Re: Selinux + ruby + httpd

On Thu, Jul 22, 2010 at 02:16:16PM -0600, Erinn Looney-Triggs wrote:
> In trying to develop some SELinux exceptions (via audit2allow) for a
> ruby application I came up with the following:
> 
> module myruby 1.0;
> 
> require {
>         type httpd_tmp_t;
>         type lib_t;
>         type httpd_t;
>         type tmp_t;
>         class sock_file { write create unlink getattr setattr };
>         class capability { fowner fsetid };
>         class file { read getattr execute_no_trans };
>         class fifo_file { create unlink getattr setattr };
> }
> 
> #============= httpd_t ==============
> allow httpd_t httpd_tmp_t:fifo_file { create unlink getattr setattr };
> allow httpd_t httpd_tmp_t:sock_file { write create unlink getattr setattr };
> allow httpd_t lib_t:file execute_no_trans;  # This one is due to mod_passenger being labelled lib_t
> allow httpd_t self:capability { fowner fsetid };
> allow httpd_t tmp_t:file { read getattr };
> 
> Now the first question I have is: is there anything egregiously bad in
> there? Aside from the lib_t execute, due to auto-labelling labelling
> mod_passenger as lib_t.
> 
> My second question is, I have this policy working on one machine, moved
> it to another machine and everything worked, this application was then
> deployed on a third machine and I figured, I would just insert the
> module again. Well installing the module worked fine but apache is
> trying to use a different type on this machine, from audit2allow:
> 
> #============= httpd_sys_script_t ==============
> allow httpd_sys_script_t devpts_t:chr_file { read write };
> allow httpd_sys_script_t httpd_tmp_t:fifo_file setattr;
> allow httpd_sys_script_t self:capability { setuid setgid };
> 
> Why all of a sudden is this machine using httpd_sys_script_t instead of
> httpd_t, which my other systems use? All the boxes are RHEL 5.5 x64 fully
> patched running selinux-policy-2.4.6-279.el5. Now it is possible that
> the myruby.pp module mentioned above is working just fine, but why then
> would this one system need these extra privileges? Exact same codebase
> for the ruby application across the systems. Any insight would be
> appreciated.

Not sure, but it is likely due to the labelling of the mod_passenger files and/or your boolean configuration.

Basically the httpd system script domain has fewer privileges. But the fact that httpd_t can transition when running mod_passenger offers
some possibilities. (You could make httpd transition to a private domain for mod_passenger; that way you do not have to modify the httpd or httpd system script domains to allow them more privileges.)

The privileges for httpd_t do not look too bad. You could label the lib with type bin_t; that way it can be executed. httpd managing
socks and pipes is not so bad either. The capabilities, however, should be prevented whenever possible.

Especially the setuid/setgid for the httpd sys domain. Also, the httpd system script writing to pseudo terminals is something that I would probably try to prevent.

I would (I think I actually wrote policy for mod_passenger before, but I don't have it anymore) make httpd_t transition to a private passenger domain and give that domain the required privileges.

I could help you create a module for this if you're interested.
> 
> Thanks,
> -Erinn
> 
> 
> 
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
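The private-domain approach suggested in the reply above, written out as an added example policy module; this is not code from either list participant. It assumes the selinux-policy-devel package (reference policy interfaces and /usr/share/selinux/devel/Makefile), and the names passenger_t and passenger_exec_t, as well as the path of the Passenger spawn helper in the usage note, are hypothetical. It uses domain_auto_trans plus explicit fd/fifo/sigchld rules rather than the newer domtrans_pattern macro, so that it builds against a 2.4.x-era policy; on a policy that ships domtrans_pattern, that one macro replaces those four lines.

```selinux
policy_module(passenger, 1.0)

########################################
#
# Declarations (passenger_t / passenger_exec_t are hypothetical names)
#

# Private domain for the Passenger spawn helper, plus the file type that
# marks the helper binary as the entry point into that domain.
type passenger_t;
type passenger_exec_t;
domain_type(passenger_t)
domain_entry_file(passenger_t, passenger_exec_t)
role system_r types passenger_t;

# Types this module references but does not own.
gen_require(`
	type httpd_t;
	type httpd_tmp_t;
')

########################################
#
# httpd_t -> passenger_t transition
#

# When httpd_t executes a file labelled passenger_exec_t, the kernel puts the
# child into passenger_t. httpd_t keeps its stock policy; the extra rules go
# to passenger_t instead. domain_auto_trans grants httpd_t execute on the
# entry point, passenger_t entrypoint on it, and the process transition.
domain_auto_trans(httpd_t, passenger_exec_t, passenger_t)

# The helper inherits apache's descriptors and pipes and reports its exit
# status back to the parent; without these the child is blocked at startup.
allow passenger_t httpd_t:fd use;
allow passenger_t httpd_t:fifo_file { read write getattr ioctl };
allow passenger_t httpd_t:process sigchld;

########################################
#
# passenger_t local policy
#

# The sockets and pipes audit2allow reported under httpd_tmp_t, granted to
# the private domain rather than to httpd_t. Permission sets mirror the
# module quoted above; "open" is left out because a RHEL 5-era policy
# predates that permission.
files_search_tmp(passenger_t)
files_read_generic_tmp_files(passenger_t)
allow passenger_t httpd_tmp_t:dir { search getattr read write add_name remove_name };
allow passenger_t httpd_tmp_t:fifo_file { create unlink getattr setattr read write };
allow passenger_t httpd_tmp_t:sock_file { create unlink getattr setattr write };

# Ruby is an ordinary program and its native extensions are ordinary shared
# libraries, so the lib_t execute_no_trans rule from the quoted module is
# not needed in this domain.
corecmd_exec_bin(passenger_t)
libs_use_ld_so(passenger_t)
libs_use_shared_libs(passenger_t)
miscfiles_read_localization(passenger_t)

# No capabilities on purpose. Add a line such as
#   allow passenger_t self:capability { fowner fsetid };
# only after an AVC denial shows the helper itself needs it.
```

To wire it up, a passenger.fc beside the .te labels the helper binary, for example `/PATH/TO/passenger/spawn-helper -- gen_context(system_u:object_r:passenger_exec_t,s0)` (placeholder path); then `make -f /usr/share/selinux/devel/Makefile passenger.pp`, `semodule -i passenger.pp`, and `restorecon -v` on that path. After restarting httpd, `ps -eZ` should show the helper running as passenger_t, and any remaining denials in the audit log will name passenger_t rather than httpd_t, which keeps every added privilege scoped to that one process.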
