On 09/02/2011 07:33 PM, Robin Lee Powell wrote:
>
> (Background: My SELinux hosts are all F15, fairly base
> installation, with the unconfined module disabled)
>
> I have a host that is for random hackery, and hence is (or at
> least is allowed to be) less secure than the others.
>
> I have a user who made a CGI (running under apache; python, in
> case that matters) that pulls things from elsewhere on the web and
> then sends email with the results.
>
> This generates a pretty large number of AVC denials, which I
> suppose is reasonable since that behaviour looks an awful lot like
> "I just got hijacked and am now being used for spam distribution".
>
> One thing I was genuinely surprised by though is that the
> mail-related denials all came in for httpd_user_script_t, rather
> than sendmail_t or something, and that no attempt to transition to
> sendmail_t seems to have occurred or been denied or anything, as
> I'd have expected (it sends mail with /bin/mail).
>
> FWIW, here's the AVCs:
>
> http://fpaste.org/ZyHg/ (uses date from the input form only)
>
> http://fpaste.org/M9Fq/ (goes out and talks to another website)
>
> I've learned a lot about SELinux recently, but it's all been
> piecemeal, so this is more of a "what's the right thing?" question
> designed for me to learn from more than "what's the fastest way
> to fix this?".
>
> So, what's the right way to handle this situation?
>
> httpd_user_script_exec_t doesn't do the trick at all (which is
> probably good since it turns out user_u can set that with chcon,
> which I didn't expect).
>
> Is there some way without installing a module (i.e. with semanage
> or similar) to indicate to SELinux "Yeah, this script over here?
> It can talk to the web" (or "send email")?
>
> Is there a way to indicate that system-wide without installing a
> module?
> (not that I would, just curious)
>
> If doing it via module, it's best to create a bobs_script_exec_t
> and bobs_script_t and do everything for those types, rather than
> httpd_user_script_exec_t and friends, right? This means that a
> user making a non-trivial CGI has to come talk to me, which is a
> tad unfortunate but not horrible.
>
> Thanks for all enlightenment here, and please feel free to go the
> "you're thinking about it wrong" route; I'm really wanting to
> learn.
>
> -Robin
>

If you are going to want users to be able to send mail via cgi scripts, you will need to add policy for this. Something like

mta_send_mail(httpd_user_script_t)

should solve that problem.

Changing the label of the users directories to httpd_sys_script_exec_t would change the cgi to run as httpd_sys_script_t which gives them more privs.

Another boolean you might want to turn on would be httpd_unified.
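As an added example (not part of the message or of the Fedora policy), a small script that writes the local policy module the reply describes, builds and loads it with the refpolicy devel Makefile, and reports the httpd_unified boolean and any remaining httpd_user_script_t denials. The module name local_cgi_mail and the working directory are assumptions.

```shell
#!/bin/sh
# Added example: local SELinux module granting the mta_send_mail() interface
# to httpd_user_script_t, as suggested in the reply. Module name and working
# directory are arbitrary choices, not values from the thread.
set -eu

MODULE=local_cgi_mail
WORKDIR=${WORKDIR:-$(mktemp -d)}

# Write the type-enforcement source; prints the path of the .te file.
write_te() {
    cat > "$WORKDIR/$MODULE.te" <<'EOF'
policy_module(local_cgi_mail, 1.0)

gen_require(`
    type httpd_user_script_t;
')

# Let per-user CGI scripts run the system mailer (/bin/mail -> sendmail)
# with the domain transition the MTA policy expects, instead of leaving
# every mail-related access as an httpd_user_script_t denial.
mta_send_mail(httpd_user_script_t)
EOF
    printf '%s\n' "$WORKDIR/$MODULE.te"
}

# Compile with the refpolicy devel Makefile (selinux-policy-devel) and load
# the resulting .pp; needs root. Not invoked unless "build" is passed.
build_and_load() {
    cd "$WORKDIR"
    make -f /usr/share/selinux/devel/Makefile "$MODULE.pp"
    semodule -i "$MODULE.pp"
}

# The broader alternative mentioned in the reply: report the boolean state.
show_unified() {
    getsebool httpd_unified
}

# Count recent AVC denials still attributed to the user CGI domain; after the
# module is loaded, mail-related entries should no longer appear here.
count_cgi_denials() {
    ausearch -m AVC -ts recent 2>/dev/null \
        | grep -c 'scontext=.*httpd_user_script_t' || true
}

if [ "${1:-}" = build ]; then
    write_te >/dev/null
    build_and_load
fi
```

Run with the argument `build` as root to compile and load the module; without it the script only defines the helpers.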