{"id":516,"date":"2018-05-02T16:44:00","date_gmt":"2018-05-02T14:44:00","guid":{"rendered":"http:\/\/union31xh.free.fr\/?p=516"},"modified":"2018-05-06T10:02:14","modified_gmt":"2018-05-06T08:02:14","slug":"se-linux","status":"publish","type":"post","link":"https:\/\/blogperso.union31.fr\/?p=516","title":{"rendered":"SE Linux"},
"content":{"rendered":"<p>Apache + calling the script \/bin\/irsend &#8211;&gt; create an SELinux security context module.<\/p>\n<p>Link: https:\/\/forums.fedoraforum.org\/showthread.php?283129-selinux-to-allow-running-irsend-from-apache<\/p>\n<p>Link: https:\/\/relativkreativ.at\/articles\/how-to-compile-a-selinux-policy-package<\/p>\n<p>Link: https:\/\/www.endpoint.com\/blog\/2013\/11\/20\/selinux-fix-for-sudo-pam<\/p>\n<p>There is no simple way to allow the Apache account to use sudo.<\/p>\n<p>First, find in the logs the message in which SELinux denies this kind of action:<\/p>\n<pre class=\"code\">tail -f \/var\/log\/messages | grep SELinux<\/pre>\n<p>Example result:<\/p>\n<pre class=\"code\">May  2 15:49:05 vdi-nx setroubleshoot: SELinux is preventing sudo from using the setgid capability. For complete SELinux messages run: sealert -l b0707f8a-b189-44bd-99ee-51ad426cc3b0<\/pre>\n<p><em>Note: the error can be seen in more detail in the file \/var\/log\/audit\/audit.log<\/em><\/p>\n<p>To see the details, run the command given in the message:<\/p>\n<pre class=\"code\">sealert -l b0707f8a-b189-44bd-99ee-51ad426cc3b0<\/pre>\n<p>Which gives the following result:<\/p>\n<pre class=\"code\">SELinux is preventing sudo from using the setgid capability.\r\n\r\n*****  Plugin catchall (100. confidence) suggests   **************************\r\n\r\nIf vous pensez que sudo devrait avoir des capacit\u00e9s setgid par d\u00e9faut.\r\nThen vous devriez rapporter ceci en tant qu'anomalie.\r\nVous pouvez g\u00e9n\u00e9rer un module de strat\u00e9gie local pour autoriser cet acc\u00e8s.\r\nDo\r\nallow this access for now by executing:\r\n# ausearch -c 'sudo' --raw | audit2allow -M my-sudo\r\n# semodule -i my-sudo.pp\r\n\r\n\r\nAdditional Information:\r\nSource Context                system_u:system_r:httpd_sys_script_t:s0\r\nTarget Context                system_u:system_r:httpd_sys_script_t:s0\r\nTarget Objects                Unknown [ capability ]\r\nSource                        sudo\r\nSource Path                   sudo\r\nPort                          &lt;Unknown&gt;\r\nHost                          vdi-nx\r\nSource RPM Packages           sudo-1.8.19p2-11.el7_4.x86_64\r\nTarget RPM Packages\r\nPolicy RPM                    selinux-policy-3.13.1-166.el7_4.9.noarch\r\nSelinux Enabled               True\r\nPolicy Type                   targeted\r\nEnforcing Mode                Enforcing\r\nHost Name                     vdi-nx\r\nPlatform                      Linux vdi-nx 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed\r\n                              Mar 7 19:03:37 UTC 2018 x86_64 x86_64\r\nAlert Count                   80\r\nFirst Seen                    2018-04-12 09:29:43 CEST\r\nLast Seen                     2018-05-02 15:49:04 CEST\r\nLocal ID                      b0707f8a-b189-44bd-99ee-51ad426cc3b0\r\n\r\nRaw Audit Messages\r\ntype=AVC msg=audit(1525268944.858:15678): avc:  denied  { setgid } for  pid=11884 comm=\"sudo\" capability=6  scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability\r\n\r\n\r\ntype=SYSCALL msg=audit(1525268944.858:15678): arch=x86_64 syscall=setresgid success=no exit=EPERM a0=ffffffff a1=0 a2=ffffffff a3=7fa3525c0300 items=0 ppid=10046 pid=11884 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=sudo exe=\/usr\/bin\/sudo subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)\r\n\r\nHash: sudo,httpd_sys_script_t,httpd_sys_script_t,capability,setgid\r\n<\/pre>\n<p><em>Note: the Raw Audit Messages part is also present in \/var\/log\/audit\/audit.log<\/em><\/p>\n<p>Reading this, it is indeed our case: the httpd_sys_script_t security context is not allowed to use the sudo command (sudo is denied the setgid capability).