On Mon, 2006-05-15 at 14:23 -0400, Daniel J Walsh wrote:
> Paul Howarth wrote:
> > I've just moved my personal moin wiki from mod_python to FastCGI for
> > performance reasons (it's well worth it!). For people that don't know,
> > FastCGI works by starting up one or more copies of a CGI application
> > and then keeping them running, passing requests from server to
> > application over a socket. This avoids the startup overhead of the CGI
> > application for each request that is necessary with regular CGI.
> >
> > I needed the policy module below to get it working. I'm not sure what
> > exactly all of the "allows" are allowing, so advice would be welcome
> > (sample AVCs included).
> >
> > Regarding support for FastCGI in the standard policy, perhaps
> > appropriate rules could be added under a boolean httpd_enable_fastcgi
> > or even added to the features enabled with httpd_enable_cgi?
> >
> > policy_module(apache, 0.1.0)
> >
> > require {
> >         type httpd_sys_script_t;
> >         type httpd_log_t;
> >         type httpd_t;
> >         type devpts_t;
> >         type var_run_t;
> > };
> >
> > # ==========================================================
> > # Needed for mod_fcgid
> > # ==========================================================
> >
> > # This is the FastCGI application doing something to the httpd error log
> > # ----------------------------------------------------------------------
> > #type=AVC msg=audit(1147697748.197:15226): avc: denied { ioctl } for pid=15684 comm="python" name="error_log" dev=dm-4 ino=851988 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
> > #type=SYSCALL msg=audit(1147697748.197:15226): arch=40000003 syscall=54 success=no exit=-25 a0=1 a1=5401 a2=bffd4cf8 a3=bffd4d38 items=0 pid=15684 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
> > #type=AVC_PATH msg=audit(1147697748.197:15226): path="/var/log/httpd/error_log"
> > allow httpd_sys_script_t httpd_log_t:file ioctl;
>
> Would dontaudit work?

It appears to, yes.

> > # This is the FastCGI application listening for FastCGI requests on its socket
> > allow httpd_sys_script_t httpd_t:unix_stream_socket { accept getattr ioctl listen };
> >
> Might be worth creating a new type for this httpd_fastcgi_script_t???

Probably, yes. I found after turning on enforcing mode that I needed:

# This is the FastCGI application listening for FastCGI requests on its socket and communicating
allow httpd_sys_script_t httpd_t:unix_stream_socket { accept getattr ioctl listen read write };

> > # Not sure what this is doing
> > # ---------------------------
> > #type=AVC msg=audit(1147699050.131:15341): avc: denied { ioctl } for pid=16705 comm="httpd" name="2" dev=devpts ino=4 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
> > #type=SYSCALL msg=audit(1147699050.131:15341): arch=40000003 syscall=54 success=yes exit=0 a0=0 a1=5401 a2=bff4ee38 a3=bff4ee78 items=0 pid=16705 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
> > #type=AVC_PATH msg=audit(1147699050.131:15341): path="/dev/pts/2"
> > allow httpd_t devpts_t:chr_file ioctl;
> > # perhaps it should be term_ioctl_generic_ptys(httpd_t)
>
> Should probably be dontaudit. term_dontaudit_use_generic_ptys(httpd_t)
> ioctl not handled by this right now, but it would probably have been
> prevented if you were not running in permissive mode.

dontaudit seems to be OK here too.
> > # mod_fcgid setting attr of its socket dir
> > # ----------------------------------------
> > # type=AVC msg=audit(1147697688.037:15216): avc: denied { setattr } for pid=15656 comm="httpd" name="mod_fcgid" dev=dm-4 ino=458818 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
> > # type=SYSCALL msg=audit(1147697688.037:15216): arch=40000003 syscall=212 success=yes exit=0 a0=91aa148 a1=30 a2=ffffffff a3=30 items=1 pid=15656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
> > # type=CWD msg=audit(1147697688.037:15216): cwd="/"
> > # type=PATH msg=audit(1147697688.037:15216): item=0 name="/etc/httpd/run/mod_fcgid" flags=1 inode=458818 dev=fd:04 mode=040755 ouid=48 ogid=48 rdev=00:00
> > allow httpd_t var_run_t:dir setattr;
> >
> What dir is it doing this to? Should this directory be labeled
> httpd_var_run_t?

Yes, it should. /etc/httpd/run is a symlink to /var/run; I've created a
directory /var/run/mod_fcgid, which gets labelled var_run_t by default,
and mod_fcgid creates and uses sockets in that directory to communicate
with FastCGI applications, and these sockets get labelled
httpd_var_run_t, which I think is OK. If you can think of a better
place for this directory, let me know.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
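The conclusions of the thread pulled together as one module, as an added example that is neither Paul's posted module nor the Fedora policy: the two ioctl denials become dontaudit rules, the socket rule carries the read/write permissions needed under enforcing mode, and a file context entry labels /var/run/mod_fcgid as httpd_var_run_t instead of adding an allow on var_run_t. The module name apache_fcgi, the .fc entry and the explicit dir rule on httpd_var_run_t are assumptions.

```selinux
# apache_fcgi.te (hypothetical module name, kept distinct from the base apache module)
policy_module(apache_fcgi, 0.1.1)

require {
        type httpd_t;
        type httpd_sys_script_t;
        type httpd_log_t;
        type httpd_var_run_t;
        type devpts_t;
};

# FastCGI application (still running as httpd_sys_script_t) issuing an
# ioctl on the httpd error log: the call fails harmlessly (exit=-25 in
# the AVC), so silence it rather than grant it.
dontaudit httpd_sys_script_t httpd_log_t:file ioctl;

# FastCGI application serving requests on the socket mod_fcgid hands it;
# read and write were only found to be needed once enforcing mode was on.
allow httpd_sys_script_t httpd_t:unix_stream_socket { accept getattr ioctl listen read write };

# httpd issuing an ioctl on /dev/pts/N when started from a terminal: also
# noise. The interface covers the other pty permissions; ioctl is not in
# it, so it is listed explicitly.
term_dontaudit_use_generic_ptys(httpd_t)
dontaudit httpd_t devpts_t:chr_file ioctl;

# The setattr denial on var_run_t disappears once /var/run/mod_fcgid is
# labelled httpd_var_run_t (see the .fc entry below). This rule is an
# assumption in case the base policy does not already grant it; SELinux
# accepts a duplicate allow rule.
allow httpd_t httpd_var_run_t:dir setattr;

# apache_fcgi.fc: label the mod_fcgid socket directory and everything in it
/var/run/mod_fcgid(/.*)?	gen_context(system_u:object_r:httpd_var_run_t,s0)
```

Build with `make -f /usr/share/selinux/devel/Makefile`, load with `semodule -i apache_fcgi.pp`, then run `restorecon -R /var/run/mod_fcgid` so the existing directory picks up the new label.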