-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/14/2013 11:22 PM, David Highley wrote:
> "Daniel J Walsh wrote:"
>> On 01/11/2013 11:34 AM, David Highley wrote:
>>> "Daniel J Walsh wrote:"
>>>> On 01/09/2013 05:22 PM, Dominick Grift wrote:
>>>>> On Wed, 2013-01-09 at 13:35 -0800, David Highley wrote:
>>>>>> "Daniel J Walsh wrote:"
>>>>>>> On 01/08/2013 11:28 PM, David Highley wrote:
>>>>>>>> I get the following avc from using mythtv's web interface.
>>>>>>>>
>>>>>>>> ----
>>>>>>>> time->Tue Jan 8 19:14:57 2013
>>>>>>>> type=SYSCALL msg=audit(1357701297.336:4077): arch=c000003e syscall=109 success=no exit=-13 a0=0 a1=0 a2=1340cb0 a3=0 items=0 ppid=5777 pid=8018 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
>>>>>>>> type=AVC msg=audit(1357701297.336:4077): avc: denied { setpgid } for pid=8018 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
>>>>>>>> ----
>>>>>>>> time->Tue Jan 8 19:17:56 2013
>>>>>>>> type=SYSCALL msg=audit(1357701476.763:4085): arch=c000003e syscall=109 success=no exit=-13 a0=0 a1=0 a2=22c5b10 a3=0 items=0 ppid=5774 pid=8113 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
>>>>>>>> type=AVC msg=audit(1357701476.763:4085): avc: denied { setpgid } for pid=8113 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
>>>>>>>>
>>>>>>>> I checked the script:
>>>>>>>> ls -Z /usr/share/mythweb/mythweb.pl
>>>>>>>> -rwxr-xr-x. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /usr/share/mythweb/mythweb.pl
>>>>>>>>
>>>>>>>> Should I need to define the following?
>>>>>>>>
>>>>>>>> require {
>>>>>>>>         type httpd_sys_script_t;
>>>>>>>>         class process setpgid;
>>>>>>>> }
>>>>>>>>
>>>>>>>> #============= httpd_sys_script_t ==============
>>>>>>>> allow httpd_sys_script_t self:process setpgid;
>>>>>>>> --
>>>>>>>> selinux mailing list
>>>>>>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>
>>>>>>> Yes, although I guess the question is whether we should allow this by default. What risk do we have from allowing cgi script the ability to call setpgid?
>>>>>>
>>>>>> The only information I could find were previous bugzilla.redhat.com reports which seemed to recommend local policy and a 2003 SANS Institute report titled, Global Information Assurance Certification Paper, which seemed to indicate allowing it. Oh, and I did ask one of our information assurance people who did not know if there were any issues.
>>>>>
>>>>> We do not have to run mythweb.pl in the httpd_sys_script_t domain:
>>>>>
>>>>> echo "policy_module(mymythweb, 1.0.0)
>>>>> apache_content_template(mymythweb)
>>>>> allow httpd_mymythweb_script_t self:process setpgid;" > mymythweb.te
>>>>>
>>>>> echo "/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:httpd_mymythweb_script_exec_t,s0)" > mymythweb.fc
>>>>>
>>>>> make -f /usr/share/selinux/devel/Makefile mymythweb.pp
>>>>> sudo semodule -i mymythweb.pp
>>>>> sudo restorecon -v /usr/share/mythweb/mythweb.pl
>>>>
>>>> Seems like an idea, not sure what mythweb does? Where is its content stored?
>>>
>>> It is the web interface to mythtv, which I believe there is already previous selinux policy for. The scripts are located in /usr/share/mythweb. Should I open a bug report? Which approach should I recommend in the report?
>>
>> Yes, a bug report would be good with a description of what files need to be written by the cgi scripts.
>>
>> Basically I would like to write a policy type httpd_mythtv_script_t and then add appropriate rules and types for files this type might need to write to.
>>
>> /var/log? /var/lib? /run? /var? ...
>
> Fixed places it can write are:
> /var/log/mythtv - log files
> /var/lib/mythtv - home directory which appears not to be used
> /etc/mythtv - configuration files it reads
>
> Recording location is user configurable so it can be anywhere, including remote NFS storage, and can be divided into separate areas for different types of multimedia. Since one of the many ways to access this area is the web interface, we have done the following:
> semanage fcontext -a -t httpd_sys_content_t /export/recordings
>
> Types of files written for video recordings are:
> .mpg - mpeg video file
> .mpg.png - image clip file
>
> Then depending on need recordings can be post processed and transcoded into many other formats like .mp4, H 264 format, AVI, and the list could be quite long. We create a subdirectory in the recording area and store the mysql database backups there, which have an extension of .sql.gz. But the backups could be configured to be stored anywhere.
>
> Mythtv also uses mysql so we set the following sebools on:
> setsebool -P nfs_export_all_rw on
> setsebool -P httpd_builtin_scripting on
> setsebool -P httpd_can_network_connect on
> setsebool -P httpd_can_network_connect_db on
> setsebool -P httpd_use_nfs on
>
> My old notes indicate that we needed to do the following, but I'm not sure it is still needed.
> chcon -v -t httpd_sys_rw_content_t /usr/share/mythweb/data
>
> This is a large application and we do not use all of it so there may be other places it can write. We do see NFS automount requests for places that do not exist in our system. You might want to talk with Jarod Wilson, who works, I think, in your area for Red Hat. He has been a long time user of Mythtv and may have done some development on the application.
>
> I will move this information to a bug report if I have all the information you need.

Here is my first pass at policy. Problem is it will not be allowed to install, because of conflicts in the apache module, which I have checked into Rawhide. If you want to test, extract the tgz file and install the updated apache file along with the mythtv files.

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mythtv.pp apache.pp
# restorecon -R -v /var/log /var/lib /usr/share

Then try it out. Please send me any AVC messages you get.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlD1i9oACgkQrlYvE4MpobNwCwCdEDjHh/nxQCq/4lxdSClVB6rw
rzAAoLDoGq0i26wzmgKipEKfyrdQaxSu
=37bp
-----END PGP SIGNATURE-----
Attachment:
mythtv.tgz
Description: GNU Zip compressed data
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux
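The thread above turns on one decision: grant `setpgid` to the shared `httpd_sys_script_t` domain (which every CGI script on the box runs in) or confine mythweb.pl in its own domain via `apache_content_template()`, as Dominick shows, so only that script gains the permission. The following script is an added example and is not code from the thread, from the SELinux reference policy, or from Fedora. It parses AVC records of the kind David posted into audit2allow-style allow rules, flags when those rules would widen a shared CGI domain, and drafts the dedicated-domain `.te` instead. The sample log is constructed: the `setpgid` records mirror the two denials quoted above, and the trailing `var_log_t` file-write denial is invented to show a rule whose target is not `self`. The `SHARED_CGI_DOMAINS` list and the `require { ... }` block emitted for foreign target types are this example's own assumptions; any drafted rule still needs review before it is loaded with `semodule -i`.

```python
"""Summarise SELinux AVC denials and draft a dedicated-domain module.

Added example, not code from the thread. It reads audit records of the
kind quoted above and (a) collapses them into audit2allow-style allow
rules and (b) rewrites them for a per-application domain created with
apache_content_template(), so the permission is not handed to every CGI
script through the shared httpd_sys_script_t domain.
"""
import re
from collections import defaultdict

# Constructed sample input. The first three records are modelled on the
# denials quoted in the thread; the last one (a file write to var_log_t)
# is made up to show a rule whose target is not "self".
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1357701297.336:4077): arch=c000003e syscall=109 success=no exit=-13 comm="mythweb.pl" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1357701297.336:4077): avc:  denied  { setpgid } for  pid=8018 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1357701476.763:4085): avc:  denied  { setpgid } for  pid=8113 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1357701500.000:4090): avc:  denied  { write } for  pid=8120 comm="mythweb.pl" name="mythweb.log" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

# Assumption of this example: domains that every CGI script shares. A rule
# added to one of these widens what *all* scripts in that domain may do.
SHARED_CGI_DOMAINS = {"httpd_sys_script_t"}

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def seltype(context):
    """Return the type component of a user:role:type[:range] context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield (source_type, target_type, tclass, permission) for each denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # SYSCALL and other record types carry no denial
            continue
        for perm in m.group("perms").split():
            yield seltype(m.group("scontext")), seltype(m.group("tcontext")), m.group("tclass"), perm


def summarise(text):
    """Collapse repeated denials into {(stype, ttype, tclass): {perms}}."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perm in parse_avcs(text):
        rules[(stype, ttype, tclass)].add(perm)
    return dict(rules)


def allow_rules(text, domain_map=None):
    """Render allow rules; a target equal to the source is written as self.

    domain_map optionally renames source domains, e.g. to move rules from
    httpd_sys_script_t onto a dedicated httpd_<name>_script_t.
    """
    domain_map = domain_map or {}
    out = []
    for (stype, ttype, tclass), perms in sorted(summarise(text).items()):
        target = "self" if stype == ttype else ttype
        source = domain_map.get(stype, stype)
        out.append(f"allow {source} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out


def touches_shared_domain(text):
    """True if fixing these denials in place would widen a shared CGI domain."""
    return any(stype in SHARED_CGI_DOMAINS for (stype, _, _) in summarise(text))


def dedicated_module(text, name):
    """Draft a .te that confines the script in its own apache_content_template()
    domain, as in the thread, and carries the observed rules over to it.
    The require block for foreign target types is an assumption of this
    example; review every rule before loading the module."""
    domain = f"httpd_{name}_script_t"
    renames = {d: domain for d in SHARED_CGI_DOMAINS}
    foreign = sorted({t for (s, t, _) in summarise(text) if s != t})
    lines = [f"policy_module({name}, 1.0.0)", ""]
    if foreign:
        lines += ["require {"] + [f"\ttype {t};" for t in foreign] + ["}", ""]
    lines += [f"apache_content_template({name})", ""]
    lines += allow_rules(text, renames)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("# observed denials, as audit2allow would draft them:")
    print("\n".join(allow_rules(SAMPLE_AUDIT_LOG)))
    if touches_shared_domain(SAMPLE_AUDIT_LOG):
        print("\n# these would widen a shared domain; dedicated module instead:")
        print(dedicated_module(SAMPLE_AUDIT_LOG, "mymythweb"))
```

Feed it `ausearch -m avc --raw` output (or the `audit.log` lines themselves) and compare the two outputs: the first is what a plain `audit2allow -M` would hand you, the second keeps the new permissions scoped to the one script, which is the approach Dominick's `echo ... > mymythweb.te` steps implement by hand. The generated `.te` still goes through the same `make -f /usr/share/selinux/devel/Makefile`, `semodule -i` and `restorecon` steps as in the thread, with a matching `.fc` entry for the script's `httpd_<name>_script_exec_t` label.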