On Wed, 2009-03-11 at 10:01 -0700, Vadym Chepkov wrote:
> Hello,
>
> mediawiki software has the following script, ImageMagick gets invoked using it:
>
> $ cat /var/www/mediawiki/bin/ulimit4.sh
> #!/bin/bash
>
> ulimit -t $1 -v $2 -f $3
> eval "$4"
>
>
> I added
> /var/www/mediawiki/bin/.* regular file system_u:object_r:httpd_sys_script_exec_t:s0
>
> into local policy. I receive the following AVC denial:
>
> type=AVC msg=audit(1236789583.906:576443): avc: denied { read } for pid=22724 comm="ulimit4.sh" path="eventpoll:[10101538]" dev=eventpollfs ino=10101538 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file
>
> audit2allow suggests the following:
>
> allow httpd_sys_script_t httpd_t:file read;
>
> but it doesn't seem right to me. I don't want to make it httpd_unconfined_script_exec_t, does anyone have a better suggestion?

Looks like it wants to read some httpd process info.

As far as I am concerned you can allow this access with a local policy:

echo 'avc: denied { read } for pid=22724 comm="ulimit4.sh" path="eventpoll:[10101538]" dev=eventpollfs ino=10101538 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file' | audit2allow -M myhttpdsysscript; /usr/sbin/semodule -i myhttpdsysscript.pp

Mind the line breaks.

To undo: semodule -r myhttpdsysscript

You can also run this script in a unique domain. This would require you to write policy for it. Something like:

mkdir ~/mediawikiscript; cd ~/mediawikiscript;
echo "policy_module(mediawikiscript, 0.0.1)" > mediawikiscript.te
echo "apache_content_template(mediawikiscript)" >> mediawikiscript.te
echo "allow httpd_mediawikiscript_script_t httpd_t:file read;" >> mediawikiscript.te
echo "/var/www/mediawiki/bin/.* gen_context(system_u:object_r:httpd_mediawikiscript_script_exec_t,s0)" > mediawikiscript.fc

(watch the line breaks)

make -f /usr/share/selinux/devel/Makefile
semodule -i mediawikiscript.pp
restorecon -R -v /var/www/mediawiki/bin/

> Thank you.
>
> Sincerely yours,
> Vadym Chepkov

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
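The two approaches in the reply (let audit2allow derive an allow rule from the denial, or build a separate domain with apache_content_template) both start from the same parsing step: pull the source type, target type, object class and permissions out of the AVC record. The following POSIX shell script is an added example, not code from the thread or from the SELinux tooling; it reproduces that derivation so the rule can be read and reviewed before anything is loaded, and writes the .te/.fc pair for the unique-domain variant into a directory of your choosing. The sample AVC line is a constructed copy of the one quoted above; the function names (avc_field, avc_to_allow, write_module) and the module layout are this example's own. Building and loading the module still needs the policy devel Makefile and semodule on the target host, which the script deliberately does not run.

```shell
#!/bin/sh
# Added example (not from the thread): derive the allow rule for an AVC
# denial and lay out a small policy module for review before loading it.
set -e

# Constructed copy of the denial quoted in the thread, embedded so the
# script runs offline without reading /var/log/audit/audit.log.
AVC_SAMPLE='type=AVC msg=audit(1236789583.906:576443): avc: denied { read } for pid=22724 comm="ulimit4.sh" path="eventpoll:[10101538]" dev=eventpollfs ino=10101538 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=file'

# avc_field LINE KEY: value of the KEY=value token in an AVC record.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) { print substr($i, length(key) + 2); exit }
    }'
}

# ctx_type CONTEXT: the type field of user:role:type[:level].
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow LINE [SRC]: the allow rule audit2allow would emit for one
# denial. SRC optionally replaces the source type, which is what you need
# when the rule goes into a module that defines its own script domain.
avc_to_allow() {
    perms=$(printf '%s\n' "$1" | sed -n 's/.*denied { *\([^}]*\)}.*/\1/p' | sed 's/ *$//')
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 1
    [ -n "$2" ] && src=$2
    case $perms in
        *' '*) perms="{ $perms }" ;;   # several permissions need braces
    esac
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# write_module DIR NAME LINE: write NAME.te and NAME.fc under DIR for the
# unique-domain approach (apache_content_template gives the script its own
# httpd_NAME_script_t domain). Review the files, then on the host:
#   make -f /usr/share/selinux/devel/Makefile && semodule -i NAME.pp
#   restorecon -R -v /var/www/mediawiki/bin/
# Prints the path of the .te file.
write_module() {
    dir=$1; name=$2; line=$3
    rule=$(avc_to_allow "$line" "httpd_${name}_script_t") || return 1
    {
        printf 'policy_module(%s, 0.0.1)\n\n' "$name"
        printf 'apache_content_template(%s)\n\n' "$name"
        printf '%s\n' "$rule"
    } > "$dir/$name.te"
    # Path regex is the one from the thread; the exec type name is what the
    # template generates for NAME.
    printf '/var/www/mediawiki/bin/.*\tgen_context(system_u:object_r:httpd_%s_script_exec_t,s0)\n' \
        "$name" > "$dir/$name.fc"
    printf '%s\n' "$dir/$name.te"
}

# Stand-alone run: show the rule for the sample denial and the module files.
if [ "${1:-}" = "--demo" ]; then
    avc_to_allow "$AVC_SAMPLE"
    d=$(mktemp -d)
    te=$(write_module "$d" mediawikiscript "$AVC_SAMPLE")
    cat "$te" "$d/mediawikiscript.fc"
fi
```

Run it with `--demo` to see the derived rule and the generated module; the rule for the sample denial matches the one audit2allow suggested in the thread, and the .te for the separate domain carries the same rule with the template's script type as source. Keep the generated files under review before loading: the allow rule grants exactly the access that was denied, and the .fc relabels only the script directory.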