On 01/09/2013 05:22 PM, Dominick Grift wrote:
> On Wed, 2013-01-09 at 13:35 -0800, David Highley wrote:
>> "Daniel J Walsh wrote:"
>>> > On 01/08/2013 11:28 PM, David Highley wrote:
>>>>> I get the following avc from using mythtv's web interface.
>>>>>
>>>>> ----
>>>>> time->Tue Jan 8 19:14:57 2013
>>>>> type=SYSCALL msg=audit(1357701297.336:4077): arch=c000003e syscall=109 success=no exit=-13 a0=0 a1=0 a2=1340cb0 a3=0 items=0 ppid=5777 pid=8018 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
>>>>> type=AVC msg=audit(1357701297.336:4077): avc: denied { setpgid } for pid=8018 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
>>>>> ----
>>>>> time->Tue Jan 8 19:17:56 2013
>>>>> type=SYSCALL msg=audit(1357701476.763:4085): arch=c000003e syscall=109 success=no exit=-13 a0=0 a1=0 a2=22c5b10 a3=0 items=0 ppid=5774 pid=8113 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
>>>>> type=AVC msg=audit(1357701476.763:4085): avc: denied { setpgid } for pid=8113 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
>>>>>
>>>>> I checked the script, ls -Z /usr/share/mythweb/mythweb.pl
>>>>> -rwxr-xr-x. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /usr/share/mythweb/mythweb.pl
>>>>>
>>>>> Should I need to define the following?
>>>>>
>>>>> require {
>>>>>     type httpd_sys_script_t;
>>>>>     class process setpgid;
>>>>> }
>>>>>
>>>>> #============= httpd_sys_script_t ==============
>>>>> allow httpd_sys_script_t self:process setpgid;
>>>>>
>>>>> --
>>>>> selinux mailing list
>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>
> Yes, although I guess the question is whether we should allow this by
> default. What risk do we have from allowing cgi script the ability to call
> setpgid.
>>>
>>> The only information I could find were previous bugzilla.redhat.com
>>> reports which seemed to recommend local policy and a 2003 SANS
>>> Institute report titled, Global Information Assurance Certification
>>> Paper which seemed to indicate allowing it. Oh, and I did ask one of
>>> our information assurance people who did not know if there were any
>>> issues.
>>>
>
>> we do not have to run mythweb.pl in httpd_sys_script_t domain:
>
>> echo "policy_module(mymythweb, 1.0.0)
>> apache_content_template(mymythweb)
>> allow httpd_mymythweb_script_t self:process setpgid;" > mymythweb.te
>
>> echo "/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:httpd_mymythweb_script_exec_t,s0)" > mymythweb.fc
>
>> make -f /usr/share/selinux/devel/Makefile mymythweb.pp
>> sudo semodule -i mymythweb.pp
>> sudo restorecon -v /usr/share/mythweb/mythweb.pl
>
>
>>>
>
Seems like an idea, not sure what mythweb does? Where is its content stored?
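The recipe Dominick posts above (a private script domain via apache_content_template, a file context for the script, build with the devel Makefile, load with semodule, relabel) is the least-privilege alternative to David's audit2allow-style rule, which would hand setpgid to every CGI running as httpd_sys_script_t. The script below is an added example, not code from the thread or from the SELinux reference policy: it turns the recipe into checkable shell functions, derives the broad allow rule from the AVC record so the two can be compared, and only attempts the build and install when /usr/share/selinux/devel/Makefile and semodule exist (an assumption about the host; everything else runs anywhere). The module name mymythweb and the path /usr/share/mythweb/mythweb.pl come from the thread; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): build the dedicated mythweb script
# domain Dominick Grift describes, and show the broad rule it replaces.
# Assumes the refpolicy devel Makefile at /usr/share/selinux/devel/Makefile
# and an apache module that provides apache_content_template().

MODNAME=mymythweb
SCRIPT_PATH='/usr/share/mythweb/mythweb.pl'

# Derive the allow rule from one "avc: denied" record the way audit2allow
# would: source type, target type (self when equal), class, permission set.
avc_to_allow() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' | sed 's/ *$//')
    stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    [ -n "$perms" ] && [ -n "$stype" ] && [ -n "$tclass" ] || return 1
    [ "$stype" = "$ttype" ] && ttype=self
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
}

# Type-enforcement source: a private script domain plus the single extra
# permission, granted to that domain only rather than to httpd_sys_script_t.
gen_te() {
    cat <<EOF
policy_module($MODNAME, 1.0.0)

apache_content_template($MODNAME)

# setpgid was denied for mythweb.pl (tclass=process); grant it here only.
allow httpd_${MODNAME}_script_t self:process setpgid;
EOF
}

# File-context source: label the script so httpd transitions into the
# private domain. The dot is escaped because .fc paths are regular expressions.
gen_fc() {
    esc=$(printf '%s' "$SCRIPT_PATH" | sed 's/\./\\./g')
    printf '%s -- gen_context(system_u:object_r:httpd_%s_script_exec_t,s0)\n' "$esc" "$MODNAME"
}

# Write both sources into a directory; returns non-zero if either write fails.
write_module() {
    dir=$1
    gen_te > "$dir/$MODNAME.te" && gen_fc > "$dir/$MODNAME.fc"
}

# Build and install only when the SELinux devel tooling is present.
build_and_install() {
    dir=$1
    if [ ! -f /usr/share/selinux/devel/Makefile ] || ! command -v semodule >/dev/null 2>&1; then
        echo "SELinux devel Makefile or semodule not found; skipping build" >&2
        return 2
    fi
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$MODNAME.pp" ) \
        && sudo semodule -i "$dir/$MODNAME.pp" \
        && sudo restorecon -v "$SCRIPT_PATH"
}

# After loading: the script should carry the new exec type, so a fresh AVC
# for setpgid would name httpd_mymythweb_script_t instead of the shared domain.
check_label() {
    ls -Z "$SCRIPT_PATH" 2>/dev/null | grep -q "httpd_${MODNAME}_script_exec_t"
}

# Stand-alone run: write the sources; pass --install to build and load them.
workdir=$(mktemp -d)
write_module "$workdir" && echo "module sources written to $workdir"
[ "${1:-}" = "--install" ] && build_and_install "$workdir" || :
```

Running it without arguments only writes mymythweb.te and mymythweb.fc into a temporary directory for inspection; with --install it runs the same make, semodule and restorecon steps as the thread. Comparing the output of avc_to_allow on the posted AVC record (allow httpd_sys_script_t self:process { setpgid };) with the rule in gen_te shows exactly what the private domain buys: the permission stays, the set of processes that receive it shrinks to mythweb.pl.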