On 01/17/2011 12:05 PM, Dominick Grift wrote:
> On 01/17/2011 11:47 AM, Erinn Looney-Triggs wrote:
>> This is a lot of groping about in the dark for me with SELinux so please
>> excuse any completely absurd choices I made :).
>>
>> I posted before about getting a setup working with mod_passenger, I was
>> able to work things around such that mod_passenger worked fine with
>> selinux enabled. I came up with this small policy:
> The policy for passenger needs to be revisited. mgrepl mentioned that he
> is going to cooperate with some ruby related people to fix it. I haven't
> noticed any progress on that front though.

The passenger v3 is supported by the current SELinux policy (Fedora13+ releases).
The following blog

http://mifo.sk/posts/passenger-selinux-for-fedora/

will be updated to provide correct instructions.

Erinn, try to follow these instructions except the fifth point which will be
replaced by the following:

---
5. Execute

# restorecon -R -v /var/lib/passenger* /var/run/passenger* /usr/lib/ruby/gems/1.8/gems/passenger*
---

Dominick, I am working on fixes for passenger policy based on your policy.

> What you have below can hardly be called policy ;) It's just AVC denials
> run through audit2allow -M. Basically it compromises the httpd_t domain.
>
> But at least you got it to work for now. Keep an eye open on the
> selinux-policy changelog with regard to passenger. When policy is redone
> you should be able to remove your myruby module and update to latest
> available selinux-policy instead to get passenger to work with selinux.
>
>> module myruby 1.0;
>>
>> require {
>>     type httpd_tmp_t;
>>     type lib_t;
>>     type httpd_t;
>>     type tmp_t;
>>     class sock_file { write create unlink getattr setattr };
>>     class capability { fowner fsetid };
>>     class file { read getattr execute_no_trans };
>>     class fifo_file { create unlink getattr setattr };
>> }
>>
>> #============= httpd_t ==============
>> allow httpd_t httpd_tmp_t:fifo_file { create unlink getattr setattr };
>> allow httpd_t httpd_tmp_t:sock_file { write create unlink getattr setattr };
>> allow httpd_t lib_t:file execute_no_trans;
>> allow httpd_t self:capability { fowner fsetid };
>> allow httpd_t tmp_t:file { read getattr };
>>
>> It worked just fine though I had a bit of a gripe with the execute on
>> lib_t, this was due to the mod_passenger module being automatically
>> labelled as lib_t (it was located in /usr/local/ruby/lib, hence the
>> labelling), but I couldn't really change things as they were in
>> production. Well now we are going through an upgrade to Rails 3 and it
>> is not playing nicely with SELinux again, so around we go with
>> audit2allow, this time I changed the passenger module to be labelled
>> like all the other apache modules (httpd_modules_t), and there are a few
>> other executables that Passenger requires, I labelled them as apache
>> modules as well (for better or worse, I tried httpd_script_t as well
>> thinking that it would fit better, but I don't know if it makes much
>> difference).
>>
>> However, after many runs through audit2allow the outcome is
>> pretty vulgar:
>>
>> module myruby 1.0;
>>
>> require {
>>     type unconfined_t;
>>     type semanage_t;
>>     type hplip_t;
>>     type setrans_t;
>>     type mysqld_t;
>>     type syslogd_t;
>>     type getty_t;
>>     type xfs_t;
>>     type initrc_t;
>>     type irqbalance_t;
>>     type httpd_modules_t;
>>     type snmpd_t;
>>     type tmp_t;
>>     type avahi_t;
>>     type rpm_t;
>>     type gpm_t;
>>     type unconfined_execmem_t;
>>     type restorecond_t;
>>     type init_t;
>>     type httpd_tmp_t;
>>     type ntpd_t;
>>     type fsdaemon_t;
>>     type postfix_master_t;
>>     type auditd_t;
>>     type udev_t;
>>     type postfix_qmgr_t;
>>     type audisp_t;
>>     type system_dbusd_t;
>>     type cupsd_t;
>>     type inetd_t;
>>     type portmap_t;
>>     type postfix_pickup_t;
>>     type kernel_t;
>>     type setfiles_t;
>>     type hald_t;
>>     type apmd_t;
>>     type crond_t;
>>     type rpcd_t;
>>     type httpd_t;
>>     class capability { fowner sys_resource fsetid };
>>     class process ptrace;
>>     class dir { getattr search };
>>     class file { read getattr execute_no_trans };
>>     class sock_file { write create unlink getattr setattr };
>> }
>>
>> #============= httpd_t ==============
>> allow httpd_t apmd_t:dir { getattr search };
>> allow httpd_t apmd_t:file read;
>> allow httpd_t audisp_t:dir { getattr search };
>> allow httpd_t audisp_t:file read;
>> allow httpd_t auditd_t:dir { getattr search };
>> allow httpd_t auditd_t:file read;
>> allow httpd_t avahi_t:dir { getattr search };
>> allow httpd_t avahi_t:file read;
>> allow httpd_t crond_t:dir { getattr search };
>> allow httpd_t crond_t:file read;
>> allow httpd_t cupsd_t:dir { getattr search };
>> allow httpd_t cupsd_t:file read;
>> allow httpd_t fsdaemon_t:dir { getattr search };
