Re: AVC question

On Wed, 2013-01-09 at 13:35 -0800, David Highley wrote:
> "Daniel J Walsh wrote:"
> > 
> > On 01/08/2013 11:28 PM, David Highley wrote:
> > > I get the following avc from using mythtv's web interface.
> > > 
> > > ---- time->Tue Jan  8 19:14:57 2013 type=SYSCALL
> > > msg=audit(1357701297.336:4077): arch=c000003e syscall=109 success=no
> > > exit=-13 a0=0 a1=0 a2=1340cb0 a3=0 items=0 ppid=5777 pid=8018 
> > > auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 
> > > fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl" 
> > > subj=system_u:system_r:httpd_sys_script_t:s0 key=(null) type=AVC
> > > msg=audit(1357701297.336:4077): avc:  denied  { setpgid } for pid=8018
> > > comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 
> > > tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process ---- 
> > > time->Tue Jan  8 19:17:56 2013 type=SYSCALL msg=audit(1357701476.763:4085):
> > > arch=c000003e syscall=109 success=no exit=-13 a0=0 a1=0 a2=22c5b10 a3=0
> > > items=0 ppid=5774 pid=8113 auid=4294967295 uid=48 gid=48 euid=48 suid=48
> > > fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
> > > comm="mythweb.pl" exe="/usr/bin/perl" 
> > > subj=system_u:system_r:httpd_sys_script_t:s0 key=(null) type=AVC
> > > msg=audit(1357701476.763:4085): avc:  denied  { setpgid } for pid=8113
> > > comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 
> > > tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
> > > 
> > > I checked the script:
> > > ls -Z /usr/share/mythweb/mythweb.pl
> > > -rwxr-xr-x. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /usr/share/mythweb/mythweb.pl
> > > 
> > > Should I need to define the following?
> > > 
> > > require { type httpd_sys_script_t; class process setpgid; }
> > > 
> > > #============= httpd_sys_script_t ==============
> > > allow httpd_sys_script_t self:process setpgid;
> > > --
> > > selinux mailing list
> > > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > > https://admin.fedoraproject.org/mailman/listinfo/selinux
> > > 
> > Yes, although I guess the question is whether we should allow this by default.
> > What risk do we have from allowing a cgi script the ability to call setpgid?
> 
> The only information I could find were previous bugzilla.redhat.com reports
> which seemed to recommend local policy and a 2003 SANS Institute report
> titled, Global Information Assurance Certification Paper which seemed to
> indicate allowing it. Oh, and I did ask one of our information assurance
> people who did not know if there were any issues.
> 

We do not have to run mythweb.pl in the httpd_sys_script_t domain:

cat > mymythweb.te <<'EOF'
policy_module(mymythweb, 1.0.0)

# Give mythweb.pl its own CGI domain (httpd_mymythweb_script_t) instead of
# the shared httpd_sys_script_t, so the extra permission applies only to it.
apache_content_template(mymythweb)

allow httpd_mymythweb_script_t self:process setpgid;
EOF

cat > mymythweb.fc <<'EOF'
/usr/share/mythweb/mythweb\.pl	--	gen_context(system_u:object_r:httpd_mymythweb_script_exec_t,s0)
EOF

make -f /usr/share/selinux/devel/Makefile mymythweb.pp
sudo semodule -i mymythweb.pp
sudo restorecon -v /usr/share/mythweb/mythweb.pl




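As an added triage helper (not code from the thread or from any SELinux tool), the shell function below parses AVC records in the format quoted above and prints the candidate allow rule that audit2allow would derive, so a denial like the setpgid one can be reviewed before deciding whether it belongs in a local module, in a dedicated domain, or nowhere. The sample records are the thread's two AVCs, re-joined one per line; the function name is a hypothetical one.

```shell
#!/bin/sh
# Constructed sample input: the two AVC records from the thread, re-joined
# one record per line as audit.log / ausearch would present them.
AVC_SAMPLE='type=AVC msg=audit(1357701297.336:4077): avc:  denied  { setpgid } for pid=8018 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1357701476.763:4085): avc:  denied  { setpgid } for pid=8113 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process'

# avc_to_rule (hypothetical helper): read AVC records on stdin and print one
# candidate allow rule per distinct (source type, target type, class,
# permissions) tuple. The target becomes "self" when source and target types
# match, and several permissions are wrapped in braces, mirroring what
# audit2allow prints. It only prints; nothing is loaded into the kernel.
avc_to_rule() {
    awk '
    /type=AVC/ && /avc: *denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        # permissions sit between "{ " and " }"
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            # the type is the third colon-separated field of a context
            if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
            else if (kv[1] == "tclass")   cls = kv[2]
        }
        if (perm == "" || src == "" || cls == "") next
        if (src == tgt) tgt = "self"
        if (index(perm, " ") > 0) perm = "{ " perm " }"
        rule = "allow " src " " tgt ":" cls " " perm ";"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# Example run on the constructed sample: both records collapse to one rule.
printf '%s\n' "$AVC_SAMPLE" | avc_to_rule
```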


