I have a web application which uses sudo to invoke python scripts as the
user under which the application runs (NO root access).? Is there any
reason why sudo would would require sys_ptrace access for this?? I only
get this violation intermittenly, and not with every call to sudo.?
Here's the violation:
Summary:
SELinux is preventing sudo (httpd_t) "sys_ptrace" to <Unknown>
(httpd_t).
Detailed Description:
SELinux denied access requested by sudo. It is not expected that this access is
required by sudo and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:httpd_t
Target Context system_u:system_r:httpd_t
Target Objects None [ capability ]
Source sudo
Source Path /usr/bin/sudo
Port <Unknown>
Host myhost.mydomain.com
Source RPM Packages sudo-1.7.2p1-29.el5_10
Target RPM Packages
Policy RPM selinux-policy-2.4.6-351.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name myhost.mydomain.com
Platform Linux myhost.mydomain.com 2.6.18-419.el5 #1 SMP
Fri Feb
24 22:06:09 UTC 2017 i686 i686
Alert Count 359
First Seen Tue Oct 8 09:24:50 2013
Last Seen Tue Aug 21 10:26:26 2018
Local ID 717eb9a4-cc7f-4ed1-b638-5db1a841abe4
Line Numbers
Raw Audit Messages
host=myhost.mydomain.com type=AVC msg=audit(1534872386.726:9642): avc: denied
{ sys_ptrace } for pid=8458 comm="sudo" capability=19
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0
tclass=capability
host=myhost.mydomain.com type=SYSCALL msg=audit(1534872386.726:9642):
arch=40000003 syscall=3 success=yes exit=166 a0=1a a1=b7ff4000 a2=400 a3=89cabf0
items=0 ppid=8979 pid=8458 auid=4294967295 uid=48 gid=48 euid=0 suid=0 fsuid=0
egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sudo"
exe="/usr/bin/sudo" subj=system_u:system_r:httpd_t:s0 key=(null)
Thank You,
Nataraj
On 08/21/2018 12:27 PM, Nataraj wrote:> I have a web application which uses sudo to invoke python scripts as the > user under which the application runs (NO root access).? Is there any > reason why sudo would would require sys_ptrace access for this?? I only > get this violation intermittenly, and not with every call to sudo. > Here's the violation:Most likely you can just dontaudit this access.? sys_ptrace is often caused by processes trying to read content in /proc.> Summary: > > SELinux is preventing sudo (httpd_t) "sys_ptrace" to <Unknown> (httpd_t). > > Detailed Description: > > SELinux denied access requested by sudo. It is not expected that this access is > required by sudo and this access may signal an intrusion attempt. It is also > possible that the specific version or configuration of the application is > causing it to require additional access. > > Allowing Access: > > You can generate a local policy module to allow this access - see FAQ > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable > SELinux protection altogether. Disabling SELinux protection is not recommended. > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) > against this package. > > Additional Information: > > Source Context system_u:system_r:httpd_t > Target Context system_u:system_r:httpd_t > Target Objects None [ capability ] > Source sudo > Source Path /usr/bin/sudo > Port <Unknown> > Host myhost.mydomain.com > Source RPM Packages sudo-1.7.2p1-29.el5_10 > Target RPM Packages > Policy RPM selinux-policy-2.4.6-351.el5 > Selinux Enabled True > Policy Type targeted > MLS Enabled True > Enforcing Mode Enforcing > Plugin Name catchall > Host Name myhost.mydomain.com > Platform Linux myhost.mydomain.com 2.6.18-419.el5 #1 SMP Fri Feb > 24 22:06:09 UTC 2017 i686 i686 > Alert Count 359 > First Seen Tue Oct 8 09:24:50 2013 > Last Seen Tue Aug 21 10:26:26 2018 > Local ID 717eb9a4-cc7f-4ed1-b638-5db1a841abe4 > Line Numbers > > Raw Audit Messages > > host=myhost.mydomain.com type=AVC msg=audit(1534872386.726:9642): avc: denied { sys_ptrace } for pid=8458 comm="sudo" capability=19 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability > > host=myhost.mydomain.com type=SYSCALL msg=audit(1534872386.726:9642): arch=40000003 syscall=3 success=yes exit=166 a0=1a a1=b7ff4000 a2=400 a3=89cabf0 items=0 ppid=8979 pid=8458 auid=4294967295 uid=48 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sudo" exe="/usr/bin/sudo" subj=system_u:system_r:httpd_t:s0 key=(null) > > > Thank You, > > Nataraj > > > > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos
