Denial Msg - apache, mogrify, perl, cgi, postgres, setenforce delay

Jonathan Hoover jonathanhoover at hotmail.com
Sun Nov 22 16:39:41 UTC 2009


Hello all,

One of our developers has a fairly simple script that uploads an image to a server, via a cgi perl script. The box is Fedora 11, all up to date. He is using the CGI and the File::Basename perl modules. He is also using mogrify from the ImageMagick package to change the width of the uploaded file, and save it as a thumbnail. This is called in perl via system("mogrify $args"). This seems to succeed, as the thumbnail file is created and valid. Finally, a record is added to a postgresql database.

What's puzzling is that with SELinux in permissive mode, all goes as expected, with the following messages logged. With it set to enforcing, though, we get an error from postgresql about more expressions than target columns, with what appears to be the filehandle to the image.

From /var/log/messages:

Nov 22 10:16:02 kilby setroubleshoot: SELinux is preventing mogrify (httpd_sys_script_t) "getsched" httpd_sys_script_t. For complete SELinux messages. run sealert -l 201e87d5-7250-4a96-a3ab-6b148b40f206


From /var/log/audit/audit.log, these two:

type=AVC msg=audit(1258906560.216:220051): avc:  denied  { getsched } for  pid=31641 comm="mogrify" scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:system_r:httpd_sys_script_t:s0 tclass=process


type=SYSCALL msg=audit(1258906560.216:220051): arch=40000003 syscall=242 success=no exit=-13 a0=7b99 a1=80 a2=bfe5a490 a3=80 items=0 ppid=31638 pid=31641 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=433 comm="mogrify" exe="/usr/bin/mogrify" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)


From my apache.err.log, only when SELinux is set to enforcing:

[Sat Nov 21 17:08:27 2009] [error] [client 64.198.x.x] DBD::Pg::st execute failed: ERROR:  INSERT has more expressions than target columns at /www/website/htdocs/modules//dbfunc.pl line 23, <fh00001testpicture.jpg> line 192., referer: http://64.198.x.x/add-listing.cgi


So, a few questions:

1. I notice a somewhat random delay of 10 to 30 minutes before the script works after a "setenforce 0". Likewise, it takes some amount of time after a "setenforce 1" before the script breaks. Is there supposed to be a delay? This makes troubleshooting very difficult, because you don't really know if it's enforcing yet or not. I noticed this message in /var/log/messages, and thought it might be related to the delay: Nov 22 09:57:33 kilby dbus: Can't send to audit system: USER_AVC avc:  received setenforce notice (enforcing=1)#012: exe="?" (sauid=81, hostname=?, addr=?, terminal=?)


2. What is the "getsched" action that mogrify is attempting?

3. Why the httpd_sys_script_t context?

4. Should the file upload and mogrify be creating files with a httpd_sys_content_rw_t context? The "rw" read/write part I was a little concerned by.

5. Any idea why this is throwing a postgres error? I would have expected the mogrify to not work given the error messages in /var/log/messages and /var/log/audit/audit.log - but that works just fine. Plus, the INSERT seems to be just fine actually, as I have the developer spitting that out in the page that is returned.

Thanks in advance,

Jon
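Added example, not code from the poster or the list: a small Python parser that correlates the two audit.log records quoted above by their event serial and decodes what was denied (permission, object class, syscall name, errno, and whether the kernel actually blocked the call). It assumes the i386 syscall table entry for number 242 and the standard errno numbering; the sample records are copied from the post.

```python
import errno
import re
from collections import defaultdict
# Constructed sample: the two audit.log records quoted in the post (both carry serial 220051).
AUDIT_LINES = [
    'type=AVC msg=audit(1258906560.216:220051): avc:  denied  { getsched } for  pid=31641 '
    'comm="mogrify" scontext=unconfined_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=unconfined_u:system_r:httpd_sys_script_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1258906560.216:220051): arch=40000003 syscall=242 success=no '
    'exit=-13 a0=7b99 a1=80 a2=bfe5a490 a3=80 items=0 ppid=31638 pid=31641 auid=0 uid=48 '
    'gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=433 comm="mogrify" '
    'exe="/usr/bin/mogrify" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)',
]
I386_SYSCALLS = {242: "sched_getaffinity"}  # partial i386 table; arch=40000003 is AUDIT_ARCH_I386
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
AVC_RE = re.compile(r'avc:\s+(granted|denied)\s+\{ ([^}]+) \}')

def parse_record(line):
    """Split one audit record into its key=value fields, event serial and AVC verdict."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["_event"] = EVENT_RE.search(line).group(1)
    m = AVC_RE.search(line)
    if m:
        fields["_verdict"], fields["_perms"] = m.group(1), m.group(2).split()
    return fields

def correlate(lines):
    """Merge AVC and SYSCALL records that share a serial and explain each denial."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        events[rec["_event"]].update(rec)
    out = {}
    for serial, ev in events.items():
        exit_code = int(ev.get("exit", "0"))
        nr = int(ev.get("syscall", "-1"))
        ctx = ev.get("scontext") or ev.get("subj", "?:?:?")
        out[serial] = {
            "comm": ev.get("comm"),
            "source_type": ctx.split(":")[2],  # SELinux domain the process ran in
            "tclass": ev.get("tclass"),
            "perms": ev.get("_perms", []),
            "syscall": I386_SYSCALLS.get(nr, str(nr)) if ev.get("arch") == "40000003" else str(nr),
            "errno": errno.errorcode.get(-exit_code, str(exit_code)),
            # success=no and a negative exit mean the kernel blocked the call (enforcing);
            # in permissive mode the AVC is still logged but the syscall reports success=yes.
            "enforced": ev.get("success") == "no" and exit_code < 0,
        }
    return out
```

The per-event `enforced` flag, derived from `success=no exit=-13` in the SYSCALL record, tells you whether a given denial was actually blocked at that moment, which is a more reliable check than the wall-clock time since `setenforce`.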