm-0 ino=51991 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1141573880.164:1936): arch=c000003e syscall=2 success=no exit=-13 a0=2a95e1302a a1=0 a2=1b6 a3=1 items=1 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=CWD msg=audit(1141573880.164:1936):  cwd="/var/www/adddomain"
type=PATH msg=audit(1141573880.164:1936): name="/etc/shadow" flags=101  inode=51991 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141573880.165:1937): avc:  denied  { read } for  pid=29788 comm="sudo" name="shadow" dev=dm-0 ino=51991 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1141573880.165:1937): arch=c000003e syscall=2 success=no exit=-13 a0=2a95e1302a a1=0 a2=1b6 a3=4 items=1 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=CWD msg=audit(1141573880.165:1937):  cwd="/var/www/adddomain"
type=PATH msg=audit(1141573880.165:1937): name="/etc/shadow" flags=101  inode=51991 dev=fd:00 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1141573880.165:1938): avc:  denied  { create } for  pid=29788 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=netlink_route_socket
type=SYSCALL msg=audit(1141573880.165:1938): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=0 a3=7fbfffe901 items=0 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1141573880.166:1939): avc:  denied  { setgid } for  pid=29788 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
type=SYSCALL msg=audit(1141573880.166:1939): arch=c000003e syscall=119 success=yes exit=0 a0=ffffffff a1=30 a2=ffffffff a3=7fbffff701 items=0 pid=29788 auid=0 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1141573880.167:1940): avc:  denied  { setuid } for  pid=29788 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
type=SYSCALL msg=audit(1141573880.167:1940): arch=c000003e syscall=117 success=yes exit=0 a0=30 a1=30 a2=0 a3=7fbffff701 items=0 pid=29788 auid=0 uid=48 gid=48 euid=48 suid=0 fsuid=48 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"
type=AVC msg=audit(1141573880.167:1941): avc:  denied  { setgid } for  pid=29788 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
type=SYSCALL msg=audit(1141573880.167:1941): arch=c000003e syscall=119 success=no exit=-1 a0=ffffffff a1=0 a2=ffffffff a3=7fbffff701 items=0 pid=29788 auid=0 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 comm="sudo" exe="/usr/bin/sudo"

If I am reading these correctly, it appears that selinux is stopping sudo from
executing the commands. Is there a way to get this to work without making the
system insecure? The script is restricted to internal use but there are
publicly accessible websites hosted on the machine.

Regards,

Tom
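
As an added triage example (this is not code from the post or from the fedora-selinux-list, and the high-risk lists it uses are assumptions of the example), here is a small Python parser that reads AVC records like the ones above, groups the denied permissions by source domain, target type and object class, and separately flags the denials a defender would not want to turn into allow rules without thought: reads of shadow_t, and the setuid/setgid capability requests. Run against the records from the post, it shows that the httpd_sys_script_t domain is asking for exactly the privileges that make sudo-from-a-web-script risky on a host that also serves public sites.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records from the post above (plus one CWD record
# to show that non-AVC lines are skipped), copied verbatim.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1141573880.162:1935): avc:  denied  { setrlimit } for  pid=29788 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=process
type=AVC msg=audit(1141573880.164:1936): avc:  denied  { read } for  pid=29788 comm="sudo" name="shadow" dev=dm-0 ino=51991 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
type=CWD msg=audit(1141573880.164:1936):  cwd="/var/www/adddomain"
type=AVC msg=audit(1141573880.165:1937): avc:  denied  { read } for  pid=29788 comm="sudo" name="shadow" dev=dm-0 ino=51991 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
type=AVC msg=audit(1141573880.165:1938): avc:  denied  { create } for  pid=29788 comm="sudo" scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=netlink_route_socket
type=AVC msg=audit(1141573880.166:1939): avc:  denied  { setgid } for  pid=29788 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
type=AVC msg=audit(1141573880.167:1940): avc:  denied  { setuid } for  pid=29788 comm="sudo" capability=7 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
type=AVC msg=audit(1141573880.167:1941): avc:  denied  { setgid } for  pid=29788 comm="sudo" capability=6 scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:httpd_sys_script_t tclass=capability
"""

# Shape of an audit(1) AVC record: type=AVC msg=audit(<ts>:<serial>): avc: denied { perms } for key=value ...
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+?) \} for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Triage lists (an assumption of this example, not taken from the post): target
# types and capabilities that a web-script domain should not simply be granted
# because an AVC record says they were denied.
HIGH_RISK_TYPES = {"shadow_t"}
HIGH_RISK_CAPS = {"setuid", "setgid", "dac_override", "sys_admin"}


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "ts": m.group("ts"),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """user:role:type[:level] -> type (works for both MCS and non-MCS contexts)."""
    return ctx.split(":")[2]


def denied_records(text):
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec["verdict"] == "denied":
            yield rec


def summarize(text):
    """Group denied permissions by (comm, source type, target type, class)."""
    summary = defaultdict(set)
    for rec in denied_records(text):
        key = (rec.get("comm", "?"), context_type(rec["scontext"]),
               context_type(rec["tcontext"]), rec["tclass"])
        summary[key].update(rec["perms"])
    return dict(summary)


def high_risk(text):
    """Denials that touch a high-risk target type or ask for a high-risk capability."""
    hits = []
    for rec in denied_records(text):
        if context_type(rec["tcontext"]) in HIGH_RISK_TYPES:
            hits.append(rec)
        elif rec["tclass"] == "capability" and HIGH_RISK_CAPS & set(rec["perms"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for (comm, src, tgt, cls), perms in sorted(summarize(SAMPLE_AUDIT_LOG).items()):
        print(f"{comm}: {src} -> {tgt} ({cls}): {' '.join(sorted(perms))}")
    print("high-risk denials:", [r["serial"] for r in high_risk(SAMPLE_AUDIT_LOG)])
```

The grouping is the same view a policy tool would need before writing any rule; the high_risk list is the part worth reading first, since those entries (shadow_t read, setuid, setgid) are what sudo needs to do its job and are also exactly what a compromised web script should not be able to do.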



