SELinux is preventing $_POST variables on Amazon Linux 2

I began playing with RPM based OSes and I am really impressed.



  1. Amazon Linux doesn't include setroubleshoot in any of their repos. I want to use official repos for everything, otherwise I would just jump ship. I checked the logs and didn't see a "SELinux is preventing" error, but maybe I don't know what to look for.


  2. $_POST variables work when setenforce is set to permissive.


  3. My code works on Debian systems. My website is reachable on Amazon Linux but won't redirect correctly.


  4. I'm using httpd (what RPM calls apache2). apachectl configtest returns Syntax OK.


This is my code. It is index.php



<form action="index.php" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="hidden" name="hidden_value" value="true">
<input type="submit">
</form>


And then on the same page, I write some php.



<?php
if (isset($_POST['hidden_value'])) {

    /* Do the rest of your authentication math */

}
?>


Index.php redirects to index.php, and the $_POST variables handle the redirects. However, it only works when I set SELinux to permissive. I'd like to arm SELinux.



PS It does redirect, but it redirects with the $_POST variable unset.










  • Have you tested with the authentication routines actually removed? It might be php/httpd trying to access directories it's not allowed to.
    – Ulrich Schwarz
    Dec 7 at 8:12










  • Please post the SELinux messages from /var/log/audit/audit.log when trying to access the variable. This will provide a more clear picture.
    – hargut
    Dec 7 at 8:16










  • @ Mr. Schwarz How do I discover whether this is the case?
    – Cookie
    Dec 7 at 8:16











  • @ hargut. That folder does not exist in /var/log
    – Cookie
    Dec 7 at 8:19






  • Here is an overview on the available http related SELinux booleans: dwalsh.fedorapeople.org/SELinux/httpd_selinux.html Did you already enable httpd_enable_cgi?
    – hargut
    Dec 7 at 8:20














linux selinux aws

asked Dec 7 at 8:08 by Cookie, edited Dec 7 at 8:14











2 Answers
Thanks to Ulrich Schwarz and hargut for pointing me in the right direction. It was in fact a boolean. I enabled httpd_enable_cgi as suggested, and it still didn't work. Then I looked at the list of booleans using



sudo getsebool -a | grep httpd


That's how I found out that there is a boolean called



httpd_can_network_connect_db


and that it was turned off.



I turned it on by using



sudo setsebool httpd_can_network_connect_db=1


If anyone uses MySQL and is migrating from Debian to a Security Enhanced system, this is a prerequisite. So much to learn about SELinux. Thanks again.
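An added example, not code from the answer above: a POSIX shell script that reads the text of getsebool -a, reports which of the httpd booleans this thread touches are still off, and prints the persistent setsebool -P form (the bare setsebool name=1 in the answer does not survive a reboot). The getsebool output is constructed and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): report which httpd-related SELinux
# booleans are still off, given the text of `getsebool -a`, and print the
# persistent setsebool commands that would enable them.

# Constructed sample of `sudo getsebool -a | grep httpd` output (abridged),
# mirroring the answer: httpd_enable_cgi on, httpd_can_network_connect_db off.
SAMPLE_GETSEBOOL='httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_read_user_content --> off'

# Booleans a PHP page that only needs a database behind it should have on.
# httpd_can_network_connect is deliberately not listed: it lets httpd connect
# to any TCP port, whereas httpd_can_network_connect_db is scoped to the
# labelled database ports (mysqld_port_t, postgresql_port_t, ...).
WANTED='httpd_enable_cgi httpd_can_network_connect_db'

# booleans_off TEXT WANTED
# Prints, one per line, the wanted booleans whose state in TEXT is "off".
booleans_off() {
    text=$1
    for name in $2; do
        state=$(printf '%s\n' "$text" |
            awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        if [ "$state" = "off" ]; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# fix_commands TEXT WANTED
# Prints the setsebool invocations for every wanted boolean that is off.
# -P stores the value in the policy store so it survives a reboot; the bare
# `setsebool httpd_can_network_connect_db=1` from the answer is lost at reboot.
fix_commands() {
    booleans_off "$1" "$2" | while read -r name; do
        printf 'setsebool -P %s=1\n' "$name"
    done
}

# Stand-alone run against the constructed sample.
off=$(booleans_off "$SAMPLE_GETSEBOOL" "$WANTED")
if [ -z "$off" ]; then
    echo "all wanted httpd booleans are on"
else
    echo "booleans still off; enable them persistently with:"
    fix_commands "$SAMPLE_GETSEBOOL" "$WANTED"
fi
```

On a real host replace the constructed sample with the output of getsebool -a, and prefer the narrow httpd_can_network_connect_db over httpd_can_network_connect.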






Make sure to check /var/log/audit/audit.log for SELinux warnings. It might suggest what policy to enable.

Otherwise, you can set SELinux to permissive mode and then use the aforementioned logfile to build a custom policy encompassing all the needs of your application. In order to do this, set SELinux to permissive mode, use all the features of your code and then use audit2allow to generate a custom policy.

You can then bundle and distribute the policy file with your code so that SELinux will allow all and only the special permissions that your code needs:

    # generate a custom policy
    grep "AVC" /var/log/audit/audit.log | audit2allow -M yourapp
    # install that policy
    semodule -i yourapp.pp

Whatever you do, don't go into production with SELinux turned off!

Consider watching this awesome intro to SELinux: https://www.youtube.com/watch?v=_WOKRaM-HI4
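An added example, not code from the answer above: a POSIX shell script that summarises AVC denials from constructed audit records (both the audit.log form and the kernel-log form that dmesg shows when auditd is not installed, which is the situation behind "that folder does not exist" in the comments) and flags the denials that should get a human decision rather than being piped straight into audit2allow. The sample records and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original answer): summarise the AVC denials in
# audit-log text before handing anything to audit2allow, so each denial is
# matched to the narrowest fix (a boolean, a relabel, or a custom module)
# instead of being converted blindly into an allow rule.

# Constructed sample records. The first three are /var/log/audit/audit.log
# format; the fourth is the same event as the first, in the form the kernel
# log (dmesg / journalctl -k) shows it when auditd is not running.
SAMPLE_AUDIT='type=AVC msg=audit(1544170000.123:456): avc:  denied  { name_connect } for  pid=2874 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1544170000.456:457): avc:  denied  { write } for  pid=2874 comm="httpd" name="sessions" dev="xvda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1544170000.789:458): avc:  denied  { read } for  pid=2874 comm="httpd" name="shadow" dev="xvda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
[  123.456789] audit: type=1400 audit(1544170000.123:456): avc:  denied  { name_connect } for  pid=2874 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1544170000.789:458): arch=c000003e syscall=2 success=yes exit=5 comm="httpd" subj=system_u:system_r:httpd_t:s0'

# avc_summary TEXT
# Prints one line per distinct denial: "source_type tclass permissions target_type".
# Only lines containing "avc: denied" are considered, so SYSCALL records and
# the kernel-log prefix are ignored; duplicates collapse via sort -u.
avc_summary() {
    printf '%s\n' "$1" | awk '
        function tail(re, n) { return match($0, re) ? substr($0, RSTART + n, RLENGTH - n) : "?" }
        /avc: +denied/ {
            perms = tail("[{] [^}]* [}]", 2); sub(/ [}]$/, "", perms)
            split(tail("scontext=[^ ]+", 9), s, ":")
            split(tail("tcontext=[^ ]+", 9), t, ":")
            print s[3], tail("tclass=[^ ]+", 7), perms, t[3]
        }' | sort -u
}

# avc_review TEXT EXPECTED_TARGET_TYPES
# Prints the summary lines whose target type is not in the space-separated
# expected list: these need a decision before audit2allow sees them.
avc_review() {
    avc_summary "$1" | awk -v ok="$2" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) okset[a[i]] = 1 }
        !($4 in okset)'
}

# Stand-alone run. In this sample:
#  - name_connect to mysqld_port_t is exactly what httpd_can_network_connect_db
#    covers, so the fix is that boolean, not a custom module;
#  - write to httpd_sys_content_t is better fixed by relabelling the directory
#    httpd_sys_rw_content_t than by an allow rule on read-only content;
#  - read of shadow_t is not something a web application should be granted.
echo "distinct denials:"
avc_summary "$SAMPLE_AUDIT"
echo "needing review (target type not in the known-good list):"
avc_review "$SAMPLE_AUDIT" "mysqld_port_t"
```

Only the denials that survive this review belong in the grep | audit2allow -M pipeline from the answer; the rest are booleans, relabels, or genuine bugs.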






    • awesome. Thanks.
      – Cookie
      Dec 7 at 9:12










Answer by Cookie: answered Dec 7 at 8:59, edited Dec 7 at 9:10

Answer by znpy: answered Dec 7 at 9:04, edited Dec 7 at 12:20 by Rui F Ribeiro
