I recently set up a Fedora 44 server in my home lab. I started Apache on it and installed PHP and php-fpm. I put a PHP website (SPIP) in /var/www/html.
All the files and folders of the website are owned by the apache user and have the security context system_u:object_r:httpd_sys_content:s0, except a few folders that have the system_u:object_r:httpd_sys_rw_content:s0 context.
I wanted to check whether SELinux was indeed limiting the actions of an intruder should the worst happen. In order to test this, I put a simple webshell at the base of the /var/www/html folder. It calls the PHP function system with whatever you send to the webshell as an argument. The webshell has the same security context as the other files.
To my surprise, the webshell runs smoothly: I can call binaries like sleep or touch. I had a look at the process tree and noticed that, when a command is sent to the webshell, one of the php-fpm processes, running in the httpd_t domain, had a child process running sh -c -- <command sent to the webshell>, also in the httpd_t domain.
My question is: how is this possible? I was expecting this webshell to fail entirely, since a process in the httpd_t domain cannot execute files of type bin_t. So how can php-fpm run the binary /bin/sh, which belongs to this type? What am I missing?
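Whatever the explanation turns out to be, the reliable way to find out what a confined domain may do is to query the loaded policy rather than reason from type names. The script below is an added example, not part of the question above and not code from the SPIP or Fedora projects. It assumes an SELinux-enabled host with the setools `sesearch` tool and policycoreutils `getsebool` installed; the rule lines used in the comments and checks are constructed samples written in sesearch's output format, not output captured from the poster's server. The `rule_perms` / `rule_grants_execute` helpers work on any saved sesearch output, so they run even where SELinux is absent.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit what the loaded SELinux
# policy actually grants the httpd_t domain, and list live processes confined
# to it that are running a shell. Assumes setools (sesearch) and
# policycoreutils (getsebool) are installed; missing tools are skipped.

# Print the permission set of one sesearch allow rule, one permission per line.
# Handles both the braced form
#   allow httpd_t bin_t:file { execute getattr open read };
# and the single-permission form
#   allow httpd_t bin_t:file execute;
# (both lines above are constructed samples in sesearch's output format).
rule_perms() {
    local perms
    perms=$(printf '%s\n' "$1" | sed -n 's/.*{\(.*\)}.*/\1/p')
    if [ -z "$perms" ]; then
        perms=$(printf '%s\n' "$1" | sed -n 's/^allow [^ ]* [^ ]*:[^ ]* \([^ ;]*\);.*/\1/p')
    fi
    # Unquoted expansion splits on whitespace: one permission per line.
    printf '%s\n' $perms
}

# Return 0 if the rule grants the bare 'execute' permission
# ('execute_no_trans' alone does not count).
rule_grants_execute() {
    rule_perms "$1" | grep -qx execute
}

# Live query: does the loaded policy let httpd_t execute bin_t files, and does
# doing so leave the process in httpd_t (no domain transition)?
httpd_can_exec_bin() {
    sesearch -A -s httpd_t -t bin_t -c file -p execute 2>/dev/null \
        | grep '^allow httpd_t bin_t:file' \
        | while IFS= read -r rule; do
              rule_grants_execute "$rule" && exit 0
          done
}

audit_httpd_domain() {
    if ! command -v sesearch >/dev/null 2>&1; then
        echo "sesearch not found (package setools-console); skipping live policy query" >&2
        return 0
    fi
    echo "== allow rules: httpd_t -> bin_t:file with execute =="
    sesearch -A -s httpd_t -t bin_t -c file -p execute
    echo "== type transitions out of httpd_t when executing bin_t =="
    sesearch -T -s httpd_t -t bin_t -c process
    echo "== httpd_* booleans currently switched on =="
    getsebool -a 2>/dev/null | grep '^httpd_.* on$' || true
    echo "== processes confined to httpd_t whose command is a shell =="
    ps -eo label,pid,ppid,comm 2>/dev/null \
        | awk '$1 ~ /:httpd_t:/ && $4 ~ /^(sh|bash|dash)$/' || true
    if httpd_can_exec_bin; then
        echo "result: policy grants httpd_t execute on bin_t files"
    else
        echo "result: no allow rule found for httpd_t executing bin_t files"
    fi
}

audit_httpd_domain
```

The last section of the audit is the detection half of the exercise: a shell process whose label is httpd_t and whose parent is php-fpm is exactly the footprint the poster observed, and it is cheap to poll for or to feed into a host monitoring rule. The `-T` query matters as much as the `-A` one, because an allowed execute with no `type_transition` is what keeps the child in the caller's domain.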
