On Tue, 2009-03-31 at 15:16 +1000, Scott Radvan wrote:

I am going to use this thread to just share any thoughts I have with regards to this.

>
> o allow_httpd_anon_write
> This Boolean is off by default, allowing httpd only read access to
> files labeled with the public_content_rw_t type. Enabling this Boolean
> will allow httpd to write to files labeled with the public_content_rw_t
> type, such as a public directory containing files for a public file
> transfer service.
>
> o allow_httpd_mod_auth_ntlm_winbind
> This Boolean is off by default. Enabling it will allow access to NTLM
> and Winbind authentication mechanisms via the mod_auth_ntlm_winbind
> module in httpd.
>
> o allow_httpd_mod_auth_pam
> This Boolean is off by default. Enabling it will allow access to PAM
> authentication mechanisms via the mod_auth_pam module in httpd.
>
> o allow_httpd_sys_script_anon_write
> This Boolean is off by default. It defines whether or not HTTP scripts
> are allowed write access to files labeled with the public_content_rw_t
> type, as used in a public file transfer service.
>
> o httpd_builtin_scripting
> This Boolean is on by default, allowing httpd scripting. Having this
> Boolean enabled is often required for PHP content.

It allows:

1. httpd_t to manage templated httpd rw content,
2. httpd_t to read templated httpd ra content,
3. httpd_t to read templated httpd content,

	# Allow the web server to run scripts and serve pages
	tunable_policy(`httpd_builtin_scripting',`
		manage_dirs_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
		manage_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
		manage_lnk_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)
		rw_sock_files_pattern(httpd_t, httpd_$1_content_rw_t, httpd_$1_content_rw_t)

		allow httpd_t httpd_$1_content_ra_t:dir { list_dir_perms add_entry_dir_perms };
		read_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
		append_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_content_ra_t, httpd_$1_content_ra_t)

		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)

		allow httpd_t httpd_$1_content_t:dir list_dir_perms;
		read_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
		read_lnk_files_pattern(httpd_t, httpd_$1_content_t, httpd_$1_content_t)
	')

I think this is a bug in policy, or at least that this boolean is too coarse.
With this boolean set to false, httpd_t cannot read httpd_user_content_t.
Basically what it means is that you cannot use httpd userdirs (httpd_enable_userdirs) without scripting enabled.

> o httpd_can_network_connect
> This Boolean is off by default, preventing HTTP scripts and modules
> from initiating a connection to a network or remote port. Turn this
> Boolean on to allow this access.
>
> o httpd_can_network_connect_db
> This Boolean is off by default, preventing HTTP scripts and modules
> from initiating a connection to database servers. Turn this Boolean on
> to allow this access.
>
> o httpd_can_network_relay
> Turn this Boolean on when httpd is being used as a forward or
> reverse proxy.
>
> o httpd_can_sendmail
> This Boolean is off by default, preventing HTTP modules from sending
> mail. This can prevent spam attacks should a vulnerability be found in
> httpd. Turn this Boolean on to allow HTTP modules to send mail.
>
> o httpd_dbus_avahi
> This Boolean is off by default, denying httpd access to the avahi
> service via dbus. Turn this Boolean on to allow this access.
>
> o httpd_enable_cgi
> By default, SELinux prevents httpd from executing CGI scripts. Turn
> this Boolean on to allow httpd to execute CGI scripts (CGI scripts must
> be labeled with the httpd_sys_script_exec_t type).

1. It creates an entrypoint for templated httpd domains and their executable files
2. It allows httpd_t to domain transition to templated httpd domains
3. It allows templated httpd domains basic permissions to run.

	tunable_policy(`httpd_enable_cgi',`
		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;

		# privileged users run the script:
		domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
		allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;

		# apache runs the script:
		domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
		allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
		allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
		allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;

		allow httpd_$1_script_t self:process { setsched signal_perms };
		allow httpd_$1_script_t self:unix_stream_socket create_stream_socket_perms;

		allow httpd_$1_script_t httpd_t:fd use;
		allow httpd_$1_script_t httpd_t:process sigchld;

		kernel_read_system_state(httpd_$1_script_t)
		dev_read_urand(httpd_$1_script_t)
		fs_getattr_xattr_fs(httpd_$1_script_t)
		files_read_etc_runtime_files(httpd_$1_script_t)
		files_read_usr_files(httpd_$1_script_t)
		libs_read_lib_files(httpd_$1_script_t)
		miscfiles_read_localization(httpd_$1_script_t)
	')

So it is not only for httpd_sys_script_exec_t but, for example, also for httpd_user_script_exec_t or any other httpd domain created with apache_content_template or declared as apache_domain().
Also it is specifically responsible for domain transitions.

> o httpd_enable_ftp_server
> Turning this Boolean on will allow httpd to listen on the FTP port and
> act as an FTP server.
>
> o httpd_enable_homedirs
> By default, SELinux prevents httpd from accessing user home
> directories. Turn this Boolean on to allow httpd access to user home
> directories, for example, /home/*/public_html/.

All it does is allow httpd_t to search /home/*/ for httpd content:

	tunable_policy(`httpd_enable_homedirs',`
		userdom_search_user_home_dirs(httpd_t)
		userdom_search_user_home_dirs(httpd_suexec_t)
		userdom_search_user_home_dirs(httpd_user_script_t)
	')

This does not actually allow httpd_t to read httpd_user_content_t (that requires the httpd_builtin_scripting boolean to be set).

> o httpd_execmem

	tunable_policy(`httpd_execmem',`
		allow httpd_t self:process { execmem execstack };
		allow httpd_sys_script_t self:process { execmem execstack };
		allow httpd_suexec_t self:process { execmem execstack };
	')

Note that it also allows execstack.
Note that it allows it also for httpd_sys_script_t.
Note that it *does not* allow it for httpd_user_script_t (or any other templated httpd script).

>
> o httpd_ssi_exec
> Off by default, this Boolean makes sure that httpd can only execute
> shell scripts that have the shell_exec_t type assigned to them.
> Enabling this Boolean will allow httpd to execute any script.
>
> o httpd_tty_comm
> This Boolean defines whether or not httpd is allowed access to the
> controlling terminal. Usually this access is not required; however, in
> cases such as configuring an SSL certificate file, terminal access is
> required to display and process a password prompt.
>
> o httpd_unified
> This Boolean is off by default; turning it on will allow all httpd
> executables to have full access to all content labeled with http file
> context. Leaving it off ensures that one httpd service cannot
> interfere with another, limiting the opportunity for a privilege
> escalation vulnerability.

I think this boolean needs a good thorough review. I do not think it works properly, but I might be wrong.

> o httpd_use_cifs
> Turn this Boolean on to allow httpd access to files on CIFS file
> systems that are labeled with the cifs_t type, such as file systems
> mounted via Samba.
>
> o httpd_use_nfs
> Turn this Boolean on to allow httpd access to files on NFS file systems
> that are labeled with the nfs_t type, such as file systems mounted via
> NFS.
>
>
> All comments are more than welcome! Again, thank you.
>
>
>
> [1] - https://fedorahosted.org/managing-confined-services/
> [2] - http://people.redhat.com/drepper/selinux-mem.html
>
>
> Cheers,
>
> --

This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
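As an added example (not part of this thread and not code from the reference policy), the following POSIX shell script audits a host's httpd booleans for the couplings discussed above: httpd_enable_homedirs switched on while httpd_builtin_scripting is off (httpd_t then cannot read httpd_user_content_t), httpd_execmem also granting execstack, and the broad booleans httpd_ssi_exec, httpd_unified and allow_httpd_anon_write being on. It reads lines in the "name --> on/off" format that getsebool -a prints; the sample output embedded below is constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: audit httpd SELinux booleans for the couplings noted in the thread.
# Input is text in `getsebool -a` format ("boolean_name --> on").

# Constructed sample standing in for `getsebool -a` on a host where userdirs
# are enabled but built-in scripting has been switched off.
SAMPLE_GETSEBOOL='allow_httpd_anon_write --> off
httpd_builtin_scripting --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> on
httpd_execmem --> on
httpd_ssi_exec --> off
httpd_unified --> off'

# bool_state NAME TEXT: print "on" or "off" for NAME, or "unknown" if absent
bool_state() {
  printf '%s\n' "$2" | awk -v n="$1" '
    $1 == n && $2 == "-->" { print $3; found = 1 }
    END { if (!found) print "unknown" }'
}

# audit_httpd_booleans TEXT: print one finding per line (nothing if clean)
audit_httpd_booleans() {
  scripting=$(bool_state httpd_builtin_scripting "$1")
  homedirs=$(bool_state httpd_enable_homedirs "$1")
  execmem=$(bool_state httpd_execmem "$1")
  ssi=$(bool_state httpd_ssi_exec "$1")
  unified=$(bool_state httpd_unified "$1")
  anonw=$(bool_state allow_httpd_anon_write "$1")

  # homedirs only grants search on /home/*; the read access to
  # httpd_user_content_t comes from httpd_builtin_scripting
  if [ "$homedirs" = on ] && [ "$scripting" = off ]; then
    echo "httpd_enable_homedirs=on but httpd_builtin_scripting=off: httpd_t cannot read httpd_user_content_t"
  fi
  # execmem also grants execstack to httpd_t, httpd_sys_script_t and httpd_suexec_t
  if [ "$execmem" = on ]; then
    echo "httpd_execmem=on: also grants execstack (httpd_t, httpd_sys_script_t, httpd_suexec_t)"
  fi
  if [ "$ssi" = on ]; then
    echo "httpd_ssi_exec=on: httpd may execute scripts of any type, not only shell_exec_t"
  fi
  if [ "$unified" = on ]; then
    echo "httpd_unified=on: every httpd executable gets full access to all httpd content"
  fi
  if [ "$anonw" = on ]; then
    echo "allow_httpd_anon_write=on: httpd may write files labeled public_content_rw_t"
  fi
  return 0
}

# count_findings TEXT: number of findings, handy for scripting around the audit
count_findings() {
  audit_httpd_booleans "$1" | wc -l | tr -d ' '
}

# Run against the constructed sample. On a real host:
#   audit_httpd_booleans "$(getsebool -a)"
audit_httpd_booleans "$SAMPLE_GETSEBOOL"
```

On the sample input the audit reports two findings: the homedirs/scripting mismatch and execmem implying execstack. Booleans missing from the input come back as "unknown" and raise no finding, so the script can be pointed at a filtered list (for example getsebool -a | grep '^httpd_') without false positives.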