Paul Howarth wrote:
Daniel J Walsh wrote:
Jochen Wiedmann wrote:
Paul Howarth wrote:
The simplest fix might be to change the file context of this particular CGI script to httpd_unconfined_script_exec_t instead of httpd_sys_script_t. That would effectively turn off SELinux protection for that particular script.
The alternative approach of using audit2allow to create a local policy to allow these capabilities would turn on these capabilities for *all* of your CGI scripts, which IMHO would be worse than turning off protection for just that one script (particularly if that script was well-audited for security issues).
Ideally it would be easy to create a subclass of CGI scripts and assign special capabilities to those (I have a similar issue with FastCGI scripts that need slightly more capabilities than regular CGI scripts), but that's beyond me at this moment.
As the script in question can indeed be called well-audited (basically, it just allows one to trigger a certain action by calling another script with fixed attributes), I have decided to go with httpd_unconfined_script_exec_t. That did the trick neatly.
Thanks very much,
Jochen
Another alternative might be to write your own module. Create three files:
# cat >> myapache.te << _EOF
policy_module(myapache,1.0.0)
apache_content_template(myapache)
allow httpd_myapache_script_t self:capability setuid;
allow httpd_myapache_script_t self:process setrlimit;
_EOF
echo > myapache.if
# cat >> myapache.te << _EOF
That should be myapache.fc
/var/www/cgi-bin/myapache_script -- gen_context(system_u:object_r:httpd_myapache_script_exec_t,s0)
_EOF
Then build a policy module.
make -f /usr/share/selinux/devel/Makefile
semodule -i myapache.pp
restorecon -F -v /var/www/cgi-bin/myapache_script
Then try it out. Of course you might need additional rules.
I made something similar for my moin wiki running under mod_fcgid:
te file:
policy_module(apache, 0.2.1)
require {
type devpts_t;
type httpd_t;
type httpd_log_t;
type httpd_sys_script_exec_t;
type var_run_t;
};
# ==========================================================
# Create and use httpd_fastcgi_script_t for mod_fcgid apps
# ==========================================================
apache_content_template(fastcgi)
kernel_read_kernel_sysctls(httpd_fastcgi_script_t)
# Allow FastCGI applications to live alongside regular CGI apps
allow httpd_fastcgi_script_t httpd_sys_script_exec_t:dir { search_dir_perms };
# Allow FastCGI applications to listen for FastCGI requests on their
# sockets and respond to them
allow httpd_fastcgi_script_t httpd_t:unix_stream_socket { rw_stream_socket_perms };
# FastCGI application doing something to the httpd error log
dontaudit httpd_fastcgi_script_t httpd_log_t:file ioctl;
# Not sure what this is doing (happens when fastcgi scripts start)
dontaudit httpd_t devpts_t:chr_file ioctl;
# mod_fcgid setting attr of its socket dir
allow httpd_t var_run_t:dir setattr;
Why not create a context for its socket dir so you don't need this for var_run?
fc file:
/srv/www/tips/cgi-bin/moin.fcgi -- gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)
/var/www/tips/cgi-bin/moin.fcgi -- gen_context(system_u:object_r:httpd_fastcgi_script_exec_t,s0)
Paul.
I think it might be a good idea to add this (fastcgi that is) policy to base. Have you tried to submit it upstream?
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
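The procedure Dan describes (a .te, .if and .fc built around apache_content_template(), then make/semodule/restorecon) and Paul's FastCGI variant both follow the same recipe, so here is one script, written for this thread as an added example and not taken from either poster, that generates the three files for a per-application script domain and checks that the .fc label matches the type the template creates. The module name "myapp", the script path /var/www/cgi-bin/myapp.cgi and the output directory are assumptions; the build step only runs where the SELinux devel Makefile exists and is otherwise reported, since it needs selinux-policy-devel and root.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates a small policy module
# that confines one httpd script in its own httpd_NAME_script_t domain.
# Assumed names: module "myapp", script /var/www/cgi-bin/myapp.cgi.
set -eu

# gen_apache_script_module NAME SCRIPT_PATH OUTDIR [EXTRA_RULE ...]
# Writes NAME.te, NAME.if and NAME.fc into OUTDIR. Each EXTRA_RULE is one
# policy statement appended verbatim to the .te file.
gen_apache_script_module() {
    name=$1; script=$2; outdir=$3; shift 3
    mkdir -p "$outdir"
    {
        printf 'policy_module(%s, 1.0.0)\n\n' "$name"
        # apache_content_template(NAME) declares httpd_NAME_script_t,
        # httpd_NAME_script_exec_t and the matching content types.
        printf 'apache_content_template(%s)\n\n' "$name"
        for rule in "$@"; do
            printf '%s\n' "$rule"
        done
    } > "$outdir/$name.te"
    # The interface file may be empty, but the Makefile expects it to exist.
    : > "$outdir/$name.if"
    # Label only this one script with the new exec type; every other script
    # under cgi-bin keeps httpd_sys_script_exec_t from the base policy.
    printf '%s -- gen_context(system_u:object_r:httpd_%s_script_exec_t,s0)\n' \
        "$script" "$name" > "$outdir/$name.fc"
}

# check_module NAME OUTDIR: verify the .fc file labels the script with the
# type the template will create, so restorecon does not hit an unknown type.
check_module() {
    name=$1; outdir=$2
    grep -q "apache_content_template($name)" "$outdir/$name.te" || return 1
    grep -q "httpd_${name}_script_exec_t" "$outdir/$name.fc" || return 1
    [ -f "$outdir/$name.if" ] || return 1
}

# build_module NAME OUTDIR SCRIPT_PATH: build, load and relabel on a host
# with the policy development files; elsewhere only report the commands.
build_module() {
    name=$1; outdir=$2; script=$3
    if [ -f /usr/share/selinux/devel/Makefile ]; then
        (cd "$outdir" && make -f /usr/share/selinux/devel/Makefile "$name.pp")
        semodule -i "$outdir/$name.pp"
        restorecon -F -v "$script"
    else
        echo "no SELinux devel Makefile here; on the target host run:"
        echo "  make -f /usr/share/selinux/devel/Makefile $name.pp"
        echo "  semodule -i $name.pp && restorecon -F -v $script"
    fi
}

# Usage (constructed example): the setuid + setrlimit case from the thread.
demo_dir=${TMPDIR:-/tmp}/myapp-policy
gen_apache_script_module myapp /var/www/cgi-bin/myapp.cgi "$demo_dir" \
    'allow httpd_myapp_script_t self:capability setuid;' \
    'allow httpd_myapp_script_t self:process setrlimit;'
check_module myapp "$demo_dir" && echo "generated $demo_dir/myapp.te, .if and .fc"
```

Run `build_module myapp "$demo_dir" /var/www/cgi-bin/myapp.cgi` as root on the web server once the generated .te reads the way you want; extra rules, such as the socket and directory access Paul needed for mod_fcgid, are passed as additional arguments and end up scoped to httpd_myapp_script_t only, which is the point of the exercise compared with an audit2allow rule on httpd_sys_script_t.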