On Wed, 2013-04-17 at 11:29 +0530, Rejy M Cyriac wrote:
> On 04/17/2013 03:53 AM, Richard Greenwood wrote:
> > I have a CGI application named "mapserv" that needs to write to a
> > specific location: "/rwg/mapserver/tmp". I ran audit2allow which
> > produced the test.te file below. I ran "semodule -i test.pp" and my
> > CGI application is now happy, and so you would think that I should be
> > happy also. But I am confused/concerned because I do not see "mapserv"
> > nor do I see "/rwg/mapserver/tmp" in the te file. So my uninformed
> > interpretation of the te file below is that I have just granted all
> > httpd scripts permission to write to any directory. I did a quick test
> > and this is thankfully /NOT/ the case, but how does SELinux know that I
> > am granting only the "mapserv" application write permissions to only the
> > "/rwg/mapserver/tmp" directory? I feel like there is a big piece that I
> > am completely missing.
> >
> > Thanks for your patience with a newbie.
> > Rich
> >
> >
> > module test 1.0;
> >
> > require {
> >     type httpd_sys_content_t;
> >     type httpd_sys_script_t;
> >     class dir add_name;
> >     class file { write create };
> > }
> >
> > #============= httpd_sys_script_t ==============
> > allow httpd_sys_script_t httpd_sys_content_t:dir add_name;
> > allow httpd_sys_script_t httpd_sys_content_t:file { write create };
> >
> >
> > --
> > Richard Greenwood
> > richard.greenwood@xxxxxxxxx
> > www.greenwoodmap.com
> >
> >
> > --
> > selinux mailing list
> > selinux@xxxxxxxxxxxxxxxxxxxxxxx
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
> Hello Richard,
>
> The new rules that you have put in give access rights to processes
> having the 'httpd_sys_script_t' SELinux type (domain) on directories and
> files having the 'httpd_sys_content_t' SELinux type.
> So strictly
> speaking, this is not just for the "mapserv" application that you have,
> but for all httpd CGI scripts in general, on all 'web-content'
> directories. However, this is fine, and is the usual way that SELinux is
> used, as long as you have control over what CGI scripts are deployed on
> the system, and that only specific directories have the 'web-content'
> SELinux type.
>
> If you desire to have the rules allowed only for a specific process on
> specific directories and files, you have to define special SELinux types
> for the CGI scripts, process, directories and files, rules for the
> process to transition to the expected type (domain), and rules for the
> types to be persistent on the directories and files, and finally access
> rules using those special SELinux types.
>

There is an API available that makes it pretty easy to create a new set of
types for a CGI webapp. Example:

cat > mywebapp.te << EOF
policy_module(mywebapp, 1.0.0)
apache_content_template(mywebapp)
EOF

make -f /usr/share/selinux/devel/Makefile mywebapp.pp
sudo semodule -i mywebapp.pp

Now you can use the following new types:

httpd_mywebapp_script_t (mywebapp process type)
httpd_mywebapp_script_exec_t (mywebapp CGI executable file type)
httpd_mywebapp_content_t (mywebapp read-only file type)
httpd_mywebapp_content_rw_t (mywebapp read/write file type)
httpd_mywebapp_content_ra_t (mywebapp read/append file type)
httpd_mywebapp_htaccess_t (mywebapp htaccess file type)

Basically you can just label the CGI script with the mywebapp script
executable file type and then the mywebapp process will run with the
mywebapp process type, creating files with the mywebapp content file types.
Example:

semanage fcontext -a -t httpd_mywebapp_script_exec_t /var/www/cgi-bin/mywebapp.pl
restorecon -R -v -F /var/www/cgi-bin/mywebapp.pl

That is, of course, if you label /rwg/mapserver/tmp appropriately (it
should probably be tmp_t).

There is a command that allows one to make locations equivalent to other
locations in terms of SELinux file contexts. So to make /rwg/mapserver/tmp
equivalent to /tmp:

semanage fcontext -a -e /tmp /rwg/mapserver/tmp
restorecon -R -v -F /rwg/mapserver/tmp

(or at least something along those lines)

Then all should be set and your webapp and its assets will be
isolated/protected from other confined webapps (at least to some higher
degree).
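As an added example (not part of the thread, and not a tool from the SELinux project), a small Python reviewer for audit2allow output of the kind quoted above: it parses the allow rules and the require block of a .te module and flags rules whose source domain is a type borrowed from the base policy. That is exactly why Richard's test.te applies to every process running as httpd_sys_script_t and every httpd_sys_content_t file, not just to mapserv. It assumes the single-class allow form that audit2allow emits; the sample module text is the one quoted in the thread.

```python
import re

# Constructed input: the audit2allow module quoted in the thread above.
TEST_TE = """module test 1.0;

require {
    type httpd_sys_content_t;
    type httpd_sys_script_t;
    class dir add_name;
    class file { write create };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_sys_content_t:dir add_name;
allow httpd_sys_script_t httpd_sys_content_t:file { write create };
"""

# One allow rule with a single object class, the form audit2allow emits.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)

def parse_allow_rules(te_text):
    """Return (source, target, class, frozenset(perms)) for each allow rule."""
    rules = []
    for src, tgt, cls, perms in ALLOW_RE.findall(te_text):
        rules.append((src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return rules

def required_types(te_text):
    """Types the module borrows from the base policy via its require block."""
    match = re.search(r"require\s*\{(.*?)\n\}", te_text, re.S)
    if not match:
        return set()
    return set(re.findall(r"\btype\s+(\w+)\s*;", match.group(1)))

def review(te_text):
    """Describe each rule and flag those whose source domain is borrowed:
    such a rule is granted to every process already in that domain, not
    to one CGI binary, and a borrowed target type is shared the same way."""
    borrowed = required_types(te_text)
    findings = []
    for src, tgt, cls, perms in parse_allow_rules(te_text):
        findings.append({
            "rule": f"{src} may {' '.join(sorted(perms))} {cls} objects of type {tgt}",
            "widens_base_domain": src in borrowed,
            "shared_target": tgt in borrowed,
        })
    return findings

if __name__ == "__main__":
    for f in review(TEST_TE):
        flag = "WIDENS EXISTING DOMAIN" if f["widens_base_domain"] else "module-local"
        print(f"[{flag}] {f['rule']}")
```

Running it against a module built with apache_content_template, where the source is the new httpd_mywebapp_script_t declared by the module itself, yields no widening flag, which is the isolation the reply above is describing.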