SELinux and CGI scripts

Dear SELinux folks,


The default policy of a Debian Squeeze system seems to prevent the CGI
script [1] of ikiwiki [2] from working properly.

        type=AVC msg=audit(1310482485.480:79759): avc:  denied  { rlimitinh } for  pid=13522 comm="ikiwiki.cgi" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
        type=AVC msg=audit(1310482485.480:79759): avc:  denied  { siginh } for  pid=13522 comm="ikiwiki.cgi" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
        type=AVC msg=audit(1310482485.480:79759): avc:  denied  { noatsecure } for  pid=13522 comm="ikiwiki.cgi" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
        type=SYSCALL msg=audit(1310482485.480:79759): arch=c000003e syscall=59 success=yes exit=0 a0=7f20c1b809d8 a1=7f20c1b7d648 a2=7f20c1b7d660 a3=0 items=0 ppid=13518 pid=13522 auid=4294967295 uid=33 gid=33 euid=105 suid=105 fsuid=105 egid=105 sgid=105 fsgid=105 tty=(none) ses=4294967295 comm="ikiwiki.cgi" exe="/www/cgi-bin/ikiwiki.cgi" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
        type=AVC msg=audit(1310482491.360:79760): avc:  denied  { rlimitinh } for  pid=13534 comm="ikiwiki.cgi" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
        type=AVC msg=audit(1310482491.360:79760): avc:  denied  { siginh } for  pid=13534 comm="ikiwiki.cgi" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
        type=AVC msg=audit(1310482491.360:79760): avc:  denied  { noatsecure } for  pid=13534 comm="ikiwiki.cgi" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
        type=SYSCALL msg=audit(1310482491.360:79760): arch=c000003e syscall=59 success=yes exit=0 a0=7f20c1b80b10 a1=7f20c1b877f0 a2=7f20c1b87808 a3=0 items=0 ppid=13518 pid=13534 auid=4294967295 uid=33 gid=33 euid=105 suid=105 fsuid=105 egid=105 sgid=105 fsgid=105 tty=(none) ses=4294967295 comm="ikiwiki.cgi" exe="/www/cgi-bin/ikiwiki.cgi" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
        type=AVC msg=audit(1310482491.810:79761): avc:  denied  { getattr } for  pid=13534 comm="ikiwiki" path="/etc/resolv.conf" dev=xvda ino=496312 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
        type=SYSCALL msg=audit(1310482491.810:79761): arch=c000003e syscall=4 success=no exit=-131939282133032 a0=3a2eb00 a1=21de130 a2=21de130 a3=2839b70 items=0 ppid=13518 pid=13534 auid=4294967295 uid=105 gid=105 euid=105 suid=105 fsuid=105 egid=105 sgid=105 fsgid=105 tty=(none) ses=4294967295 comm="ikiwiki" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)

I could use the provided tools to allow those accesses.

        $ sudo cat /var/log/audit/audit.log | audit2why
        
        […]
        
        type=AVC msg=audit(1310343668.084:76067): avc:  denied  { rlimitinh } for  pid=28841 comm="ikiwiki.cgi" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
        
                Was caused by:
                        Missing type enforcement (TE) allow rule.
        
                        You can use audit2allow to generate a loadable module to allow this access.
        
        type=AVC msg=audit(1310343668.084:76067): avc:  denied  { siginh } for  pid=28841 comm="ikiwiki.cgi" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
        
                Was caused by:
                        Missing type enforcement (TE) allow rule.
        
                        You can use audit2allow to generate a loadable module to allow this access.
        
        type=AVC msg=audit(1310343668.084:76067): avc:  denied  { noatsecure } for  pid=28841 comm="ikiwiki.cgi" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
        
                Was caused by:
                        Missing type enforcement (TE) allow rule.
        
                        You can use audit2allow to generate a loadable module to allow this access.
        
        […]

        $ sudo cat /var/log/audit/audit.log | audit2allow -l -m local
        
        #============= httpd_sys_script_t ==============
        allow httpd_sys_script_t devlog_t:sock_file getattr;
        allow httpd_sys_script_t net_conf_t:file getattr;
        allow httpd_sys_script_t user_home_dir_t:dir search;
        
        #============= httpd_t ==============
        allow httpd_t httpd_sys_script_t:process { siginh rlimitinh noatsecure };

But I want to make sure first what the recommended way is.

1. Am I right that the default behaviour is very strict and that
allowing exceptions for certain programs is needed?
2. What is the reason that `getattr` is not allowed by default for
scripts having the `httpd_sys_script_t` attribute(?)?
3. If you have time, do you think the above exceptions sound
sane/secure?
4. Is there a write-up on how to configure SELinux on web servers?


Thanks,

Paul


[1] https://secure.wikimedia.org/wikipedia/en/wiki/Common_Gateway_Interface
[2] http://ikiwiki.info/
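The following is an added example, not part of Paul's message or of the ikiwiki or SELinux projects. It does by hand what `audit2allow -m local` did above: it parses `type=AVC` records, groups the denied permissions by (source type, target type, object class) and renders a complete `.te` module with its `require` block. It additionally joins each AVC record to the `type=SYSCALL` record carrying the same `audit(timestamp:serial)` event id, so one can see which denials actually made a system call fail. The sample log is a constructed, shortened copy of the records quoted in the post; the function and variable names are the example's own.

```python
"""Group SELinux AVC denials into candidate TE allow rules.

Added example (not from the original post or the SELinux tools).
Mirrors audit2allow's grouping and also correlates every AVC record
with its SYSCALL record so the caller can tell denials that failed a
system call from denials that did not.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the records quoted in the post
# (shortened: register dumps and a few fields dropped, exit=-13 assumed).
SAMPLE_LOG = """\
type=AVC msg=audit(1310482491.360:79760): avc:  denied  { rlimitinh } for  pid=13534 comm="ikiwiki.cgi" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1310482491.360:79760): avc:  denied  { siginh } for  pid=13534 comm="ikiwiki.cgi" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1310482491.360:79760): avc:  denied  { noatsecure } for  pid=13534 comm="ikiwiki.cgi" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=SYSCALL msg=audit(1310482491.360:79760): arch=c000003e syscall=59 success=yes exit=0 items=0 ppid=13518 pid=13534 uid=33 gid=33 euid=105 comm="ikiwiki.cgi" exe="/www/cgi-bin/ikiwiki.cgi" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1310482491.810:79761): avc:  denied  { getattr } for  pid=13534 comm="ikiwiki" path="/etc/resolv.conf" dev=xvda ino=496312 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=SYSCALL msg=audit(1310482491.810:79761): arch=c000003e syscall=4 success=no exit=-13 items=0 ppid=13518 pid=13534 uid=105 gid=105 euid=105 comm="ikiwiki" exe="/usr/bin/perl" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<event>[\d.]+:\d+)\): avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(
    r"^type=SYSCALL msg=audit\((?P<event>[\d.]+:\d+)\):.*?\bsuccess=(?P<success>yes|no)\b"
)


def _type_of(context):
    """system_u:system_r:httpd_t:s0 -> httpd_t (third field of a context)."""
    return context.split(":")[2]


def parse_audit(text):
    """Return {(source_type, target_type, tclass): {"perms": set, "failed": bool}}.

    "failed" is True when any SYSCALL record sharing an event id with
    the AVC records of that group reports success=no.
    """
    event_failed = {}  # event id -> did the syscall fail?
    avcs = []
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            event_failed[m["event"]] = m["success"] == "no"
            continue
        m = AVC_RE.match(line)
        if m:
            avcs.append(m)
    # SYSCALL records follow their AVC records, so join after both passes.
    denials = defaultdict(lambda: {"perms": set(), "failed": False})
    for m in avcs:
        key = (_type_of(m["scon"]), _type_of(m["tcon"]), m["tclass"])
        denials[key]["perms"].update(m["perms"].split())
        if event_failed.get(m["event"], False):
            denials[key]["failed"] = True
    return dict(denials)


def allow_rules(denials):
    """Render audit2allow-style TE rules, one per (source, target, class)."""
    rules = []
    for (stype, ttype, tclass), entry in sorted(denials.items()):
        perms = sorted(entry["perms"])
        perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_txt};")
    return rules


def failed_rules(denials):
    """Only the rules whose denial actually made a system call fail."""
    return allow_rules({k: v for k, v in denials.items() if v["failed"]})


def policy_module(denials, name="local", version="1.0"):
    """Build a complete .te module: header, require block, allow rules."""
    types = set()
    classes = defaultdict(set)
    for (stype, ttype, tclass), entry in denials.items():
        types.update((stype, ttype))
        classes[tclass].update(entry["perms"])
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    d = parse_audit(SAMPLE_LOG)
    print(policy_module(d))
    print("# denials that made a system call fail:")
    for rule in failed_rules(d):
        print("#   " + rule)
```

On the sample the `execve` (syscall 59) that triggered the `rlimitinh`, `siginh` and `noatsecure` denials reports `success=yes`, while the `getattr` on `/etc/resolv.conf` reports `success=no`; only the latter rule comes back from `failed_rules()`. That matches how the kernel treats the process-inheritance permissions on a domain transition: when they are denied it sanitises the new process (resets resource limits, flushes signal state, sets `AT_SECURE`) instead of refusing the exec, so those three denials are noise rather than the cause of the breakage and are normally covered by `dontaudit` rather than `allow`. The generated `.te` text is compiled and loaded with the standard toolchain, `checkmodule -M -m -o local.mod local.te`, `semodule_package -o local.pp -m local.mod`, `semodule -i local.pp`; review each rule before loading, since an `allow` written from a denial grants exactly what the denied program asked for.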


