Daniel J Walsh wrote:
> On 01/08/2013 11:28 PM, David Highley wrote:
> > I get the following avc from using mythtv's web interface.
> >
> > ----
> > time->Tue Jan 8 19:14:57 2013
> > type=SYSCALL msg=audit(1357701297.336:4077): arch=c000003e syscall=109 success=no exit=-13 a0=0 a1=0 a2=1340cb0 a3=0 items=0 ppid=5777 pid=8018 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> > type=AVC msg=audit(1357701297.336:4077): avc: denied { setpgid } for pid=8018 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
> > ----
> > time->Tue Jan 8 19:17:56 2013
> > type=SYSCALL msg=audit(1357701476.763:4085): arch=c000003e syscall=109 success=no exit=-13 a0=0 a1=0 a2=22c5b10 a3=0 items=0 ppid=5774 pid=8113 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> > type=AVC msg=audit(1357701476.763:4085): avc: denied { setpgid } for pid=8113 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
> >
> > I checked the script:
> > ls -Z /usr/share/mythweb/mythweb.pl
> > -rwxr-xr-x. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /usr/share/mythweb/mythweb.pl
> >
> > Do I need to define the following?
> >
> > require {
> > 	type httpd_sys_script_t;
> > 	class process setpgid;
> > }
> >
> > #============= httpd_sys_script_t ==============
> > allow httpd_sys_script_t self:process setpgid;
> >
> > --
> > selinux mailing list
> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> Yes, although I guess the question is whether we should allow this by default.
> What risk do we have from allowing a cgi script the ability to call setpgid?

The only information I could find were previous bugzilla.redhat.com reports, which seemed to recommend local policy, and a 2003 SANS Institute report titled "Global Information Assurance Certification Paper", which seemed to indicate allowing it. Oh, and I did ask one of our information assurance people, who did not know if there were any issues.
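An added example, not from the thread and not the SELinux tools' own code: it does the small part of audit2allow's job that the exchange above relies on, parsing the two quoted AVC records and deriving the `require`/`allow` rule David proposed, collapsing an identical source and target type to `self`. The sample log is constructed from the records quoted above.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in the thread, one per line as ausearch prints them.
AVC_LOG = """\
type=AVC msg=audit(1357701297.336:4077): avc:  denied  { setpgid } for  pid=8018 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1357701476.763:4085): avc:  denied  { setpgid } for  pid=8113 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def te_type(context):
    """The type is the third colon-separated field of a security context."""
    return context.split(":")[2]

def parse_denials(log):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL and other record types carry no "avc: denied" field
            key = (te_type(m["scontext"]), te_type(m["tcontext"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return denials

def fmt_perms(perms):
    """audit2allow style: a bare name for one permission, { a b } for several."""
    names = sorted(perms)
    return names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"

def make_te(denials):
    """Render a require block plus one allow rule per (source, target, class)."""
    types, classes, rules = set(), defaultdict(set), []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        types.update({src, tgt})
        classes[tclass].update(perms)
        # Identical source and target type: the process acts on itself, so use self.
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{tclass} {fmt_perms(perms)};")
    out = ["require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    return "\n".join(out + ["}", ""] + rules)

if __name__ == "__main__":
    print(make_te(parse_denials(AVC_LOG)))
```

The output is the same `.te` body David posted; whether to ship it as local policy or in the distribution policy is the question Daniel raises, and this only mechanises the translation from denial to rule.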