>> allow httpd_t fsdaemon_t:file read;
>> allow httpd_t getty_t:dir { getattr search };
>> allow httpd_t getty_t:file read;
>> allow httpd_t gpm_t:dir { getattr search };
>> allow httpd_t gpm_t:file read;
>> allow httpd_t hald_t:dir { getattr search };
>> allow httpd_t hald_t:file read;
>> allow httpd_t hplip_t:dir { getattr search };
>> allow httpd_t hplip_t:file read;
>> allow httpd_t httpd_modules_t:file execute_no_trans;
>> allow httpd_t httpd_tmp_t:sock_file { write create unlink getattr setattr };
>> allow httpd_t inetd_t:dir { getattr search };
>> allow httpd_t inetd_t:file read;
>> allow httpd_t init_t:dir { getattr search };
>> allow httpd_t init_t:file read;
>> allow httpd_t initrc_t:dir { getattr search };
>> allow httpd_t initrc_t:file read;
>> allow httpd_t irqbalance_t:dir { getattr search };
>> allow httpd_t irqbalance_t:file read;
>> allow httpd_t kernel_t:dir { getattr search };
>> allow httpd_t kernel_t:file read;
>> allow httpd_t mysqld_t:dir { getattr search };
>> allow httpd_t mysqld_t:file read;
>> allow httpd_t ntpd_t:dir { getattr search };
>> allow httpd_t ntpd_t:file read;
>> allow httpd_t portmap_t:dir { getattr search };
>> allow httpd_t portmap_t:file read;
>> allow httpd_t postfix_master_t:dir { getattr search };
>> allow httpd_t postfix_master_t:file read;
>> allow httpd_t postfix_pickup_t:dir { getattr search };
>> allow httpd_t postfix_pickup_t:file read;
>> allow httpd_t postfix_qmgr_t:dir { getattr search };
>> allow httpd_t postfix_qmgr_t:file read;
>> allow httpd_t restorecond_t:dir { getattr search };
>> allow httpd_t restorecond_t:file read;
>> allow httpd_t rpcd_t:dir { getattr search };
>> allow httpd_t rpcd_t:file read;
>> allow httpd_t rpm_t:dir { getattr search };
>> allow httpd_t rpm_t:file read;
>> allow httpd_t self:capability { fowner sys_resource fsetid };
>> allow httpd_t self:process ptrace;
>> allow httpd_t semanage_t:dir getattr;
>> allow httpd_t setfiles_t:dir getattr;
>> allow httpd_t setrans_t:dir { getattr search };
>> allow httpd_t setrans_t:file read;
>> allow httpd_t snmpd_t:dir { getattr search };
>> allow httpd_t snmpd_t:file read;
>> allow httpd_t syslogd_t:dir { getattr search };
>> allow httpd_t syslogd_t:file read;
>> allow httpd_t system_dbusd_t:dir { getattr search };
>> allow httpd_t system_dbusd_t:file read;
>> allow httpd_t tmp_t:file { read getattr };
>> allow httpd_t udev_t:dir { getattr search };
>> allow httpd_t udev_t:file read;
>> allow httpd_t unconfined_execmem_t:dir { getattr search };
>> allow httpd_t unconfined_execmem_t:file read;
>> allow httpd_t unconfined_t:dir { getattr search };
>> allow httpd_t unconfined_t:file read;
>> allow httpd_t xfs_t:dir { getattr search };
>> allow httpd_t xfs_t:file read;
>>
>> This seems like an absurd amount of access to me, it gets things going
>> but really? Anyone have a bit of experience with mod_passenger and Rails
>> 3, any insight? Now I did go through and manually prune out what I
>> thought was wrong and came up with this (this was when I was testing the
>> httpd_sys_script type, just mentally change it to httpd_t):
>>
>> module myruby 1.0;
>>
>> require {
>>     type httpd_tmp_t;
>>     type httpd_sys_script_t;
>>     type devpts_t;
>>     type httpd_t;
>>     type tmp_t;
>>     type udev_tbl_t;
>>     class process { ptrace setpgid getsched };
>>     class sock_file { write create unlink getattr setattr };
>>     class capability { kill sys_resource dac_override dac_read_search chown fsetid setgid setuid fowner };
>>     class chr_file { read write ioctl };
>>     class file { read getattr execute_no_trans };
>>     class fifo_file { create unlink getattr setattr };
>>     class lnk_file read;
>>     class dir search;
>>     class unix_stream_socket connectto;
>> }
>>
>> #============= httpd_t ==============
>> allow httpd_t httpd_tmp_t:fifo_file { create unlink getattr setattr };
>> allow httpd_t httpd_tmp_t:sock_file { write create unlink getattr setattr };
>> allow httpd_t self:capability { fowner fsetid };
>> allow httpd_t tmp_t:file { read getattr };
>> allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
>>
>> #============= httpd_sys_script_t ==============
>> allow httpd_sys_script_t devpts_t:chr_file { read write ioctl };
>> allow httpd_sys_script_t self:capability { kill dac_read_search fsetid sys_resource setuid setgid fowner chown dac_override };
>> allow httpd_sys_script_t self:process { getsched setpgid };
>> allow httpd_sys_script_t udev_tbl_t:lnk_file read;
>> allow httpd_sys_script_t devpts_t:dir search;
>>
>> System works, passenger runs etc. but an obscene amount of logs are
>> being pumped into the audit logs for each of those directory reads etc.
>> I suppose I could add dontaudit rules (not that I know how). But again
>> seeking any other insights into this.
>>
>> Thanks,
>> -Erinn
>> --
>> selinux mailing list
>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/selinux