On 08/19/2010 03:26 PM, Moray Henderson wrote:
> Dominick Grift wrote:
>>> I still get denials when apache starts or stops:
>>>
>>> type=AVC msg=audit(1282212879.945:6710639): avc: denied { fowner } for
>>> pid=10440 comm="chmod" capability=3 scontext=user_u:system_r:httpd_t:s0
>>> tcontext=user_u:system_r:httpd_t:s0 tclass=capability
>>> type=SYSCALL msg=audit(1282212879.945:6710639): arch=40000003 syscall=15
>>> success=no exit=-1 a0=91d95ec a1=9c0 a2=8051614 a3=0 items=0 ppid=10439
>>> pid=10440 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>> fsgid=0 tty=pts0 ses=404 comm="chmod" exe="/bin/chmod"
>>> subj=user_u:system_r:httpd_t:s0 key=(null)
>>> type=AVC msg=audit(1282212879.946:6710640): avc: denied { fowner } for
>>> pid=10440 comm="chmod" capability=3 scontext=user_u:system_r:httpd_t:s0
>>> tcontext=user_u:system_r:httpd_t:s0 tclass=capability
>>> type=SYSCALL msg=audit(1282212879.946:6710640): arch=40000003 syscall=15
>>> success=no exit=-1 a0=91d96a4 a1=9c0 a2=8051614 a3=0 items=0 ppid=10439
>>> pid=10440 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>> fsgid=0 tty=pts0 ses=404 comm="chmod" exe="/bin/chmod"
>>> subj=user_u:system_r:httpd_t:s0 key=(null)
>>
>> So something running in the httpd_t domain wants to change file
>> ownership of some object.
>>
>> Still wondering what is running in the httpd_t domain that ran chmod,
>> and on which object did it run it.
>
> I think I've found it. It's in the mod_passenger library, which is
> currently
>
> -rwxrwxr-x root root system_u:object_r:httpd_modules_t
> /usr/lib/httpd/modules/mod_passenger.so
>
> There are a couple of functions there that deal with creation and
> deletion of FIFOs and mention chmod. As it's loaded by the master
> apache daemon, I didn't think we could tweak its permissions.
> Everything seems to work - is there a problem?

See what happens when you label it with the passenger executable type,
httpd_myapp_script_exec_t.

The problem is that we do not want to have to extend httpd_t policy if
we do not have to.

>
> static void
> createNonWritableFifo(const string &filename) {
>     int ret, e;
>     bool ignoreChmodErrors = false;
>
>     do {
>         ret = mkfifo(filename.c_str(), 0);
>     } while (ret == -1 && errno == EINTR);
>     if (ret == -1) {
>         if (errno == EEXIST) {
>             /* The FIFO file was likely created by root, but after lowering
>              * privilege createPassengerTempDir() is called again, and this
>              * time we won't be able to set permissions. So in this case
>              * we'll want to ignore any chmod errors.
>              */
>             ignoreChmodErrors = geteuid() != 0;
>         } else {
>             e = errno;
>             throw FileSystemException("Cannot create FIFO file " + filename,
>                 e, filename);
>         }
>     }
>
>     do {
>         ret = chmod(filename.c_str(), 0);
>     } while (ret == -1 && errno == EINTR);
>     if (ret == -1 && !ignoreChmodErrors) {
>         e = errno;
>         throw FileSystemException("Cannot set permissions on file " +
>             filename, e, filename);
>     }
> }
>
> void
> removeDirTree(const string &path) {
>     char command[PATH_MAX + 30];
>     int result;
>
>     snprintf(command, sizeof(command), "chmod -R u+rwx \"%s\" 2>/dev/null",
>         path.c_str());
>     command[sizeof(command) - 1] = '\0';
>     do {
>         result = system(command);
>     } while (result == -1 && errno == EINTR);
>
>     snprintf(command, sizeof(command), "rm -rf \"%s\"", path.c_str());
>     command[sizeof(command) - 1] = '\0';
>     do {
>         result = system(command);
>     } while (result == -1 && errno == EINTR);
>     if (result == -1) {
>         char message[1024];
>         int e = errno;
>
>         snprintf(message, sizeof(message) - 1, "Cannot remove directory '%s'",
>             path.c_str());
>         message[sizeof(message) - 1] = '\0';
>         throw FileSystemException(message, e, path);
>     }
> }
>
>>> but I can dontaudit those. I've also changed the labelling so that only
>>> the passenger executable is labelled with the entry type; all other
>>> passenger files are content type. The policy becomes:
>>>
>>> #### myapp.te ####
>>> policy_module(myapp,1.0)
>>>
>>> apache_content_template(myapp);
>>>
>>> kernel_read_kernel_sysctls(httpd_myapp_script_t);
>>> miscfiles_read_certs(httpd_myapp_script_t);
>>> term_use_all_user_ptys(httpd_myapp_script_t);
>>>
>>> dontaudit httpd_t self:capability { fowner };
>>> allow httpd_t httpd_myapp_script_t:unix_stream_socket rw_socket_perms;
>>> allow httpd_t httpd_myapp_script_rw_t:fifo_file manage_file_perms;
>>> allow httpd_t httpd_myapp_script_rw_t:sock_file { setattr unlink };
>>>
>>> allow httpd_myapp_script_t self:capability { chown dac_override
>>>     dac_read_search fowner fsetid setgid setuid };
>>> allow httpd_myapp_script_t httpd_t:unix_stream_socket { read write };
>>>
>>> #### myapp.fc ####
>>> /usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15/lib/phusion_passenger/ApplicationPoolServerExecutable -- gen_context(system_u:object_r:httpd_myapp_script_exec_t, s0)
>>> /usr/lib/ruby/gems/1.9.1/gems/passenger-2.2.15(/.*)? gen_context(system_u:object_r:httpd_myapp_content_t, s0)
>>> /usr/local/lib/myapp(/.*)? gen_context(system_u:object_r:httpd_myapp_content_t, s0)
>>> /var/run/passenger(/.*)? gen_context(system_u:object_r:httpd_myapp_script_rw_t, s0)
>>>
>>>
>>> Thanks for your reply on the documentation, too. I'll take time to work
>>> through it properly.
>
>
> Moray.
> "To err is human. To purr, feline"
>
>
>
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
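The thread above reads AVC records by hand (capability=3 in the SYSCALL pairing is CAP_FOWNER, the source and target type are both httpd_t, so the rule shape is `httpd_t self:capability`). The following script is an added example, not code from the thread or from any of its participants: it parses such audit lines, translates the capability number to the name used in policy, groups the denials the way a .te rule is written, and renders them as allow or dontaudit statements. The capability table is a constructed subset, and the sample log records are the ones quoted in the thread.

```python
import re
from collections import defaultdict

# Capability numbers as printed in the audit "capability=N" field; this is
# a constructed subset covering the ones named in the thread's myapp.te.
CAPABILITY_NAMES = {0: "chown", 1: "dac_override", 2: "dac_read_search",
                    3: "fowner", 4: "fsetid", 6: "setgid", 7: "setuid"}

AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")
FIELD_RE = re.compile(r'(comm|capability)=("?)([^"\s]+)\2')

# Sample input taken from the thread: one AVC denial plus its SYSCALL record.
SAMPLE_LOG = [
    'type=AVC msg=audit(1282212879.945:6710639): avc: denied { fowner } for pid=10440 comm="chmod" capability=3 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=capability',
    'type=SYSCALL msg=audit(1282212879.945:6710639): arch=40000003 syscall=15 success=no exit=-1 comm="chmod" exe="/bin/chmod" subj=user_u:system_r:httpd_t:s0',
]

def parse_avc(line):
    """Fields of one AVC denial, or None for other record types (SYSCALL etc.)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec.update((k, v) for k, _, v in FIELD_RE.findall(line))
    if "capability" in rec:  # turn capability=3 into the name used in policy
        num = int(rec["capability"])
        rec["capability"] = CAPABILITY_NAMES.get(num, f"cap_{num}")
    return rec

def type_of(context):
    """The type (third field) of a context such as user_u:system_r:httpd_t:s0."""
    return context.split(":")[2]

def summarise(lines):
    """Group denied permissions by (source type, target, class); the target is
    'self' when both types match, as for capability checks on the domain."""
    needed = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        src, tgt = type_of(rec["scontext"]), type_of(rec["tcontext"])
        needed[(src, "self" if src == tgt else tgt, rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in needed.items()}

def as_rules(summary, verb="allow"):
    """Render the summary as allow or dontaudit statements for a .te file."""
    return [f"{verb} {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]
```

`as_rules(summarise(SAMPLE_LOG), "dontaudit")` yields exactly the `dontaudit httpd_t self:capability { fowner };` line from the policy quoted above; with the default verb it yields the allow form, which is what the reply argues against extending httpd_t with.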