On Wed, 2008-02-27 at 14:31 -0500, Daniel J Walsh wrote:
> Stefan Schulze Frielinghaus wrote:
> > On Wed, 2008-02-27 at 13:07 -0500, Daniel J Walsh wrote:
> >> Stefan Schulze Frielinghaus wrote:
> >>> On Wed, 2008-02-27 at 10:49 -0500, Daniel J Walsh wrote:
> >>>> Stefan Schulze Frielinghaus wrote:
> >>>>> I wanted to fix a problem with awstats and httpd_t but I ran into a
> >>>>> problem and just wanted to hear some other ideas.
> >>>>>
> >>>>> Awstats uses the apache content template:
> >>>>> apache_content_template(awstats)
> >>>>>
> >>>>> And a few awstats icons are labeled as httpd_awstats_content_t. When the
> >>>>> awstats CGI script is executed it generates an HTML file which includes
> >>>>> links to these icons. As soon as the httpd receives a query from the
> >>>>> client to download these icons an AVC is generated and the request is
> >>>>> denied. To allow this I would have to include a rule like:
> >>>>>
> >>>>> allow httpd_t httpd_awstats_content_t:dir getattr;
> >>>>> allow httpd_t httpd_awstats_content_t:file { getattr read };
> >>>>>
> >>>>> But then I would have to write a require statement for my awstats module
> >>>>> to include the type httpd_t as a dependency. While reading the apache.te
> >>>>> file I recognized three lines:
> >>>>>
> >>>>> allow httpd_t httpd_sys_content_t:dir list_dir_perms;
> >>>>> read_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
> >>>>> read_lnk_files_pattern(httpd_t,httpd_sys_content_t,httpd_sys_content_t)
> >>>>>
> >>>>> Why aren't these ones included in the apache_content_template like these
> >>>>> ones:
> >>>>>
> >>>>> allow httpd_t httpd_$1_content_t:dir list_dir_perms;
> >>>>> read_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
> >>>>> read_lnk_files_pattern(httpd_t,httpd_$1_content_t,httpd_$1_content_t)
> >>>>>
> >>>>> This would solve my problem with awstats and what my interpretation of
> >>>>> the httpd_$1_content_t type is that only these files should be read by
> >>>>> the httpd_t directly. I think other ones will run into the same problem
> >>>>> too.
> >>>>>
> >>>>> Any thoughts?
> >>>>>
> >>>>>
> >>>>> --
> >>>>> This message was distributed to subscribers of the selinux mailing list.
> >>>>> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
> >>>>> the words "unsubscribe selinux" without quotes as the message.
> >>>>>
> >>>> Making that change would eliminate any possibility of separation of cgi
> >>>> data from php data. IE If I only want my cgi scripts/processes to be
> >>>> able to read my data, it is easy to do now. But with your change, any
> >>>> script that does not cause a transition can now access my data.
> >>>>
> >>>> I would prefer an
> >>>>
> >>>> apache_can_read(httpd_awstats_content_t)
> >>> But if you want to hide data from other scripts you normally use
> >>> httpd_$1_script_ro_t or httpd_$1_script_rw_t. The policy of the template
> >>> does not have any allow rules to read httpd_$1_content_t (except two
> >>> search_dir_perms which does not count). This means that even
> >>> httpd_$1_script_t can't read httpd_$1_content_t. So what's the purpose of
> >>> httpd_$1_content_t really? I can't see it.
> >>>
> >> You are right. Those rules are missing and should be added.
> >>
> >> read_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t)
> >> read_lnk_files_pattern(httpd_$1_script_t, httpdcontent, httpd_$1_content_t)
> >
> > I'm sorry but I'm still not convinced.
> >
> > This would mean we have two types:
> > - httpd_$1_content_t
> > - httpd_$1_script_ro_t
> > which have the same allow rules and the same meaning. No real difference
> > (after adding your allow rules).
> >
> > And a comment from the apache_content_template indicates that there is
> > something wrong with your definition:
> >
> > # The following three are the only areas that
> > # scripts can read, read/write, or append to
> >
> > After this comment allow rules follow for ro/rw and append types.
> >
> > I still believe that the initial purpose of httpd_$1_content_t was to
> > allow httpd_t to read files/dirs. Otherwise httpd_$1_script_ro_t could
> > be used. Or even httpd_$1_content_t is a duplicate and could be removed.
> >
> Yes you might be right.
> I would say httpd_$1_script_ro_t should go away and be an alias of
> httpd_$1_content_t. Then allow httpd_$1_script_t read on all
> files/directories/lnk_files. Labeling a directory httpd_$1_script_ro_t
> and putting rw_t content in it seems strange.
>
> But there is a boolean to allow httpd to read script specific content.
>
> httpd_builtin_scripting
>
> Which if we changed the httpd_$1_script_ro_t would fix the problem.
>

Another problem came up. httpd_t should have at least search permissions
for httpd_$1_content_t because otherwise httpd_t could not read
httpd_$1_htaccess_t files.

The following rule exists:

allow httpd_t httpd_$1_htaccess_t:file read_file_perms;

I would suggest changing this allow rule to read_files_pattern().

A small example should summarize the problem:

/var/www.myWiki <- is labeled as httpd_myWiki_content_t
/var/www.myWiki/config/.htaccess <- is labeled as httpd_myWiki_htaccess_t

httpd_t could not read the htaccess file because it does not have search
permissions for /var/www.myWiki.

Another example would be:

/usr/share/awstats/wwwroot <- labeled as httpd_awstats_content_t
/usr/share/awstats/wwwroot/cgi-bin <- labeled as httpd_awstats_script_exec_t
/usr/share/awstats/wwwroot/icon <- labeled as httpd_sys_content_t

This would work if httpd_t has search permissions because httpd_t can scroll
through /usr/share/awstats/wwwroot and then into icon.

The search permissions and the correct labeling of e.g.
/usr/share/awstats/wwwroot/icon as httpd_sys_content_t would also eliminate
the need of apache_can_read().
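As an added illustration, not part of the thread or of the reference policy: a small Python model of the path walk argued above, showing that a bare read_file_perms rule on the .htaccess type is useless while httpd_t lacks dir:search on the httpd_$1_content_t parent, and that the read_files_pattern() form (or a search rule on the awstats content directory) closes the gap. The macro expansions are simplified, and the types of the generic parents (var_t, usr_t) and of the config subdirectory are assumptions; the paths and content types are the ones from the two examples in the mail.

```python
# Toy SELinux path-walk model for the two layouts above (constructed example).
# Permission sets are simplified refpolicy macros (assumption: no 'open' yet).
SEARCH_DIR_PERMS = {"getattr", "search"}
READ_FILE_PERMS = {"getattr", "read", "lock", "ioctl"}

def allow(rules, src, tgt, cls, perms):
    rules.setdefault((src, tgt, cls), set()).update(perms)  # allow src tgt:cls { perms };

def read_files_pattern(rules, src, dir_t, file_t):
    """Expansion of read_files_pattern(): dir search plus file read."""
    allow(rules, src, dir_t, "dir", SEARCH_DIR_PERMS)
    allow(rules, src, file_t, "file", READ_FILE_PERMS)

def can_read(rules, labels, dom, path):
    """Each ancestor dir needs dir:search, the leaf file:read ('/' itself not modelled)."""
    parts, cur = path.strip("/").split("/"), ""
    for name in parts[:-1]:
        cur += "/" + name
        if "search" not in rules.get((dom, labels[cur], "dir"), set()):
            return False, f"denied {{ search }} on {cur} ({labels[cur]})"
    if "read" not in rules.get((dom, labels[path], "file"), set()):
        return False, f"denied {{ read }} on {path} ({labels[path]})"
    return True, "granted"

# Constructed labelling of both trees; generic parents and 'config' carry assumed types.
LABELS = {"/var": "var_t", "/usr": "usr_t", "/usr/share": "usr_t", "/usr/share/awstats": "usr_t",
          "/var/www.myWiki": "httpd_myWiki_content_t", "/var/www.myWiki/config": "httpd_myWiki_content_t",
          "/var/www.myWiki/config/.htaccess": "httpd_myWiki_htaccess_t",
          "/usr/share/awstats/wwwroot": "httpd_awstats_content_t",
          "/usr/share/awstats/wwwroot/icon": "httpd_sys_content_t",
          "/usr/share/awstats/wwwroot/icon/logo.png": "httpd_sys_content_t"}
HTACCESS = "/var/www.myWiki/config/.htaccess"
ICON = "/usr/share/awstats/wwwroot/icon/logo.png"

def base_rules():
    """Rules the thread says exist today, plus search on the generic parents."""
    r = {}
    for t in ("var_t", "usr_t"):
        allow(r, "httpd_t", t, "dir", SEARCH_DIR_PERMS)
    read_files_pattern(r, "httpd_t", "httpd_sys_content_t", "httpd_sys_content_t")
    allow(r, "httpd_t", "httpd_myWiki_htaccess_t", "file", READ_FILE_PERMS)  # read_file_perms only
    return r

def fixed_rules():
    """The change argued for above: read_files_pattern() for .htaccess, search on awstats content."""
    r = base_rules()
    read_files_pattern(r, "httpd_t", "httpd_myWiki_content_t", "httpd_myWiki_htaccess_t")
    allow(r, "httpd_t", "httpd_awstats_content_t", "dir", SEARCH_DIR_PERMS)
    return r
```

Running can_read() with base_rules() reproduces the denial at /var/www.myWiki and at /usr/share/awstats/wwwroot; with fixed_rules() both paths are granted.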