The user can't manipulate the public_content_rw_t files from eir own
shell, though, which is not so great.

-Robin

On Fri, Sep 02, 2011 at 10:42:13PM -0700, Robin Lee Powell wrote:
> OK, between that (thanks Jason) and a friend's reminder to read
> "man httpd_selinux", I think I've got a decent solution worked
> out:
>
> Script is httpd_sys_script_exec_t , which gives it sendmail perms.
>
> The data files are public_content_rw_t (so the user can set it
> themselves; I could do httpd_sys_rw_content_t, but then I'd have
> to set it).
>
> setsebool -P allow_httpd_sys_script_anon_write=1 to allow the
> public_content_rw_t to work.
>
> And it seems to be fine now; no AVCs.
>
> -Robin
>
> On Fri, Sep 02, 2011 at 10:17:35PM -0700, Robin Lee Powell wrote:
> > OK, read that (again :), played around a bit. According to "sudo
> > sesearch -T -t sendmail_exec_t":
> >
> > type_transition httpd_sys_script_t sendmail_exec_t : process system_mail_t;
> >
> > but there's no similar one for any of the other httpd script
> > transitions. I suppose I should try marking it with
> > httpd_sys_script_t and see how it goes.
> >
> > -Robin
> >
> > On Fri, Sep 02, 2011 at 01:50:13PM -1000, Jason Axelson wrote:
> > > Hi Robin,
> > >
> > > I can't really answer your questions about what you should do, but
> > > I wanted to provide a link that shows why httpd_user_script_t is
> > > not transitioning to sendmail_t.
> > >
> > > http://danwalsh.livejournal.com/23944.html
> > >
> > > Jason
> > >
> > > On Fri, Sep 2, 2011 at 1:33 PM, Robin Lee Powell
> > > <rlpowell@xxxxxxxxxxxxxxxxxx> wrote:
> > > >
> > > > (Background: My SELinux hosts are all F15, fairly base installation,
> > > > with the unconfined module disabled)
> > > >
> > > > I have a host that is for random hackery, and hence is (or at least
> > > > is allowed to be) less secure than the others.
> > > >
> > > > I have a user who made a CGI (running under apache; python, in case
> > > > that matters) that pulls things from elsewhere on the web and then
> > > > sends email with the results.
> > > >
> > > > This generates a pretty large number of AVC denials, which I suppose
> > > > is reasonable since that behaviour looks an awful lot like "I just
> > > > got hijacked and am now being used for spam distribution".
> > > >
> > > > One thing I was genuinely surprised by though is that the
> > > > mail-related denials all came in for httpd_user_script_t , rather
> > > > than sendmail_t or something, and that no attempt to transition to
> > > > sendmail_t seems to have occurred or been denied or anything, as I'd
> > > > have expected (it sends mail with /bin/mail ).
> > > >
> > > > FWIW, here's the AVCs:
> > > >
> > > > http://fpaste.org/ZyHg/ (uses date from the input form only)
> > > >
> > > > http://fpaste.org/M9Fq/ (goes out and talks to another website)
> > > >
> > > > I've learned a lot about SELinux recently, but it's all been
> > > > piecemeal, so this is more of a "what's the right thing?" question
> > > > designed for me to learn from, more than a "what's the fastest way
> > > > to fix this?" one.
> > > >
> > > > So, what's the right way to handle this situation?
> > > >
> > > > httpd_user_script_exec_t doesn't do the trick at all (which is
> > > > probably good since it turns out user_u can set that with chcon,
> > > > which I didn't expect).
> > > >
> > > > Is there some way without installing a module (i.e. with semanage or
> > > > similar) to indicate to SELinux "Yeah, this script over here? It
> > > > can talk to the web" (or "send email")?
> > > >
> > > > Is there a way to indicate that system-wide without installing a
> > > > module? (not that I would, just curious)
> > > >
> > > > If doing it via module, it's best to create a bobs_script_exec_t and
> > > > bobs_script_t and do everything for those types, rather than
> > > > httpd_user_script_exec_t and friends, right? This means that a user
> > > > making a non-trivial CGI has to come talk to me, which is a tad
> > > > unfortunate but not horrible.
> > > >
> > > > Thanks for all enlightenment here, and please feel free to go the
> > > > "you're thinking about it wrong" route; I'm really wanting to learn.
> > > >
> > > > -Robin
> > > >
> > > > --
> > > > http://singinst.org/ : Our last, best hope for a fantastic future.
> > > > Lojban (http://www.lojban.org/): The language in which "this parrot
> > > > is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
> > > > is "na nei". My personal page: http://www.digitalkingdom.org/rlp/
> > > > --
> > > > selinux mailing list
> > > > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > > https://admin.fedoraproject.org/mailman/listinfo/selinux
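The diagnostic Robin runs in the thread (query the policy for which domains get a transition on sendmail_exec_t, notice that httpd_sys_script_t does and httpd_user_script_t does not, then relabel accordingly) can be scripted. The following is an added example, not code from the thread or from the Fedora policy; the sesearch output it parses is a constructed sample (only the first line is the rule quoted above), the paths are placeholders, the exec-type-to-domain mapping relies on the httpd policy's httpd_X_script_exec_t / httpd_X_script_t naming, and the boolean name is the one used in the thread. The relabeling commands are printed rather than executed, so it runs without root or an SELinux host.

```sh
#!/bin/sh
# Added example: pick the CGI exec type whose domain may transition into
# system_mail_t, then print the persistent labeling steps from the thread.

# Constructed sample of `sesearch -T -t sendmail_exec_t` output. The first
# rule is the one quoted in the thread; the other two are made up.
SESEARCH_SAMPLE='type_transition httpd_sys_script_t sendmail_exec_t : process system_mail_t;
type_transition cron_t sendmail_exec_t : process system_mail_t;
type_transition user_t sendmail_exec_t : process user_mail_t;'

# Candidate CGI exec types, in the order the thread tried them.
CGI_EXEC_TYPES='httpd_user_script_exec_t httpd_sys_script_exec_t'

# exec_to_domain EXEC_TYPE: httpd_X_script_exec_t -> httpd_X_script_t
exec_to_domain() {
    printf '%s\n' "$1" | sed 's/_exec_t$/_t/'
}

# mail_transition_for DOMAIN: the domain DOMAIN enters when it executes a
# sendmail_exec_t file, or "none" if the policy carries no such rule.
mail_transition_for() {
    printf '%s\n' "$SESEARCH_SAMPLE" | awk -v d="$1" '
        $1 == "type_transition" && $2 == d && $3 == "sendmail_exec_t" && $5 == "process" {
            sub(/;$/, "", $6); print $6; found = 1; exit
        }
        END { if (!found) print "none" }'
}

# pick_cgi_exec_type: first candidate whose domain transitions to
# system_mail_t; prints "none" and fails if there is none.
pick_cgi_exec_type() {
    for t in $CGI_EXEC_TYPES; do
        if [ "$(mail_transition_for "$(exec_to_domain "$t")")" = system_mail_t ]; then
            printf '%s\n' "$t"
            return 0
        fi
    done
    printf 'none\n'
    return 1
}

# labeling_plan SCRIPT DATADIR: the labeling from the thread, made persistent
# with semanage fcontext so restorecon does not undo it. Printed, not run.
labeling_plan() {
    exec_type=$(pick_cgi_exec_type) || return 1
    cat <<EOF
semanage fcontext -a -t $exec_type '$1'
semanage fcontext -a -t public_content_rw_t '$2(/.*)?'
restorecon -Rv '$1' '$2'
setsebool -P allow_httpd_sys_script_anon_write=1
EOF
}

# Placeholder paths, not from the thread.
labeling_plan /var/www/cgi-bin/mailer.py /var/www/cgi-data
```

Using semanage fcontext rather than chcon is the difference between a label that survives restorecon and one that does not; the thread's point that an unprivileged user can chcon a file to public_content_rw_t but then cannot work on it from their own shell still applies either way.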