Any SElinux expert here - briefly:
# getenforce
Enforcing
# sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t
<no output>
# sesearch -ACR -s httpd_t -c file -p read |grep syslog_conf_t
<no output>
# ls -laZ /etc/sysctl.conf /etc/rsyslog.conf
-rw-r--r--. root root system_u:object_r:syslog_conf_t:s0 /etc/rsyslog.conf
-rw-r--r--. root root system_u:object_r:system_conf_t:s0 /etc/sysctl.conf
# ausearch -m avc --start recent
type=SYSCALL msg=audit(1536457230.922:85): arch=c000003e syscall=6 success=no
exit=-13 a0=7fff6460dcf0 a1=7fff6460dbe0 a2=7fff6460dbe0 a3=11 items=0 ppid=1362
pid=1364 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
fsgid=48 tty=(none) ses=4294967295 comm="php-fpm"
exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1536457230.922:85): avc: denied { getattr } for pid=1364
comm="php-fpm" path="/etc/rsyslog.conf" dev=dm-0 ino=138287
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file
My test PHP script can read /etc/sysctl.conf but not /etc/rsyslog.conf. For both
no rule are found (sesearch above). So, why the script can read sysctl.conf?
--
Thanks,
LF
On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote:> Any SElinux expert here - briefly: > > > # getenforce > Enforcing > > # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t > <no output> > > # sesearch -ACR -s httpd_t -c file -p read |grep syslog_conf_t > <no output> > > # ls -laZ /etc/sysctl.conf /etc/rsyslog.conf > -rw-r--r--. root root system_u:object_r:syslog_conf_t:s0 /etc/rsyslog.conf > -rw-r--r--. root root system_u:object_r:system_conf_t:s0 /etc/sysctl.conf > > # ausearch -m avc --start recent > type=SYSCALL msg=audit(1536457230.922:85): arch=c000003e syscall=6 success=no exit=-13 a0=7fff6460dcf0 a1=7fff6460dbe0 a2=7fff6460dbe0 a3=11 items=0 ppid=1362 pid=1364 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null) > type=AVC msg=audit(1536457230.922:85): avc: denied { getattr } for pid=1364 comm="php-fpm" path="/etc/rsyslog.conf" dev=dm-0 ino=138287 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file > > > My test PHP script can read /etc/sysctl.conf but not /etc/rsyslog.conf. For both > no rule are found (sesearch above). So, why the script can read sysctl.conf? > > -- > Thanks, > LF > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centosBecause almost no apache servers would normally be walking through /etc reading configuration files.? Do you scripts actually need to read these config files?
Am 09.09.2018 um 14:49 schrieb Daniel Walsh <dwalsh at redhat.com>:> > On 09/08/2018 09:50 PM, Leon Fauster via CentOS wrote: >> Any SElinux expert here - briefly: >> >> # getenforce >> Enforcing >> >> # sesearch -ACR -s httpd_t -c file -p read |grep system_conf_t >> <no output> >> >> # sesearch -ACR -s httpd_t -c file -p read |grep syslog_conf_t >> <no output> >> >> # ls -laZ /etc/sysctl.conf /etc/rsyslog.conf >> -rw-r--r--. root root system_u:object_r:syslog_conf_t:s0 /etc/rsyslog.conf >> -rw-r--r--. root root system_u:object_r:system_conf_t:s0 /etc/sysctl.conf >> >> # ausearch -m avc --start recent >> type=SYSCALL msg=audit(1536457230.922:85): arch=c000003e syscall=6 success=no exit=-13 a0=7fff6460dcf0 a1=7fff6460dbe0 a2=7fff6460dbe0 a3=11 items=0 ppid=1362 pid=1364 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null) >> type=AVC msg=audit(1536457230.922:85): avc: denied { getattr } for pid=1364 comm="php-fpm" path="/etc/rsyslog.conf" dev=dm-0 ino=138287 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:syslog_conf_t:s0 tclass=file >> >> >> My test PHP script can read /etc/sysctl.conf but not /etc/rsyslog.conf. For both >> no rule are found (sesearch above). So, why the script can read sysctl.conf? >> > > Because almost no apache servers would normally be walking through /etc reading > configuration files. Do you scripts actually need to read these config files?Normally, sure - but a malicious developer (or attacker) will do. So, I'm evaluating different approaches to secure our platform. Its possible to limit fs access in PHP but this comes with a massive performance penalty. Well, I do not want to discuss that all "etc_t" files can be read but why sysctl.conf with "system_conf_t" type can be read where it shouldn't?? Any pointer would be greatly appreciated. -- LF