On 09/03/2011 06:03 AM, Robin Lee Powell wrote:
> The user can't manipulate the public_content_rw_t files from eir
> own shell, though, which is not so great.

Do you also confine users with SELinux?

> -Robin
>
> On Fri, Sep 02, 2011 at 10:42:13PM -0700, Robin Lee Powell wrote:
>> OK, between that (thanks Jason) and a friend's reminder to read
>> "man httpd_selinux", I think I've got a decent solution worked
>> out:
>>
>> Script is httpd_sys_script_exec_t, which gives it sendmail perms.
>>
>> The data files are public_content_rw_t (so the user can set it
>> themselves; I could do httpd_sys_rw_content_t, but then I'd have
>> to set it).
>>
>> setsebool -P allow_httpd_sys_script_anon_write=1 to allow the
>> public_content_rw_t to work.
>>
>> And it seems to be fine now; no AVCs.
>>
>> -Robin
>>
>> On Fri, Sep 02, 2011 at 10:17:35PM -0700, Robin Lee Powell wrote:
>>> OK, read that (again :), played around a bit. According to "sudo
>>> sesearch -T -t sendmail_exec_t":
>>>
>>> type_transition httpd_sys_script_t sendmail_exec_t : process system_mail_t;
>>>
>>> but there's no similar one for any of the other httpd script
>>> transitions. I suppose I should try marking it with
>>> httpd_sys_script_t and see how it goes.
>>>
>>> -Robin
>>>
>>> On Fri, Sep 02, 2011 at 01:50:13PM -1000, Jason Axelson wrote:
>>>> Hi Robin,
>>>>
>>>> I can't really answer your questions about what you should do, but
>>>> I wanted to provide a link that shows why httpd_user_script_t is
>>>> not transitioning to sendmail_t.
>>>>
>>>> http://danwalsh.livejournal.com/23944.html
>>>>
>>>> Jason
>>>>
>>>> On Fri, Sep 2, 2011 at 1:33 PM, Robin Lee Powell
>>>> <rlpowell@xxxxxxxxxxxxxxxxxx> wrote:
>>>>> (Background: My SELinux hosts are all F15, fairly base installation,
>>>>> with the unconfined module disabled)
>>>>>
>>>>> I have a host that is for random hackery, and hence is (or at least
>>>>> is allowed to be) less secure than the others.
>>>>>
>>>>> I have a user who made a CGI (running under apache; python, in case
>>>>> that matters) that pulls things from elsewhere on the web and then
>>>>> sends email with the results.
>>>>>
>>>>> This generates a pretty large number of AVC denials, which I suppose
>>>>> is reasonable since that behaviour looks an awful lot like "I just
>>>>> got hijacked and am now being used for spam distribution".
>>>>>
>>>>> One thing I was genuinely surprised by though is that the
>>>>> mail-related denials all came in for httpd_user_script_t, rather
>>>>> than sendmail_t or something, and that no attempt to transition to
>>>>> sendmail_t seems to have occurred or been denied or anything, as I'd
>>>>> have expected (it sends mail with /bin/mail).
>>>>>
>>>>> FWIW, here's the AVCs:
>>>>>
>>>>> http://fpaste.org/ZyHg/ (uses date from the input form only)
>>>>>
>>>>> http://fpaste.org/M9Fq/ (goes out and talks to another website)
>>>>>
>>>>> I've learned a lot about SELinux recently, but it's all been
>>>>> piecemeal, so this is more of a "what's the right thing?" question
>>>>> designed for me to learn from more than "what's the fastest way
>>>>> to fix this?".
>>>>>
>>>>> So, what's the right way to handle this situation?
>>>>>
>>>>> httpd_user_script_exec_t doesn't do the trick at all (which is
>>>>> probably good since it turns out user_u can set that with chcon,
>>>>> which I didn't expect).
>>>>>
>>>>> Is there some way without installing a module (i.e. with semanage or
>>>>> similar) to indicate to SELinux "Yeah, this script over here? It
>>>>> can talk to the web" (or "send email")?
>>>>>
>>>>> Is there a way to indicate that system-wide without installing a
>>>>> module? (not that I would, just curious)
>>>>>
>>>>> If doing it via module, it's best to create a bobs_script_exec_t and
>>>>> bobs_script_t and do everything for those types, rather than
>>>>> httpd_user_script_exec_t and friends, right? This means that a user
>>>>> making a non-trivial CGI has to come talk to me, which is a tad
>>>>> unfortunate but not horrible.
>>>>>
>>>>> Thanks for all enlightenment here, and please feel free to go the
>>>>> "you're thinking about it wrong" route; I'm really wanting to learn.
>>>>>
>>>>> -Robin
>>>>>
>>>>> --
>>>>> http://singinst.org/ : Our last, best hope for a fantastic future.
>>>>> Lojban (http://www.lojban.org/): The language in which "this parrot
>>>>> is dead" is "ti poi spitaki cu morsi", but "this sentence is false"
>>>>> is "na nei". My personal page: http://www.digitalkingdom.org/rlp/
>>>>> --
>>>>> selinux mailing list
>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
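As an added example (not code from the thread), a small Python triage helper that correlates AVC denials with the process-transition rules that "sesearch -T" prints, to show why the mail denials stay in httpd_user_script_t: only the httpd_sys_script_t rule below is quoted in the thread; the httpd_t rule and the audit records are constructed samples, since Robin's real AVCs were on fpaste.

```python
import re

# Constructed sample in the shape of "sesearch -T -t sendmail_exec_t" output.
# The httpd_sys_script_t rule is the one quoted in the thread; httpd_t is illustrative.
SESEARCH_OUTPUT = """\
type_transition httpd_sys_script_t sendmail_exec_t : process system_mail_t;
type_transition httpd_t sendmail_exec_t : process system_mail_t;
"""

# Constructed sample AVC records in audit.log shape (not the thread's real AVCs).
AVC_LINES = """\
type=AVC msg=audit(1314938400.101:301): avc:  denied  { name_connect } for  pid=2345 comm="sendmail" dest=25 scontext=user_u:system_r:httpd_user_script_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1314938400.102:302): avc:  denied  { read } for  pid=2345 comm="sendmail" name="aliases" dev=dm-0 ino=1234 scontext=user_u:system_r:httpd_user_script_t:s0 tcontext=system_u:object_r:etc_aliases_t:s0 tclass=file
type=AVC msg=audit(1314938400.103:303): avc:  denied  { name_connect } for  pid=2346 comm="python" dest=80 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
"""

TRANS_RE = re.compile(r"^type_transition\s+(\S+)\s+(\S+)\s*:\s*process\s+(\S+)\s*;")
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?:[^:\s]+:){2}(?P<sdom>[^:\s]+).*?tclass=(?P<tclass>\S+)'
)

def parse_process_transitions(text):
    """Map (source domain, entrypoint type) -> target domain from sesearch -T lines."""
    rules = {}
    for line in text.splitlines():
        m = TRANS_RE.match(line.strip())
        if m:
            rules[(m.group(1), m.group(2))] = m.group(3)
    return rules

def parse_avc_denials(text):
    """Extract (source domain, comm, permissions, tclass) from AVC denial records."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            found.append((m["sdom"], m["comm"], m["perms"], m["tclass"]))
    return found

def mail_transition_report(avc_text, sesearch_text, entrypoint="sendmail_exec_t"):
    """For each denying domain, the domain an exec of `entrypoint` would land in.
    None means no type_transition exists, so the mailer keeps running in the
    script's own domain and its denials are logged against that domain."""
    rules = parse_process_transitions(sesearch_text)
    return {sdom: rules.get((sdom, entrypoint))
            for sdom, _comm, _perms, _tclass in parse_avc_denials(avc_text)}

if __name__ == "__main__":
    for dom, target in mail_transition_report(AVC_LINES, SESEARCH_OUTPUT).items():
        print(dom, "->", target or "no transition (stays in " + dom + ")")
```

On a real host, feed it the output of "sesearch -T -t sendmail_exec_t" and the AVC records from ausearch instead of the constructed samples.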