Hi Vadym, On 19/07/09 04:35, Vadym Chepkov wrote:
I have a script, executed by apache, which is running in the httpd_svn_script_t domain. This script calls svn-mailer (bin_t), which in turn calls /usr/sbin/sendmail.sendmail (sendmail_exec_t); since there is no transition defined, sendmail keeps running in httpd_svn_script_t and I get a huge number of AVC denials. What would be the proper rule to add to the local policy to make sendmail run in its proper domain, sendmail_t? And for that matter, if httpd_can_sendmail is on, shouldn't that be happening automatically? Thank you. Sincerely yours, Vadym Chepkov
I'm just back off vacation and saw your email. Funnily enough I wrote an svnmailer policy a few weeks ago, so it would be interesting to compare notes:
I've actually split it into two modules, svnmailer for the policy itself, and svnmailer-extras for additional interfaces needed in other policy modules. I find this arrangement is easier to manage when getting policy merged upstream.
I labelled my hook scripts httpd_sys_script_exec_t, so they run as httpd_sys_script_t, and transition from there to httpd_svnmailer_script_t via the svnmailer_domtrans interface (called from the svnmailer-extras module below). The svn repository itself is httpd_sys_content_rw_t.
Paul.
# svnmailer.fc -- file contexts for the svn-mailer policy module.
#
# The svn-mailer executable is the entry point of the
# httpd_svnmailer_script_t domain (svnmailer_domtrans in svnmailer.if
# transitions on this label); the log directory and everything under it
# carries svnmailer_log_t so the script domain can create and write logs
# there without touching generic var_log_t files.
/usr/bin/svn-mailer		--	gen_context(system_u:object_r:httpd_svnmailer_script_exec_t,s0)

/var/log/svnmailer(/.*)?		gen_context(system_u:object_r:svnmailer_log_t,s0)
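## <summary>policy for svn-mailer</summary>

########################################
## <summary>
##	Execute a domain transition to run svn-mailer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`svnmailer_domtrans',`
	gen_require(`
		type httpd_svnmailer_script_t, httpd_svnmailer_script_exec_t;
	')

	# svn-mailer lives under /usr/bin (bin_t); the caller must be able to
	# search the bin directories to reach the executable at all.
	corecmd_search_bin($1)

	# domtrans_pattern() is the refpolicy idiom for an automatic transition:
	# it bundles domain_auto_trans() with the fd use, fifo rw and sigchld
	# rules that were previously spelled out by hand, so the set stays
	# consistent with every other *_domtrans interface.
	domtrans_pattern($1, httpd_svnmailer_script_exec_t, httpd_svnmailer_script_t)
')

########################################
## <summary>
##	Allow the specified domain to create, read, write and
##	delete svnmailer log files and directories, and to
##	have new entries under /var/log labelled svnmailer_log_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`svnmailer_manage_log',`
	gen_require(`
		type svnmailer_log_t;
	')

	manage_dirs_pattern($1, svnmailer_log_t, svnmailer_log_t)
	manage_files_pattern($1, svnmailer_log_t, svnmailer_log_t)
	# files/dirs the caller creates directly in the log directory are
	# labelled svnmailer_log_t instead of inheriting the parent's type
	logging_log_filetrans($1, svnmailer_log_t, { file dir })
')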
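policy_module(svnmailer, 0.1.5)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Allow svn-mailer to deliver mail by connecting directly to an
##	SMTP server over TCP.  When this is off, svn-mailer can still
##	hand mail to /usr/sbin/sendmail, which is always permitted.
##	</p>
## </desc>
gen_tunable(svnmailer_use_smtp, true)

# log files
type svnmailer_log_t;
logging_log_file(svnmailer_log_t)

# tmp files
type svnmailer_tmp_t;
files_tmp_file(svnmailer_tmp_t)

########################################
#
# svnmailer local policy
#
# Use of svnmailer requires httpd_enable_cgi to be set
#
# Underlying subversion repo is expected to be httpd_sys_content_rw_t
# (served via mod_dav_svn), with hooks directory and its contents
# labeled httpd_sys_script_exec_t
#
# svnmailer output should be redirected to svnmailer_log_t,
# e.g. in hooks/post-commit:
# /usr/bin/svn-mailer --commit --repository "${REPOS}" --revision "${REV}" \
#	--background 2>>/var/log/svnmailer/my-repo.log
#
# Note that the 2>> redirection is opened by the shell running the hook,
# i.e. by httpd_sys_script_t, not by svn-mailer; that domain therefore
# needs svnmailer_manage_log() as well (provided by svnmailer-extras).
#
# apache_read_sys_content_rw() and apache_dontaudit_rw_sys_content_rw_files()
# used below are shipped in svnmailer-extras.if until they are merged
# into apache.if.
#

# declares httpd_svnmailer_script_t / httpd_svnmailer_script_exec_t and
# the usual apache content types for this script domain
apache_content_template(svnmailer)

# log files
manage_dirs_pattern(httpd_svnmailer_script_t, svnmailer_log_t, svnmailer_log_t)
manage_files_pattern(httpd_svnmailer_script_t, svnmailer_log_t, svnmailer_log_t)
logging_log_filetrans(httpd_svnmailer_script_t, svnmailer_log_t, { file dir })

# tmp files
manage_dirs_pattern(httpd_svnmailer_script_t, svnmailer_tmp_t, svnmailer_tmp_t)
manage_files_pattern(httpd_svnmailer_script_t, svnmailer_tmp_t, svnmailer_tmp_t)
files_tmp_filetrans(httpd_svnmailer_script_t, svnmailer_tmp_t, { file dir })

# repository data lives in httpd-writable files and dirs; svn-mailer only
# has to read it, so no write access to the repository is granted here
apache_read_sys_content(httpd_svnmailer_script_t)
apache_read_sys_content_rw(httpd_svnmailer_script_t)

# leaked file descriptors again (we need read access but not write):
# writable fds inherited from the hook's domain trigger write denials on
# repository files -- silence them rather than grant the write
apache_dontaudit_rw_sys_content_rw_files(httpd_svnmailer_script_t)

# svn-mailer looks for and does getattr on locale (in /usr/bin when it finds it)
corecmd_getattr_bin_files(httpd_svnmailer_script_t)
corecmd_read_bin_symlinks(httpd_svnmailer_script_t)
corecmd_search_bin(httpd_svnmailer_script_t)

# svn-mailer can act as an SMTP client...
# Outbound TCP from a web script domain is more than a sendmail-only
# deployment needs, so it is behind a tunable (on by default so existing
# installs keep working; set it off where the sendmail path is used).
tunable_policy(`svnmailer_use_smtp',`
	corenet_tcp_connect_smtp_port(httpd_svnmailer_script_t)
	corenet_sendrecv_smtp_client_packets(httpd_svnmailer_script_t)
')

# ... or it can send mail using /usr/sbin/sendmail.
# mta_send_mail() supplies the domain transition on sendmail_exec_t, so
# sendmail runs in the MTA's domain instead of staying in
# httpd_svnmailer_script_t (the situation that floods the audit log
# when the transition is missing).
mta_send_mail(httpd_svnmailer_script_t)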
########################################
## <summary>
##	Read apache system read/write content.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_read_sys_content_rw',`
	gen_require(`
		type httpd_sys_content_rw_t;
	')

	# Read-only view of httpd_sys_content_rw_t: list directories, read
	# files and follow symlinks, but no write access.  With the same type
	# in both positions list_dirs_pattern() grants list_dir_perms on
	# httpd_sys_content_rw_t directories.
	#
	# NOTE(review): this is intended to move into apache.if; if a newer
	# apache module already ships an interface of this name, drop this copy.
	list_dirs_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t)
	read_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t)
	read_lnk_files_pattern($1, httpd_sys_content_rw_t, httpd_sys_content_rw_t)
')

########################################
## <summary>
##	Do not audit attempts to read and write Apache
##	system read/write content files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`apache_dontaudit_rw_sys_content_rw_files',`
	gen_require(`
		type httpd_sys_content_rw_t;
	')

	# Silences denials on file descriptors inherited from a domain that
	# had the files open read/write; no access is granted by this rule.
	dontaudit $1 httpd_sys_content_rw_t:file { read write };
')
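policy_module(svnmailer-extras, 0.0.10)

########################################
#
# svnmailer additional policy
# (for rules that should be in other modules)
#
# Every rule here targets an Apache domain.  They are kept apart from the
# svnmailer module so that module can be merged upstream on its own while
# these are proposed for apache.te.
#

# Only httpd_sys_script_t is referenced by the rules below, so only that
# type is required.  httpd_t is deliberately not listed: no rule here
# targets it.  If Apache itself turns out to need the log, require the
# type and add svnmailer_manage_log(httpd_t) alongside.
require {
	type httpd_sys_script_t;
}

# svnmailer is usually called from the post-commit hook of subversion
# using mod_dav_svn, which will be running in the httpd_sys_script_t domain
svnmailer_domtrans(httpd_sys_script_t)

# the log file can capture errors from httpd and svn-mailer: the shell
# running the hook (httpd_sys_script_t) is what opens the log for the
# 2>> redirection, so it must be able to create and write svnmailer_log_t
# files, not just the svn-mailer domain
svnmailer_manage_log(httpd_sys_script_t)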