LinuxQuestions.org
Old 05-04-2006, 01:26 PM   #1
maxabbr
LQ Newbie
 
Registered: May 2006
Posts: 5

Rep: Reputation: 0
sudo doesn't work in PHP script


I installed Fedora Core 5 in place of Fedora Core 4. No problem with the installation, but I have a problem with a PHP script that calls the sudo command.

In that script I call the system() function of PHP to make an iptables insertion. In the previous FC4 it works fine with the following:

With visudo I give access to the apache user:
apache localhost=NOPASSWD:/sbin/iptables

In the PHP script I just call:
system("sudo /sbin/iptables -t nat -...");

In FC5, when I try the iptables add as root, all works fine. When I try:
root@fedora# sudo -u apache /sbin/iptables -t nat -...

I got an error that I fixed with (it's not required in FC4):
chmod +s /sbin/iptables

However, in the PHP script the iptables command fails, and in /var/log/messages I get some messages like this:
'avc: denied { create } comm="sudo" scontext=system_v:system_r:httpd_sys_script_t:s0 tcontext=system_v:system_r:httpd_sys_script_t:s0 tclass=netlink_route_socket'

I have no idea what to do. :-(
 
Old 05-04-2006, 10:37 PM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378
This is SELinux denying Apache the right to use sudo. SELinux is an extra security layer for the Linux kernel partially developed by the NSA. By default Red Hat ships a "targeted" policy that only interferes with a couple of commonly exploited services, Apache being one of them. You can either turn off SELinux or modify the policy to allow it to execute sudo. A quick Google search will help you figure out how to do this.

Be aware, though, that what you are doing is very dangerous and SELinux is denying it for good reason. Basically, even a small bug in your PHP script can lead to a system compromise if it can be exploited to pass unfiltered user data to the iptables command string. I certainly hope that you are properly sanitizing input to your PHP script!
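
One way to do the input sanitizing the reply above asks about, as an added example that is not part of the thread or the poster's script. The rule shape (a nat PREROUTING DNAT), the function name build_nat_rule and the sample inputs are assumptions, since the thread elides the real iptables arguments.

```php
<?php
// Added example, not the poster's script. The rule shape (a nat PREROUTING
// DNAT) is an assumption: the thread elides the real iptables arguments.

/**
 * Build the iptables command from untrusted input, or return null if any
 * field fails strict validation. Nothing is executed here.
 */
function build_nat_rule(string $srcIp, string $dstIp, string $dstPort): ?string
{
    // Accept only literal IPv4 addresses: no hostnames, CIDR, spaces or options.
    foreach ([$srcIp, $dstIp] as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            return null;
        }
    }
    // Port must be all digits and within 1..65535.
    if (!ctype_digit($dstPort) || strlen($dstPort) > 5) {
        return null;
    }
    $port = (int) $dstPort;
    if ($port < 1 || $port > 65535) {
        return null;
    }

    // Fixed argument template; user data only fills validated value slots.
    $argv = ['sudo', '-n', '/sbin/iptables', '-t', 'nat', '-A', 'PREROUTING',
             '-s', $srcIp, '-p', 'tcp', '--dport', (string) $port,
             '-j', 'DNAT', '--to-destination', "$dstIp:$port"];

    // Quote every argument as defence in depth before it reaches the shell.
    return implode(' ', array_map('escapeshellarg', $argv));
}

// Constructed sample inputs: one valid, three that must be rejected.
$samples = [
    ['192.0.2.10', '10.0.0.5', '8080'],
    ['192.0.2.10; id', '10.0.0.5', '80'],
    ['192.0.2.10', '10.0.0.5 -j ACCEPT', '80'],
    ['192.0.2.10', '10.0.0.5', '80$(id)'],
];
foreach ($samples as $s) {
    $cmd = build_nat_rule(...$s);
    echo $cmd === null ? "rejected: " . json_encode($s) . "\n" : "ok: $cmd\n";
    // A real caller would pass $cmd to system() only in the "ok" case.
}
```

Validation narrows what the script can send, but the sudoers line quoted in the first post still lets the apache user run /sbin/iptables with any arguments, so a bug elsewhere in the web application is not contained by this check alone.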
 
Old 05-05-2006, 11:22 AM   #3
maxabbr
LQ Newbie
 
Registered: May 2006
Posts: 5

Original Poster
Rep: Reputation: 0
Thanks, I found this one last night after reading some of the FC5 docs. As I say, this script is just for fun and I will never make something like it on a real server. But thanks for the advice!

Best regards,

Max
 
  