<\/p>\n<p>We take the lines containing type=AVC and type=SYSCALL and pipe them into the audit2allow module generator:<\/p>\n<pre class=\"code\">echo '\r\ntype=SYSCALL msg=audit(1525269643.375:15749): arch=c000003e syscall=119 success=no exit=-1 a0=ffffffff a1=0 a2=ffffffff a3=7f5ad39cd300 items=0 ppid=4974 pid=11974 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=\"sudo\" exe=\"\/usr\/bin\/sudo\" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)\r\ntype=AVC msg=audit(1525269643.375:15749): avc:  denied  { setgid } for  pid=11974 comm=\"sudo\" capability=6  scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability' | audit2allow -M Module_httpd_sudo\r\n<\/pre>\n<p>This generates the following files:<\/p>\n<pre class=\"code\">4 -rw-r--r--. 1 root   root    889  2 mai   16:08 Module_httpd_sudo.pp\r\n4 -rw-r--r--. 1 root   root    187  2 mai   16:08 Module_httpd_sudo.te<\/pre>\n<p>The .pp file (Module_httpd_sudo.pp) is the binary policy package that will have to be loaded.<\/p>\n<p>The .te file (Module_httpd_sudo.te) is a readable version of the generated binary module. In our case its content is the following:<\/p>\n<pre class=\"code\">module Module_httpd_sudo 1.0;\r\n\r\nrequire {\r\n        type httpd_sys_script_t;\r\n        class capability setgid;\r\n}\r\n\r\n#============= httpd_sys_script_t ==============\r\nallow httpd_sys_script_t self:capability setgid;\r\n<\/pre>\n<p>We can see that the \u201chttpd_sys_script_t\u201d context is allowed to use the \u201csetgid\u201d capability, which should let the Apache account use the \u201csudo\u201d command\u2026<\/p>\n<p>Load the module:<\/p>\n<pre class=\"code\">semodule -i Module_httpd_sudo.pp<\/pre>\n<p>Afterwards there is still an access denial. This is normal: several permissions need to be opened. To handle the first batch of permissions, there is a faster method: extract from the audit log every message related to \u201csudo\u201d and pipe that stream into the \u201caudit2allow\u201d command, which generates the two module files:<\/p>\n<pre class=\"code\"># Remove the old module\r\nsemodule -r Module_httpd_sudo\r\n# Search the audit log and build the security module\r\nausearch -c 'sudo' --raw | audit2allow -M Module_httpd_sudo\r\n# Load the new module\r\nsemodule -i Module_httpd_sudo.pp<\/pre>\n<p>But opening some blocked permissions leads to further denials that must be lifted in turn\u2026 so the operation has to be repeated as long as denial messages keep appearing.<\/p>\n<p>So in our case the module file (Module_httpd_sudo.te) will contain the following lines:<\/p>\n<pre class=\"code\">module Module_httpd_sudo2 1.0;\r\n\r\nrequire {\r\n        type httpd_sys_script_t;\r\n        class capability { setgid setuid sys_resource };\r\n        class process setrlimit;\r\n        class netlink_audit_socket create;\r\n}\r\n\r\n#============= httpd_sys_script_t ==============\r\n\r\n#!!!! This avc is allowed in the current policy\r\nallow httpd_sys_script_t self:capability { setgid setuid sys_resource };\r\n\r\n#!!!! This avc is allowed in the current policy\r\nallow httpd_sys_script_t self:netlink_audit_socket create;\r\nallow httpd_sys_script_t self:process setrlimit;\r\n<\/pre>\n<p>But at this stage it is still not working.<\/p>\n<p>Errors appear in \/var\/log\/httpd\/error_log:<\/p>\n<pre class=\"code\">sudo: unable to send audit message: Permission denied\r\nsudo: pam_open_session: System error\r\nsudo: policy plugin failed session initialization<\/pre>\n<p>or in \/var\/log\/secure:<\/p>\n<pre class=\"code\">May  4 15:14:25 vdi-nx sudo: PAM audit_log_acct_message() failed: Permission denied\r\nMay  4 15:14:25 vdi-nx sudo:  apache : pam_open_session: System error ; TTY=unknown ; PWD=\/var\/www\/html ; USER=root ; COMMAND=prive\/donnees\/iptables_co<\/pre>\n<p><strong>Yet nothing appears in the file \u201c\/var\/log\/audit\/audit.log\u201d!