User Isolation with mod fcgid on CentOS / Redhat 6 in SELinux Enforced by Murat Ozdemir


Server Config:
+CentOS 6.2
+Apache 2
+mod_fcgid ( wget (version may be changed in near future)
+SELinux (Security-Enhanced Linux) admin tools ( yum install policycoreutils-python )

After installation, the vhost configuration in httpd.conf looks like this:

<VirtualHost *:80>
        SuexecUserGroup sablon sablon
        ServerAdmin admin@admin
        DocumentRoot "/var/www/sablon/public_html"
        ServerName sablon.domain
        ServerAlias www.sablon.domain
        CustomLog "|/usr/sbin/rotatelogs /var/log/httpd/access_logs/domains/sablon.domain.%Y-%m-%d.log 86400" combined env=!dontlog
        # php_admin_value is a mod_php directive: it is only accepted when mod_php is loaded
        # and it does not reach the php-cgi processes mod_fcgid starts (use their php.ini instead).
        php_admin_value upload_tmp_dir /var/www/sablon/tmp
        # Options must use either all +/- prefixes or none; a bare FollowSymLinks mixed with
        # -Indexes/+ExecCGI is a syntax error.
        <Directory "/var/www/sablon">
                Options -Indexes +FollowSymLinks +ExecCGI
                AllowOverride AuthConfig FileInfo
                Order allow,deny
                Allow from all
        </Directory>
        # <Directory> sections cannot be nested; the public_html section is a sibling.
        <Directory "/var/www/sablon/public_html">
                # Every .php request goes to the per-user wrapper, which suexec runs as sablon:sablon.
                AddHandler fcgid-script .php
                Options +ExecCGI
                FcgidWrapper /var/www/sablon/cgi-bin/fcgid .php
        </Directory>
</VirtualHost>

This is the fcgid wrapper script at the path given to FcgidWrapper:

#!/bin/sh
# suexec requires this file to be owned by the SuexecUserGroup user (sablon) and not writable by others.
# Set desired PHP_FCGI_* environment variables.
# Example (the value is not on the original page; mod_fcgid's documented sample uses 10000):
# PHP FastCGI processes exit after 500 requests by default.
PHP_FCGI_MAX_REQUESTS=10000
export PHP_FCGI_MAX_REQUESTS
# Replace with the path to your FastCGI-enabled PHP executable
exec /usr/bin/php-cgi

In general, with SELinux in permissive mode, this configuration works without problems. In our server environment, however, SELinux is already in enforcing mode. Under these conditions, requesting the page makes the server return 500 Internal Server Error to the browser, and nothing is written to audit.log. Only the usual errors appear in httpd's error log:

[Fri May 04 14:10:10 2012] [warn] [client] (104)Connection reset by peer: mod_fcgid: error reading data from FastCGI server
[Fri May 04 14:10:10 2012] [error] [client] Premature end of script headers: hGmO.php
X-Powered-By: PHP/5.3.3^M
Content-type: text/html

The cause is SELinux: by default, its policy does not permit suexec to run the wrapper as the low-privileged user.

(Figure: Php cgi defunct.jpg, process listing showing defunct php-cgi processes)

The figure shows that the php-cgi processes are left as zombies (defunct), and the requested PHP script no longer runs.

To work around this, we add httpd_suexec_t to the SELinux permissive domains. This requires the semanage tool, which is in policycoreutils-python.

To install the semanage command on CentOS / RedHat:

yum install policycoreutils-python

Then, to add httpd_suexec_t as a permissive SELinux domain:

semanage permissive -a httpd_suexec_t 

It works.
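The denial behind the 500 error is silent because dontaudit rules hide it, and making httpd_suexec_t permissive means every denial in that domain is logged but no longer enforced. The script below is an added example, not part of the original page: it extracts the denied domain and permission from AVC records and checks whether httpd_suexec_t is already in the permissive list, so the denial can be seen before (or instead of) exempting the whole domain. The audit record and the `semanage permissive -l` listing embedded in it are constructed samples; `--live` (as root) uses the real commands.

```shell
#!/bin/sh
# Added example, not part of the original page. Finds the SELinux denial behind
# the silent 500 error and checks whether httpd_suexec_t is already permissive.
# The audit record and "semanage permissive -l" listing below are constructed
# samples for offline use; "--live" (as root) uses the real commands instead.

# Print "domain permission" for each AVC denial record in $1, one per line.
avc_denials() {
    printf '%s\n' "$1" | grep 'avc:  denied' |
        sed -n 's/.*denied  { \([a-z_]*\) }.*scontext=[^:]*:[^:]*:\([a-z_]*\):.*/\2 \1/p'
}
# True when type $2 appears as its own line in the permissive listing $1.
is_permissive() {
    printf '%s\n' "$1" | grep -qx "$2"
}

# Constructed sample: one SYSCALL record (ignored) and one AVC record in which
# suexec, running in httpd_suexec_t, is denied executing the fcgid wrapper.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1336137010.123:4567): arch=c000003e syscall=59 success=no exit=-13 comm="suexec"
type=AVC msg=audit(1336137010.123:4567): avc:  denied  { execute_no_trans } for  pid=12345 comm="suexec" path="/var/www/sablon/cgi-bin/fcgid" scontext=system_u:system_r:httpd_suexec_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'
# Constructed sample of "semanage permissive -l" after the fix from this page.
SAMPLE_LIST='Builtin Permissive Types

Customized Permissive Types

httpd_suexec_t'

live_check() {
    # dontaudit rules hide many denials; disable them while reproducing the
    # request, then rebuild the policy to re-enable them.
    semodule -DB
    printf 'Request the PHP page now, then press Enter: '
    read _
    avc_denials "$(ausearch -m avc -ts recent 2>/dev/null)" | sort -u
    semodule -B
    if is_permissive "$(semanage permissive -l)" httpd_suexec_t; then
        echo "httpd_suexec_t is permissive: its denials are logged but no longer enforced."
    else
        echo "httpd_suexec_t is confined; a module built from these denials (audit2allow -M) keeps it that way."
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    avc_denials "$SAMPLE_AUDIT"
fi
```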

Murat Ozdemir