
#1 2019-06-07 15:02:35

lagep
Member
Registered: 2019-06-07
Posts: 4

GLPI and SELinux httpd_execmem denied

Hello,

I'd like to ask for help with investigation of an audit log error message.

SELinux reports a violation caused by the httpd process during regular work in the GLPI application, but it seems to have no effect on the operation of GLPI.

We do experience this kind of error in the audit log files in versions 9.3.2 and 9.4.2. As it does not seem to be related to a release version, I'm not sure where the cause could lie:
- apache / php config or extensions
- php scripts of GLPI application itself


Here is our configuration...
---
Version: GLPI     9.4.2
FusionInventory    9.4+1.1
Installation from TARBALL

PHP Version     PHP/7.2.19
PHP Extension     20170718
Zend Extension     320170718
Zend Engine     v3.2.
Zend OPcache     v7.2.19
Zend         opcache.protect_memory    0

Apache Version     Apache/2.4.6 (CentOS)
Apache API     20120211

CentOS Linux release 7.6.1810 (Core)
Linux kernel 3.10.0-957.12.2.el7.x86_64
---               


How we identified the issue...

# tail -n 999 /var/log/audit/audit.log |grep denied |grep httpd |tail 
type=AVC msg=audit(1559906044.971:414040): avc:  denied  { execmem } for  pid=13215 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0

# grep SELinux /etc/httpd/logs/glpi/error.log
[Thu Jun 07 13:10:57.038237 2019] [core:notice] [pid 13215] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0

# ausearch -l -i | grep httpd
type=PROCTITLE msg=audit(06/07/2019 13:14:04.971:414040) : proctitle=/usr/sbin/httpd -d /etc/httpd_glpi -DFOREGROUND 
-
type=SYSCALL msg=audit(06/07/2019 13:14:04.971:414040) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied)
a0=0x0 a1=0x10000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_ANONYMOUS items=0 
ppid=13202 pid=13215 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset 
comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) 
-
type=AVC msg=audit(06/07/2019 13:14:04.971:414040) : avc:  denied  { execmem } for  pid=13215 comm=httpd 
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0 

# semanage boolean -l |grep httpd |grep mem
httpd_execmem                  (off  ,  off)  Allow httpd to execmem

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

Looking for answer...

httpd_execmem is disabled by default. To allow httpd to execute files, enable the SELinux boolean httpd_execmem: setsebool -P httpd_execmem 1

When enabled, this Boolean allows httpd to execute programs that require memory addresses that are both executable and writable.
Enabling this Boolean is not recommended from a security standpoint as it reduces protection against buffer overflows,
however certain modules and applications (such as Java and Mono applications) require this privilege.

This usually isn't something that happens to httpd by itself, this is something that your application, which httpd is running, has attempted to do. 
The real problem is that there is a memory region which can be written to and executed.  This will allow code injection.

A brief look at the GLPI documentation and a Google search show that the "execmem" policy should stay disabled.
Do you have any clue how to get rid of this audit reporting without simply enabling the respective semanage boolean?
I believe GLPI and its plugins don't need that functionality, or do they?

I'd appreciate your insights,

Thank you.

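The records quoted in the post come in two shapes: the raw `/var/log/audit/audit.log` line and the interpreted `ausearch -i` form. The following parser and triage routine is an added example (not code from the thread, from GLPI or from SELinux tooling): it reads both shapes, extracts the source and target types from the contexts, and for the one case this thread is about (an `execmem` denial on the `process` class in `httpd_t`) names the governing boolean and the thing to check first. The sample records are constructed from the post's lines; the interpreted copy has `permissive=1` altered so the permissive branch is exercised, and the `name_connect` record is made up to show an unrelated denial passing through untouched.

```python
"""Parse and triage SELinux AVC records like the ones quoted in the post above.

Added example, not from the thread or from GLPI. Handles both the raw
audit.log form and the `ausearch -i` interpreted form.
"""
import re
from typing import Any, Dict, List, Optional

# Constructed sample records: the raw line from the post, its SYSCALL
# companion, an interpreted copy (permissive flipped to 1 on purpose), and an
# unrelated, made-up name_connect denial. PIDs and serials are illustrative.
SAMPLE_RECORDS = """\
type=AVC msg=audit(1559906044.971:414040): avc:  denied  { execmem } for  pid=13215 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1559906044.971:414040): arch=c000003e syscall=9 success=no exit=-13
type=AVC msg=audit(06/07/2019 13:14:04.971:414040) : avc:  denied  { execmem } for  pid=13215 comm=httpd scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1559906050.123:414041): avc:  denied  { name_connect } for  pid=13216 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
"""

# The timestamp is matched lazily because the interpreted form contains
# colons inside it ("06/07/2019 13:14:04.971"); the serial is the last field.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>.+?):(?P<serial>\d+)\)\s*:\s*avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; comm is quoted in the raw form and bare in the interpreted form.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Parse one AVC record into a dict; returns None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, Any] = {
        "serial": m["serial"],
        "result": m["result"],
        "perms": m["perms"].split(),
    }
    for key, val in FIELD_RE.findall(m["fields"]):
        rec[key] = val.strip('"')
    # A context reads user:role:type:level; policy rules key on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def triage(rec: Dict[str, Any]) -> Dict[str, str]:
    """Summarise what was attempted, whether enforcing mode stopped it, and,
    for the httpd_t execmem case from the thread, which boolean governs it."""
    perms = " ".join(rec["perms"])
    enforced = rec["result"] == "denied" and rec.get("permissive") == "0"
    out = {
        "serial": str(rec["serial"]),
        "comm": str(rec.get("comm", "?")),
        "attempt": f"{rec['stype']} -> {rec['ttype']} {rec['tclass']} {{ {perms} }}",
        "enforced": "yes" if enforced else "no (permissive domain or granted)",
    }
    if rec["tclass"] == "process" and "execmem" in rec["perms"] and rec["stype"] == "httpd_t":
        # execmem = anonymous mapping requested PROT_WRITE|PROT_EXEC, as the
        # SYSCALL record in the post shows. httpd_execmem would allow it; the
        # thread's answer is to find the JIT-compiling component (pcre.jit)
        # and leave the boolean off.
        out["boolean"] = "httpd_execmem"
        out["note"] = "W+X anonymous mapping; check pcre.jit and other JIT modules before toggling the boolean"
    return out


def scan(text: str) -> List[Dict[str, str]]:
    """Triage every denied AVC record in a chunk of audit log text."""
    findings = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            findings.append(triage(rec))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Feed it `grep AVC /var/log/audit/audit.log` or `ausearch -m avc -i` output; only the `httpd_t` + `execmem` case is mapped to a boolean here, every other denial is just summarised.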

#2 2019-06-07 16:07:52

remi
GLPI-DEV
From: Champagne
Registered: 2007-04-28
Posts: 7,127

Re: GLPI and SELinux httpd_execmem denied

How was PHP installed?

What is the value of pcre.jit?


Dev. Fedora 29 - PHP 5.6/7.0/7.1/7.2/7.3/7.4 - MariaDB 10.3 - GLPI master
ITILv3 certified - RPM for Fedora, RHEL and CentOS at https://blog.remirepo.net/


#3 2019-06-07 16:23:37

lagep
Member
Registered: 2019-06-07
Posts: 4

Re: GLPI and SELinux httpd_execmem denied

PHP was installed by package management from the CentOS repository.

The pcre.jit both values Local/Master are set to 1.


#4 2019-06-07 16:41:38

lagep
Member
Registered: 2019-06-07
Posts: 4

Re: GLPI and SELinux httpd_execmem denied

# grep 'pcre.jit' /etc/php*
grep: /etc/php.d: Is a directory
/etc/php.ini:                   ## here, no definition at all.
/etc/php.ini.rpmnew:pcre.jit=0  ## defined but this conf file was not used.

Okay, I'm getting the point.

As I've read, "This takes away the vulnerability at the cost of slower execution" ... is it safe for the application to turn it off, then?

Thanks.


#5 2019-06-08 06:51:41

remi
GLPI-DEV
From: Champagne
Registered: 2007-04-28
Posts: 7,127

Re: GLPI and SELinux httpd_execmem denied

> PHP was installed by package management from the CentOS repository.

No.
The CentOS repository doesn't have 7.2 (well, centos-scl has it, but as software collections).

> As I've read, "This takes away the vulnerability at the cost of slower execution" ... is it safe for the application to turn it off, then?

Yes, always use the provided configuration (so the .rpmnew), which is designed to work... and NEVER change php.ini, to avoid such issues on update (create php.d/something.ini for your settings).

Last edited by remi (2019-06-08 06:52:52)



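The advice above rests on how PHP composes its configuration: php.ini is read first, then every `*.ini` in the scan directory (`/etc/php.d` on CentOS) in alphabetical order, with later files overriding earlier ones. The following is an added example, not GLPI or remirepo code; it models that merge (load order as the PHP manual describes for PHP_INI_SCAN_DIR) and contrasts two constructed scenarios: a hand-edited php.ini that dropped the `pcre.jit=0` line, so PHP falls back to its built-in default, versus the packaged php.ini left intact with local settings in a drop-in. File names, file contents and the assumed PHP default for `pcre.jit` are all assumptions made for the demonstration.

```python
"""Effective PHP ini value after php.ini plus scan-dir drop-ins.

Added example, not from the thread, GLPI or remirepo. Load order follows the
PHP manual (php.ini, then PHP_INI_SCAN_DIR files alphabetically, last wins).
"""
from typing import Dict, Tuple


def parse_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini reader: key = value lines, ';' comments, [sections] skipped.
    Enough for flag settings like pcre.jit; no ${ENV} expansion or quoted ';'."""
    out: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        if "=" in line:
            key, val = line.split("=", 1)
            out[key.strip()] = val.strip().strip('"')
    return out


def effective_ini(php_ini: str, scan_dir: Dict[str, str]) -> Dict[str, str]:
    """Merge php.ini with scan-dir files in the order PHP applies them."""
    merged = parse_ini(php_ini)
    for name in sorted(scan_dir):          # alphabetical, as PHP loads them
        if name.endswith(".ini"):
            merged.update(parse_ini(scan_dir[name]))
    return merged


# Assumption: PHP 7.x enables pcre.jit when no ini file sets it.
PCRE_JIT_DEFAULT = "1"


def pcre_jit_enabled(settings: Dict[str, str]) -> bool:
    """True when the effective configuration leaves PCRE's JIT on, which is
    what asks httpd for writable+executable memory (the execmem denial)."""
    return settings.get("pcre.jit", PCRE_JIT_DEFAULT).lower() in ("1", "on", "true", "yes")


# Constructed scenario 1: php.ini edited by hand (hence the .rpmnew) and the
# pcre.jit line lost, so the built-in default applies.
EDITED_PHP_INI = "[PHP]\nmemory_limit = 512M\n; pcre.jit line removed by hand\n"

# Constructed scenario 2: packaged php.ini untouched (carries pcre.jit=0),
# local overrides in a hypothetical /etc/php.d/zz-glpi.ini drop-in.
PACKAGED_PHP_INI = "[PHP]\nmemory_limit = 128M\npcre.jit=0\n"
LOCAL_DROPIN = {"zz-glpi.ini": "memory_limit = 512M\n"}


def compare() -> Tuple[bool, bool]:
    """(JIT on with edited php.ini?, JIT on with packaged php.ini + drop-in?)"""
    edited = effective_ini(EDITED_PHP_INI, {})
    packaged = effective_ini(PACKAGED_PHP_INI, LOCAL_DROPIN)
    return pcre_jit_enabled(edited), pcre_jit_enabled(packaged)


if __name__ == "__main__":
    jit_edited, jit_packaged = compare()
    print(f"edited php.ini, no drop-in : pcre.jit enabled = {jit_edited}")
    print(f"packaged php.ini + drop-in : pcre.jit enabled = {jit_packaged}")
```

The drop-in raises `memory_limit` without touching `pcre.jit`, and because the packaged php.ini is never edited, the next RPM update replaces it cleanly instead of leaving a `.rpmnew` behind.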

#6 2019-06-08 06:53:50

remi
GLPI-DEV
From: Champagne
Registered: 2007-04-28
Posts: 7,127

Re: GLPI and SELinux httpd_execmem denied

> Installation from TARBALL

And also use the RPM of GLPI, which provides out-of-the-box SELinux integration.

Last edited by remi (2019-06-08 06:54:15)




#7 2019-06-10 07:55:19

lagep
Member
Registered: 2019-06-07
Posts: 4

Re: GLPI and SELinux httpd_execmem denied

Okay, understood.

I do appreciate your help in this.
Thanks for all your answers.
