On Tue, 2011-07-12 at 17:03 +0200, Paul Menzel wrote:

> […]
>
>         $ sudo cat /var/log/audit/audit.log | audit2allow -l -m local
>
>         #============= httpd_sys_script_t ==============
>         allow httpd_sys_script_t devlog_t:sock_file getattr;
>         allow httpd_sys_script_t net_conf_t:file getattr;
>         allow httpd_sys_script_t user_home_dir_t:dir search;
>
>         #============= httpd_t ==============
>         allow httpd_t httpd_sys_script_t:process { siginh rlimitinh noatsecure };
>
> But I want to make sure first what the recommended way is.
>
> 1. Am I right that the default behavior is very strict and that
> allowing exceptions for certain programs is needed?

The system script domain has only limited access, yes. I would probably not modify the system script domain but instead create a new script domain tailored to your script's requirements using apache_content_template() and then extend that to your script's requirements.

> 2. What is the reason that `getattr` is not by default allowed for
> scripts having the `httpd_sys_script_t` attribute(?)?

Basically "least privilege", I guess. If the system script isn't supposed to be able to "sysnet read config" then there is no need to allow it to get attributes of files with type net_conf_t. Same for "logging_send_syslog_msg": if the script is not supposed to be able to send syslog msgs then there is no need to allow it to get attributes of the devlog_t sock file.

> 3. If you have time, do you think the above exceptions sound
> sane/secure?

I guess your webapp may at some point want to connect to the network (because it's trying to read resolv.conf, probably?). Besides that, it seems your webapp wants to send messages to syslog. It also seems to want to search user home directories (why? what business does it have there?).

The following does not have to be allowed:

        allow httpd_t httpd_sys_script_t:process { siginh rlimitinh noatsecure };

> 4. Is there a write up how to configure SELinux on Web servers?

Google for "Fedora managing confined services".

> Thanks,

Here is what a module would look like:

        mkdir ~/myapp; cd ~/myapp
        echo "policy_module(myapp, 1.0.0)
        apache_content_template(myapp)
        sysnet_read_config(httpd_myapp_script_t)
        logging_send_syslog_msg(httpd_myapp_script_t)" > myapp.te
        make -f /usr/share/selinux/devel/Makefile myapp.pp
        sudo semodule -i myapp.pp
        chcon -t httpd_myapp_script_exec_t /path/to/myapp.cgi

If your app is supposed to be able to search user home dirs then you can try:

        setsebool -P httpd_enable_homedirs on

> Paul
>
>
> [1] https://secure.wikimedia.org/wikipedia/en/wiki/Common_Gateway_Interface
> [2] http://ikiwiki.info/
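An added example, not part of this thread: a small Python script that parses constructed AVC records like the ones behind the audit2allow output above and turns them into the interface-based module the reply recommends, instead of raw allow rules against the system script domain. The sample log lines, the interface mapping and the function names are assumptions made here; denials with no obvious interface (the user_home_dir_t search) are returned for a human decision rather than silently allowed.

```python
import re
# Constructed sample AVC records (not from the thread), modelled on the
# denials behind the audit2allow output quoted above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1310483400.101:201): avc:  denied  { getattr } for  pid=2301 comm="myapp.cgi" path="/dev/log" dev=tmpfs ino=12 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file
type=AVC msg=audit(1310483400.102:202): avc:  denied  { getattr } for  pid=2301 comm="myapp.cgi" path="/etc/resolv.conf" dev=sda1 ino=34 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1310483400.103:203): avc:  denied  { search } for  pid=2301 comm="myapp.cgi" name="/home" dev=sda1 ino=2 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1310483400.104:204): avc:  denied  { siginh rlimitinh noatsecure } for  pid=2300 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=\w+:\w+:(?P<sdomain>\w+):\S+ "
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)"
)
# Refpolicy interfaces the reply names in place of the raw allow rules
# (mapping assumed here; extend it as you identify further interfaces).
INTERFACE_FOR = {
    ("net_conf_t", "file", "getattr"): "sysnet_read_config",
    ("devlog_t", "sock_file", "getattr"): "logging_send_syslog_msg",
}
# Process-inheritance permissions the reply says need not be allowed.
NOISE_PERMS = {"siginh", "rlimitinh", "noatsecure"}

def parse_denials(log_text):
    """Yield (source domain, target type, class, permission) per AVC record."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            for perm in m.group("perms").split():
                yield m.group("sdomain"), m.group("ttype"), m.group("tclass"), perm

def build_te(log_text, module="myapp", version="1.0.0"):
    """Return (.te text for a tailored script domain, denials left to decide)."""
    script_domain = "httpd_%s_script_t" % module
    lines = ["policy_module(%s, %s)" % (module, version),
             "apache_content_template(%s)" % module]
    unresolved = []  # e.g. user_home_dir_t search: a boolean or a design question
    for sdomain, ttype, tclass, perm in parse_denials(log_text):
        if perm in NOISE_PERMS:
            continue
        iface = INTERFACE_FOR.get((ttype, tclass, perm))
        if sdomain == "httpd_sys_script_t" and iface:
            call = "%s(%s)" % (iface, script_domain)
            if call not in lines:  # one interface call per need, no duplicates
                lines.append(call)
        else:
            unresolved.append((sdomain, ttype, tclass, perm))
    return "\n".join(lines) + "\n", unresolved
```

Running build_te(SAMPLE_AUDIT_LOG) yields the same myapp.te as the reply's echo command, and reports the home-directory search as the one denial that the boolean httpd_enable_homedirs, not a new allow rule, should decide.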