On Tue, Aug 21, 2018 at 12:27:53PM -0700, Nataraj wrote:> Source RPM Packages sudo-1.7.2p1-29.el5_10 > Policy RPM selinux-policy-2.4.6-351.el5 > Platform Linux myhost.mydomain.com 2.6.18-419.el5 #1 SMP Fri Feb 24 22:06:09 UTC 2017 i686 i686CentOS 5 was end of life on 31 March, 2017. There have bee no updates for over a year. Might as well turn off SELinux, you're so behind on security updates it probably doesn't matter. -- Jonathan Billings <billings at negate.org>
On 08/21/2018 12:41 PM, Jonathan Billings wrote:> On Tue, Aug 21, 2018 at 12:27:53PM -0700, Nataraj wrote: >> Source RPM Packages sudo-1.7.2p1-29.el5_10 >> Policy RPM selinux-policy-2.4.6-351.el5 >> Platform Linux myhost.mydomain.com 2.6.18-419.el5 #1 SMP Fri Feb 24 22:06:09 UTC 2017 i686 i686 > CentOS 5 was end of life on 31 March, 2017. There have bee no > updates for over a year. > > Might as well turn off SELinux, you're so behind on security updates > it probably doesn't matter. >Thank you.? I'm well aware that CentOS 5 is eol, and hoping to replace this server soon.? I'm sitting here right now in heavy smoke (which has been going on since early June) in Northern Ca, just miles from huge fires and have spent the last 3 years rebuilding after damage in a 2015 fire.? It kind of shakes up ones life a little bit.? In the meantime, keeping selinux enabled helps me to keep the server from getting broken into.??? Since incoming services are limited for the most part to my userbase, I am doing very well so far.? There is no remote login access. Thank you, Nataraj
On Aug 21, 2018, at 1:27 PM, Nataraj <incoming-centos at rjl.com> wrote:> > I have a web application which uses sudo to invoke python scripts as the > user under which the application runs (NO root access).Why is the web app not running with that user?s permissions in the first place? If your answer is that it needs root access to bind to port 80, there are two common solutions: 1. Start the service as root, set up the port 80 listener, then drop privileges internally with getpwent(?myuser?) and setuid(my_uid). 2. Use an HTTP[S] proxy server, such as Apache with mod_proxy configured. Bind the actual web app to localhost and a high-numbered random port, then forward external port 80 hits to the internal service. This method has the additional advantage that you can use the path part of the URL to relieves the web app of having to serve hits for the static resources ? *.js, *.png, *.css? ? which can speed the application up.
On 08/21/2018 02:20 PM, Warren Young wrote:> On Aug 21, 2018, at 1:27 PM, Nataraj <incoming-centos at rjl.com> wrote: >> I have a web application which uses sudo to invoke python scripts as the >> user under which the application runs (NO root access). > Why is the web app not running with that user?s permissions in the first place? > > If your answer is that it needs root access to bind to port 80, there are two common solutions: > > 1. Start the service as root, set up the port 80 listener, then drop privileges internally with getpwent(?myuser?) and setuid(my_uid). > > 2. Use an HTTP[S] proxy server, such as Apache with mod_proxy configured. Bind the actual web app to localhost and a high-numbered random port, then forward external port 80 hits to the internal service. This method has the additional advantage that you can use the path part of the URL to relieves the web app of having to serve hits for the static resources ? *.js, *.png, *.css? ? which can speed the application up. > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centosThe php code runs as user apache under the webserver. If the php ran as the app users it would have full access to all of the data in the app. Using sudo the app can only invoke one specific python script (which is the command name in the sudoers file) to do what it needs to do, without having access to the rest of the apps data and other python scripts used by other functions in the app). Could be that I'm not seeing something, but this approach seems sensible to me, though I could be convinced otherwise if I could see where running the php as the app users, would make more sense. It could be that giving sudo sys_ptrace access could increase the risk to the security of the system, but giving the php code app user access, increases the risk of data compromise in the app. Thank You, Nataraj