<\/strong><\/p>\n<p>By default not every denied SELinux access is logged: some denials are silenced by dontaudit rules. To see them all, run the following command:<\/p>\n<pre class=\"code\">semodule -DB<\/pre>\n<p>New errors then appear:<\/p>\n<pre class=\"code\">May  4 15:23:26 vdi-nx setroubleshoot: SELinux is preventing sudo from write access on the netlink_audit_socket Unknown. For complete SELinux messages run: sealert -l d33ac926-e867-4f11-b224-e3d0ad4d8388\r\nMay  4 15:23:26 vdi-nx python: SELinux is preventing sudo from write access on the netlink_audit_socket Unknown.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that sudo should be allowed write access on the Unknown netlink_audit_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sudo' --raw | audit2allow -M my-sudo#012# semodule -i my-sudo.pp#012<\/pre>\n<p>The SELinux module must be recompiled, taking these new denials into account:<\/p>\n<pre class=\"code\">ausearch -c 'sudo' --raw | audit2allow -M Module_httpd_sudo2<\/pre>\n<p>The file Module_httpd_sudo2.te now contains new directives:<\/p>\n<pre class=\"code\">module Module_httpd_sudo2 1.0;\r\n\r\nrequire {\r\n        type httpd_sys_script_t;\r\n        class capability { setgid setuid sys_resource };\r\n        class process setrlimit;\r\n        class netlink_audit_socket { create write };\r\n}\r\n\r\n#============= httpd_sys_script_t ==============\r\n#!!!! This avc is allowed in the current policy\r\nallow httpd_sys_script_t self:capability { setgid setuid sys_resource };\r\n#!!!! This avc is allowed in the current policy\r\nallow httpd_sys_script_t self:netlink_audit_socket create;\r\nallow httpd_sys_script_t self:netlink_audit_socket write;\r\n#!!!! This avc is allowed in the current policy\r\nallow httpd_sys_script_t self:process setrlimit;\r\n<\/pre>\n<p>Once the module is reloaded, other denials appear. Repeat the operation as long as denials are reported.<\/p>\n<p>The reports about \u201csudo\u201d disappear, but others appear. They concern the commands:<\/p>\n<ul>\n<li class=\"level1\">\n<div class=\"li\">sh<\/div>\n<\/li>\n<li class=\"level1\">\n<div class=\"li\">iptables<\/div>\n<\/li>\n<li class=\"level1\">\n<div class=\"li\">unix_chkpwd<\/div>\n<\/li>\n<\/ul>\n<p>Build the SELinux modules for each of them following the same process as for \u201csudo\u201d (this is long: about fifteen iterations are needed).<\/p>\n<p>The resulting rules are:<\/p>\n<p><strong>Module_httpd_sudo2.te<\/strong><\/p>\n<pre class=\"code\">module Module_httpd_sudo2 1.0;\r\n\r\nrequire {\r\n        type httpd_sys_script_t;\r\n        type httpd_sys_rw_content_t;\r\n        class capability { audit_write setgid setuid sys_resource };\r\n        class process setrlimit;\r\n        class file { execute execute_no_trans };\r\n        class netlink_audit_socket { create nlmsg_relay read write };\r\n}\r\n\r\n#============= httpd_sys_script_t ==============\r\n\r\n#!!!! This avc is allowed in the current policy\r\nallow httpd_sys_script_t httpd_sys_rw_content_t:file { execute execute_no_trans };\r\n\r\n#!!!! This avc is allowed in the current policy\r\nallow httpd_sys_script_t self:capability { audit_write setgid setuid sys_resource };\r\n\r\n#!!!! This avc is allowed in the current policy\r\nallow httpd_sys_script_t self:netlink_audit_socket { create nlmsg_relay read write };\r\n\r\n#!!!! This avc is allowed in the current policy\r\nallow httpd_sys_script_t self:process setrlimit;<\/pre>\n<p><strong>Module_httpd_sh.te<\/strong><\/p>\n<pre class=\"code\">module Module_httpd_sh 1.0;\r\n\r\nrequire {\r\n        type httpd_sys_script_t;\r\n        type usermodehelper_t;\r\n        type httpd_t;\r\n        type sysctl_net_t;\r\n        type setroubleshootd_t;\r\n        type system_dbusd_t;\r\n        class process { noatsecure rlimitinh siginh };\r\n        class capability { dac_override dac_read_search net_admin };\r\n        class dir search;\r\n        class file { getattr open write };\r\n}\r\n\r\n#============= httpd_sys_script_t ==============\r\n\r\n#!!!! This avc is allowed in the current policy\r\nallow httpd_sys_script_t self:capability { dac_override dac_read_search net_admin };\r\n\r\n#!!!! This avc is allowed in the current policy\r\nallow httpd_sys_script_t sysctl_net_t:dir search;\r\nallow httpd_sys_script_t sysctl_net_t:file getattr;\r\n\r\n#!!!! This avc is allowed in the current policy\r\nallow