
I have a PHP script that runs in an Apache server on a RHEL5 installation. This script runs an exec on "rpm -q --info packagename".

The thing is that it works properly with SELinux in permissive mode, but not when it's fully enabled. So I assume it's an SELinux issue.

I've started out with audit2allow to create rules based on the denied entries I've found, but now there are no more denials in the audit logs, and it still doesn't run with SELinux enabled.

In my world it seems it queries the system whether it would be allowed to run, and SELinux says "if you try this, I will stop you". So the system does not run the exec. If it did, I assume I would get a "denied" that I could create a new SELinux rule based upon. With SELinux in permissive, I don't get any denied either, but it works.

So it seems I will have to deal with this the hard way and create a custom rule for SELinux. Said and done, I made one:

module php_rpm 1.0;

require {
    type httpd_t;
    type bin_t;
    type rpm_exec_t;
    type rpm_var_lib_t;
    class file { execute execute_no_trans getattr read execmod };
    class dir { getattr search };
}

#============= httpd_t ==============
allow httpd_t rpm_exec_t:file { execute execute_no_trans getattr read execmod };
allow httpd_t rpm_var_lib_t:dir { getattr search };

Unfortunately this did nothing for my problem, but presumably messed up my SELinux rules a bit :P

Has anyone out there attempted to execute rpm from PHP with SELinux enabled and gotten away with it?

1 Answer

I did find a way to solve it. Perhaps not the best way, but it's a bit on the way.

The reason my audit2allow did not work was because not all messages were shown in the audit log. I activated it to show all logs once I read this: http://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3028826

Once I got more denied messages in the logs, I could figure out what to do to make it work.

The final .te file looks like this:

module php_rpm 1.0;

require {
    type selinux_config_t;
    type httpd_script_exec_t;
    type security_t;
    type httpd_t;
    type rpm_exec_t;
    type rpm_var_lib_t;
    class dir { search getattr };
    class file { getattr read execute_no_trans execute lock };
}

#============= httpd_t ==============
allow httpd_t httpd_script_exec_t:file { read getattr execute_no_trans };
allow httpd_t rpm_exec_t:file { read getattr execute_no_trans execute };
allow httpd_t rpm_var_lib_t:dir { getattr search };
allow httpd_t rpm_var_lib_t:file { read getattr lock };
allow httpd_t security_t:dir search;
allow httpd_t security_t:file read;
allow httpd_t selinux_config_t:dir search;
allow httpd_t selinux_config_t:file { read getattr };

I have a feeling it's a bit of an open door here, so I will still try to tighten this down somehow. But the SELinux rules weren't my primary concern here; they come second.

If anyone has a better suggestion, maybe a more specific rule for this, please feel free to share it!
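As an added illustration (not code from either post), here is a small Python script that does by hand what audit2allow did for the answer above: it merges AVC denial records into allow rules, renders a .te module in the same shape as the one in the answer, and flags the rule that lets httpd_t run rpm via execute_no_trans, which is the "open door" the answer worries about because rpm then runs inside the web server's domain instead of a separate one. The AVC lines are constructed samples, and the module name php_rpm is taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not from the post), in the audit.log format.
SAMPLE_AVC = """\
type=AVC msg=audit(1288000000.123:45): avc:  denied  { execute } for  pid=2201 comm="php" name="rpm" dev=dm-0 ino=1001 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=AVC msg=audit(1288000000.123:46): avc:  denied  { execute_no_trans } for  pid=2201 comm="php" path="/bin/rpm" dev=dm-0 ino=1001 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file
type=AVC msg=audit(1288000000.456:47): avc:  denied  { search } for  pid=2201 comm="rpm" name="rpm" dev=dm-0 ino=2002 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir
type=AVC msg=audit(1288000000.457:48): avc:  denied  { read lock } for  pid=2201 comm="rpm" name="Packages" dev=dm-0 ino=2003 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
                    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<cls>\w+)")

def parse_avc(text):
    """Return {(source_type, target_type, class): set(perms)}, merged across records."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        src = m.group("sctx").split(":")[2]  # context is user:role:TYPE:level
        tgt = m.group("tctx").split(":")[2]
        rules[(src, tgt, m.group("cls"))].update(m.group("perms").split())
    return dict(rules)

def build_te(rules, module="php_rpm", version="1.0"):
    """Render a .te module with a require block, like the ones in the post."""
    types = sorted({t for k in rules for t in k[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

def open_doors(rules):
    """Flag rules that let the source domain run a binary without a domain
    transition: execute_no_trans keeps rpm inside httpd_t, so everything
    granted to httpd_t is reachable through rpm as well."""
    return [k for k, p in rules.items() if k[2] == "file" and "execute_no_trans" in p]
```

The denials audit2allow never saw were hidden by dontaudit rules; `semodule -DB` disables them so they reach the audit log, and `semodule -B` turns them back on afterwards.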