"Daniel J Walsh wrote:"
> On 01/09/2013 05:22 PM, Dominick Grift wrote:
> > On Wed, 2013-01-09 at 13:35 -0800, David Highley wrote:
> >> "Daniel J Walsh wrote:"
> >>> On 01/08/2013 11:28 PM, David Highley wrote:
> >>>> I get the following avc from using mythtv's web interface.
> >>>>
> >>>> ----
> >>>> time->Tue Jan 8 19:14:57 2013
> >>>> type=SYSCALL msg=audit(1357701297.336:4077): arch=c000003e syscall=109 success=no exit=-13 a0=0 a1=0 a2=1340cb0 a3=0 items=0 ppid=5777 pid=8018 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> >>>> type=AVC msg=audit(1357701297.336:4077): avc: denied { setpgid } for pid=8018 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
> >>>> ----
> >>>> time->Tue Jan 8 19:17:56 2013
> >>>> type=SYSCALL msg=audit(1357701476.763:4085): arch=c000003e syscall=109 success=no exit=-13 a0=0 a1=0 a2=22c5b10 a3=0 items=0 ppid=5774 pid=8113 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> >>>> type=AVC msg=audit(1357701476.763:4085): avc: denied { setpgid } for pid=8113 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
> >>>>
> >>>> I checked the script, ls -Z /usr/share/mythweb/mythweb.pl
> >>>> -rwxr-xr-x. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /usr/share/mythweb/mythweb.pl
> >>>>
> >>>> Should I need to define the following?
> >>>>
> >>>> require {
> >>>> 	type httpd_sys_script_t;
> >>>> 	class process setpgid;
> >>>> }
> >>>>
> >>>> #============= httpd_sys_script_t ==============
> >>>> allow httpd_sys_script_t self:process setpgid;
> >>>> --
> >>>> selinux mailing list
> >>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> >>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>
> >>> Yes, although I guess the question is whether we should allow this by default. What risk do we have from allowing a cgi script the ability to call setpgid.
> >>
> >> The only information I could find were previous bugzilla.redhat.com reports which seemed to recommend local policy and a 2003 SANS Institute report titled, Global Information Assurance Certification Paper which seemed to indicate allowing it. Oh, and I did ask one of our information assurance people who did not know if there were any issues.
> >
> > we do not have to run mythweb.pl in httpd_sys_script_t domain:
> >
> > echo "policy_module(mymythweb, 1.0.0)
> > apache_content_template(mymythweb)
> > allow httpd_mymythweb_script_t self:process setpgid;" > mymythweb.te
> >
> > echo "/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:httpd_mymythweb_script_exec_t,s0)" > mymythweb.fc
> >
> > make -f /usr/share/selinux/devel/Makefile mymythweb.pp
> > sudo semodule -i mymythweb.pp
> > sudo restorecon -v /usr/share/mythweb/mythweb.pl
> >
> Seems like an idea, not sure what mythweb does? Where is its content stored?

It is the web interface to mythtv which I believe there is already previous selinux policy for. The scripts are located in /usr/share/mythweb. Should I open a bug report? Which approach should I recommend in the report?
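As an added example (not code from the thread or from the SELinux tools), a minimal audit2allow-style generator in Python that turns the two AVC records quoted above into the require/allow rule David posted, and can optionally rewrite the source domain so the rule targets a derived domain such as Dominick's httpd_mymythweb_script_t instead of the shared httpd_sys_script_t. The audit text is the thread's own two AVC lines, embedded here as constructed input; the `rename` parameter and all function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC records from the thread, as ausearch prints them.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1357701297.336:4077): avc:  denied  { setpgid } for  pid=8018 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1357701476.763:4085): avc:  denied  { setpgid } for  pid=8113 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
"""

# Pull the permission set, both contexts and the object class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avc(text, rename=None):
    """Yield (source_type, target_type, class, perms) per denial; rename maps domain types."""
    rename = rename or {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and other noise carry no scontext/tclass
        stype = m.group("sctx").split(":")[2]  # user:role:type[:range] -> type
        ttype = m.group("tctx").split(":")[2]
        yield (rename.get(stype, stype), rename.get(ttype, ttype),
               m.group("tclass"), frozenset(m.group("perms").split()))

def fmt_perms(perms):
    """audit2allow style: a lone permission is bare, several are braced."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def generate_rules(text, rename=None):
    """Collapse denials into require/allow rules; a target equal to its source becomes 'self'."""
    by_key, by_class = defaultdict(set), defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text, rename):
        by_key[(stype, ttype, tclass)] |= perms
        by_class[tclass] |= perms
    types = sorted({t for key in by_key for t in key[:2]})
    out = ["require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(by_class.items())]
    out.append("}")
    for (stype, ttype, tclass), perms in sorted(by_key.items()):
        target = "self" if stype == ttype else ttype
        out += ["", f"#============= {stype} ==============",
                f"allow {stype} {target}:{tclass} {fmt_perms(perms)};"]
    return "\n".join(out)

if __name__ == "__main__":
    print(generate_rules(SAMPLE_AUDIT))
    print(generate_rules(SAMPLE_AUDIT, rename={"httpd_sys_script_t": "httpd_mymythweb_script_t"}))
```

The renamed rule only makes sense inside a module that also declares the derived domain (the apache_content_template line and the .fc entry from Dominick's reply); on its own it has no type to attach to, which is exactly why reviewing each generated allow rule before loading it matters.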