httpd_sys_script_t sysctl_net_t:file { open write };\r\n#============= httpd_t ==============\r\n#!!!! This avc is allowed in the current policy\r\nallow httpd_t httpd_sys_script_t:process { noatsecure rlimitinh siginh };\r\n#============= setroubleshootd_t ==============\r\n#!!!! This avc is allowed in the current policy\r\nallow setroubleshootd_t usermodehelper_t:file getattr;\r\n#============= system_dbusd_t ==============\r\n#!!!! This avc is allowed in the current policy\r\nallow system_dbusd_t setroubleshootd_t:process { noatsecure rlimitinh siginh };\r\n<\/pre>\n<p><strong>Module_httpd_iptables.te<\/strong><\/p>\n<pre class=\"code\">module Module_httpd_iptables 1.0;\r\n\r\nrequire {\r\n        type proc_net_t;\r\n        type iptables_var_run_t;\r\n        type usermodehelper_t;\r\n        type proc_t;\r\n        type httpd_sys_script_t;\r\n        class capability net_raw;\r\n        class rawip_socket { create getopt setopt };\r\n        class file { getattr lock open read };\r\n        class filesystem getattr;\r\n}\r\n\r\n#============= httpd_sys_script_t ==============\r\n\r\n#!!!! This avc is allowed in the current policy\r\nallow httpd_sys_script_t iptables_var_run_t:file { lock open read };\r\n\r\n#!!!! This avc is allowed in the current policy\r\nallow httpd_sys_script_t proc_net_t:file getattr;\r\n\r\n#!!!! This avc is allowed in the current policy\r\nallow httpd_sys_script_t proc_t:filesystem getattr;\r\n\r\n#!!!! This avc is allowed in the current policy\r\nallow httpd_sys_script_t self:capability net_raw;\r\nallow httpd_sys_script_t self:rawip_socket setopt;\r\n\r\n#!!!! This avc is allowed in the current policy\r\nallow httpd_sys_script_t self:rawip_socket { create getopt };\r\n\r\n#!!!! This avc is allowed in the current policy\r\nallow httpd_sys_script_t usermodehelper_t:file { open read };\r\n<\/pre>\n<p><strong>Module_httpd_unix_chkpwd.te<\/strong><\/p>\n<pre class=\"code\">module Module_httpd_unix_chkpwd 1.0;\r\n\r\nrequire {\r\n        type chkpwd_t;\r\n        type sshd_t;\r\n        class process { noatsecure rlimitinh siginh };\r\n}\r\n\r\n#============= sshd_t ==============\r\nallow sshd_t chkpwd_t:process { noatsecure rlimitinh siginh };\r\n<\/pre>\n<p>Once all these SELinux modules are loaded, the PHP pages can run a bash script through sudo, a script that itself uses the iptables command.<\/p>\n<p>Note that these rules grant the httpd_sys_script_t domain, among others, the setuid, setgid, dac_override, net_admin and net_raw capabilities, which considerably widens what a web script may do; keep them to the rules the audit log actually shows are needed.<\/p>\n<p>Finally, silence the \u201cdontaudit\u201d denials in the audit log again:<\/p>\n<pre class=\"code\">semodule -B<\/pre>\n","protected":false},
"excerpt":{"rendered":"<p>Apache + calling the script \/bin\/irsend &#8211;&gt; create an SELinux security context module. Link: https:\/\/forums.fedoraforum.org\/showthread.php?283129-selinux-to-allow-running-irsend-from-apache Link: https:\/\/relativkreativ.at\/articles\/how-to-compile-a-selinux-policy-package Link: https:\/\/www.endpoint.com\/blog\/2013\/11\/20\/selinux-fix-for-sudo-pam There is no simple way to allow the Apache account to use sudo.<\/p>\n","protected":false},
"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-516","post","type-post","status-publish","format-standard","hentry","category-_systeme"],"_links":{"self":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/516","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=516"}],"version-history":[{"count":9,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/516\/revisions"}],"predecessor-version":[{"id":525,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=\/wp\/v2\/posts\/516\/revisions\/525"}],"wp:attachment":[{"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=516"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=516"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogperso.union31.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=516"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}