On Tue, Sep 06, 2011 at 10:20:26AM -0400, Daniel J Walsh wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 09/02/2011 07:33 PM, Robin Lee Powell wrote: > > > > (Background: My SELinux hosts are all F15, fairly base > > installation, with the unconfined module disabled) > > > > I have a host that is for random hackery, and hence is (or at > > least is allowed to be) less secure than the others. > > > > I have a user who made a CGI (running under apache; python, in > > case that matters) that pulls things from elsewhere on the web and > > then sends email with the results. > > > > This generates a pretty large number of AVC denials, which I > > suppose is reasonable since that behaviour looks an awful lot like > > "I just got hijacked and am now being used for spam distribution". > > > > One thing I was genuinely surprised by though is that the > > mail-related denials all came in for httpd_user_script_t , rather > > than sendmail_t or something, and that no attempt to transition to > > sendmail_t seems to have occured or been denied or anything, as > > I'd have expected (it sends mail with /bin/mail ). > > > > FWIW, here's the AVCs: > > > > http://fpaste.org/ZyHg/ (uses date from the input form only) > > > > http://fpaste.org/M9Fq/ (goes out and talks to another website) > > > > I've learned a lot about SELinux recently, but it's all been > > piecemeal, so this is more of a "what's the right thing?" question > > designed to for me to learn from more than "what's the fastest way > > to fix this?". > > > > So, what's the right way to handle this situation? > > > > httpd_user_script_exec_t doesn't do the trick at all (which is > > probably good since it turns out user_u can set that with chcon, > > which I didn't expect). > > > > Is there some way without installing a module (i.e. with semanage > > or similar) to indicate to SELinux "Yeah, this script over here? > > It can talk to the web" (or "send email")? > > > > Is there a way to indicate that system-wide without installing a > > module? (not that I would, just curious) > > > > If doing it via module, it's best to create a bobs_script_exec_t > > and bobs_script_t and do everything for those types, rather than > > httpd_user_script_exec_t and friends, right? This means that a > > user making a non-trivial CGI has to come talk to me, which is a > > tad unfortunate but not horrible. > > > > Thanks for all enlightenment here, and please feel free to go the > > "you're thinking about it wrong" route; I'm really wanting to > > learn. > > > > -Robin > > > > > If you are going to want users to be able to send mail via cgi > scripts, you will need to add policy for this. > > Something like > > mta_send_mail(httpd_user_script_t) > > Should solve that problem. > > Changing the label of the users directories to > httpd_sys_script_exec_t would change the cgi to run as > httpd_sys_script_t which gives them more privs. > > Another boolean you might want to turn on would be httpd_unified. Thanks. dgrift suggested that httpd_unified would be bad, so I ended up making a policy module for this script, which should be pretty easy to repurpose for other semi-priviledged CGIs, so I'm pasting here in case other people in the future end up finding this thread. It looks long-ish, but the vast majority is allowing the user to manage the files. -Robin - ---------------------- policy_module(myrealcorpus, 1.0.0) ######################################## # # Declarations # require { type httpd_user_content_t; type user_home_t; type user_home_dir_t; type tmp_t; type user_t; type user_tmp_t; } #============= lojban_corpus_t ============== # Behave much like a CGI; creates the usual such types, httpd_corpus_script_t and friends apache_content_template(corpus) # Be able to send email mta_send_mail( httpd_corpus_script_t ) # Interact with /tmp files_manage_generic_tmp_files( httpd_corpus_script_t ) allow httpd_corpus_script_t tmp_t:dir manage_dir_perms; # Talk to the internet userdom_basic_networking( httpd_corpus_script_t ) # DNS lookup sysnet_dns_name_resolve( httpd_corpus_script_t ) # File and directory access list_dirs_pattern( httpd_corpus_script_t, httpd_user_content_t, httpd_user_content_t) list_dirs_pattern( httpd_corpus_script_t, user_home_dir_t, user_home_dir_t) read_files_pattern( httpd_corpus_script_t, user_home_t, user_home_t) manage_dirs_pattern( httpd_corpus_script_t, user_tmp_t, user_tmp_t) manage_files_pattern( httpd_corpus_script_t, user_tmp_t, user_tmp_t) # Allowing normal users (i.e. user_t) to access the files in question, and to # relabel things to these labels. manage_dirs_pattern( user_t, httpd_corpus_rw_content_t, httpd_corpus_rw_content_t) manage_files_pattern( user_t, httpd_corpus_rw_content_t, httpd_corpus_rw_content_t) exec_files_pattern( user_t, httpd_corpus_rw_content_t, httpd_corpus_rw_content_t) relabel_dirs_pattern( user_t, httpd_corpus_rw_content_t, httpd_corpus_rw_content_t) relabel_files_pattern( user_t, httpd_corpus_rw_content_t, httpd_corpus_rw_content_t) manage_dirs_pattern( user_t, httpd_corpus_script_exec_t, httpd_corpus_script_exec_t) manage_files_pattern( user_t, httpd_corpus_script_exec_t, httpd_corpus_script_exec_t) exec_files_pattern( user_t, httpd_corpus_script_exec_t, httpd_corpus_script_exec_t) relabel_dirs_pattern( user_t, httpd_corpus_script_exec_t, httpd_corpus_script_exec_t) relabel_files_pattern( user_t, httpd_corpus_script_exec_t, httpd_corpus_script_exec_t) - ---------------------- -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
