Re: Right way to do CGI that does complicated things?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The user can't manipulate the public_content_rw_t files from eir
own shell, though, which is not so great.

-Robin

On Fri, Sep 02, 2011 at 10:42:13PM -0700, Robin Lee Powell wrote:
> OK, between that (thanks Jason) and a friend's reminder to read
> "man httpd_selinux", I think I've got a decent solution worked
> out:
> 
> Script is httpd_sys_script_exec_t , which gives it sendmail perms.
> 
> The data files are public_content_rw_t (so the user can set it
> themselves; I could do httpd_sys_rw_content_t, but then I'd have
> to set it).
> 
> setsebool -P allow_httpd_sys_script_anon_write=1 to allow the
> public_content_rw_t to work.
> 
> And it seems to be fine now; no AVCs.
> 
> -Robin
> 
> 
> On Fri, Sep 02, 2011 at 10:17:35PM -0700, Robin Lee Powell wrote:
> > OK, read that (again :), played around a bit.  According to "sudo
> > sesearch -T -t sendmail_exec_t":
> > 
> >   type_transition httpd_sys_script_t sendmail_exec_t : process system_mail_t;
> > 
> > but there's no similar one for any of the other httpd script
> > transitions.  I suppose I should try marking it with
> > httpd_sys_script_t and see how it goes.
> > 
> > -Robin
> > 
> > On Fri, Sep 02, 2011 at 01:50:13PM -1000, Jason Axelson wrote:
> > > Hi Robin,
> > > 
> > > I can't really answer your questions about what you should do, but
> > > I wanted to provide a link that shows why httpd_user_script_t is
> > > not transitioning to sendmail_t.
> > > 
> > > http://danwalsh.livejournal.com/23944.html
> > > 
> > > Jason
> > > 
> > > On Fri, Sep 2, 2011 at 1:33 PM, Robin Lee Powell
> > > <rlpowell@xxxxxxxxxxxxxxxxxx> wrote:
> > > >
> > > > (Background: My SELinux hosts are all F15, fairly base installation,
> > > > with the unconfined module disabled)
> > > >
> > > > I have a host that is for random hackery, and hence is (or at least
> > > > is allowed to be) less secure than the others.
> > > >
> > > > I have a user who made a CGI (running under apache; python, in case
> > > > that matters) that pulls things from elsewhere on the web and then
> > > > sends email with the results.
> > > >
> > > > This generates a pretty large number of AVC denials, which I suppose
> > > > is reasonable since that behaviour looks an awful lot like "I just
> > > > got hijacked and am now being used for spam distribution".
> > > >
> > > > One thing I was genuinely surprised by though is that the
> > > > mail-related denials all came in for httpd_user_script_t , rather
> > > > than sendmail_t or something, and that no attempt to transition to
> > > > sendmail_t seems to have occured or been denied or anything, as I'd
> > > > have expected (it sends mail with /bin/mail ).
> > > >
> > > > FWIW, here's the AVCs:
> > > >
> > > > http://fpaste.org/ZyHg/  (uses date from the input form only)
> > > >
> > > > http://fpaste.org/M9Fq/  (goes out and talks to another website)
> > > >
> > > > I've learned a lot about SELinux recently, but it's all been
> > > > piecemeal, so this is more of a "what's the right thing?" question
> > > > designed to for me to learn from more than "what's the fastest way
> > > > to fix this?".
> > > >
> > > > So, what's the right way to handle this situation?
> > > >
> > > > httpd_user_script_exec_t doesn't do the trick at all (which is
> > > > probably good since it turns out user_u can set that with chcon,
> > > > which I didn't expect).
> > > >
> > > > Is there some way without installing a module (i.e. with semanage or
> > > > similar) to indicate to SELinux "Yeah, this script over here?  It
> > > > can talk to the web" (or "send email")?
> > > >
> > > > Is there a way to indicate that system-wide without installing a
> > > > module?  (not that I would, just curious)
> > > >
> > > > If doing it via module, it's best to create a bobs_script_exec_t and
> > > > bobs_script_t and do everything for those types, rather than
> > > > httpd_user_script_exec_t and friends, right?  This means that a user
> > > > making a non-trivial CGI has to come talk to me, which is a tad
> > > > unfortunate but not horrible.
> > > >
> > > > Thanks for all enlightenment here, and please feel free to go the
> > > > "you're thinking about it wrong" route; I'm really wanting to learn.
> > > >
> > > > -Robin
> > > >
> > > > --
> > > > http://singinst.org/ :  Our last, best hope for a fantastic future.
> > > > Lojban (http://www.lojban.org/): The language in which "this parrot
> > > > is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
> > > > is "na nei".   My personal page: http://www.digitalkingdom.org/rlp/
> > > > --
> > > > selinux mailing list
> > > > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > > https://admin.fedoraproject.org/mailman/listinfo/selinux
> > > >
> > > --
> > > selinux mailing list
> > > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > https://admin.fedoraproject.org/mailman/listinfo/selinux
> > 
> > -- 
> > http://singinst.org/ :  Our last, best hope for a fantastic future.
> > Lojban (http://www.lojban.org/): The language in which "this parrot
> > is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
> > is "na nei".   My personal page: http://www.digitalkingdom.org/rlp/
> > --
> > selinux mailing list
> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> 
> -- 
> http://singinst.org/ :  Our last, best hope for a fantastic future.
> Lojban (http://www.lojban.org/): The language in which "this parrot
> is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
> is "na nei".   My personal page: http://www.digitalkingdom.org/rlp/
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-- 
http://singinst.org/ :  Our last, best hope for a fantastic future.
Lojban (http://www.lojban.org/): The language in which "this parrot
is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
is "na nei".   My personal page: http://www.digitalkingdom.org/rlp/
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux



[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux