AVC question

Daniel J Walsh dwalsh at redhat.com
Mon Jan 14 17:04:45 UTC 2013


On 01/11/2013 11:34 AM, David Highley wrote:
> "Daniel J Walsh wrote:"
>> 
> On 01/09/2013 05:22 PM, Dominick Grift wrote:
>>>> On Wed, 2013-01-09 at 13:35 -0800, David Highley wrote:
>>>>> "Daniel J Walsh wrote:"
>>>>>> 
>>>> On 01/08/2013 11:28 PM, David Highley wrote:
>>>>>>>> I get the following avc from using mythtv's web interface.
>>>>>>>> 
>>>>>>>> ----
>>>>>>>> time->Tue Jan  8 19:14:57 2013
>>>>>>>> type=SYSCALL msg=audit(1357701297.336:4077): arch=c000003e syscall=109
>>>>>>>> success=no exit=-13 a0=0 a1=0 a2=1340cb0 a3=0 items=0 ppid=5777 pid=8018
>>>>>>>> auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
>>>>>>>> fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl"
>>>>>>>> subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
>>>>>>>> type=AVC msg=audit(1357701297.336:4077): avc:  denied  { setpgid } for
>>>>>>>> pid=8018 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0
>>>>>>>> tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
>>>>>>>> ----
>>>>>>>> time->Tue Jan  8 19:17:56 2013
>>>>>>>> type=SYSCALL msg=audit(1357701476.763:4085): arch=c000003e syscall=109
>>>>>>>> success=no exit=-13 a0=0 a1=0 a2=22c5b10 a3=0 items=0 ppid=5774 pid=8113
>>>>>>>> auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
>>>>>>>> fsgid=48 tty=(none) ses=4294967295 comm="mythweb.pl" exe="/usr/bin/perl"
>>>>>>>> subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
>>>>>>>> type=AVC msg=audit(1357701476.763:4085): avc:  denied  { setpgid } for
>>>>>>>> pid=8113 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0
>>>>>>>> tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
>>>>>>>> 
>>>>>>>> I checked the script:
>>>>>>>> 
>>>>>>>> ls -Z /usr/share/mythweb/mythweb.pl
>>>>>>>> -rwxr-xr-x. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /usr/share/mythweb/mythweb.pl
>>>>>>>> 
>>>>>>>> Should I need to define the following?
>>>>>>>> 
>>>>>>>> require {
>>>>>>>>         type httpd_sys_script_t;
>>>>>>>>         class process setpgid;
>>>>>>>> }
>>>>>>>> 
>>>>>>>> #============= httpd_sys_script_t ==============
>>>>>>>> allow httpd_sys_script_t self:process setpgid;
>>>>>>>> 
>>>>>>>> -- 
>>>>>>>> selinux mailing list
>>>>>>>> selinux at lists.fedoraproject.org
>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>>>>>> 
>>>>>>>> 
>>>> Yes, although I guess the question is whether we should allow this
>>>> by default. What risk do we have from allowing cgi scripts the ability
>>>> to call setpgid?
>>>>>> 
>>>>>> The only information I could find were previous
>>>>>> bugzilla.redhat.com reports which seemed to recommend local
>>>>>> policy and a 2003 SANS Institute report titled, Global
>>>>>> Information Assurance Certification Paper which seemed to
>>>>>> indicate allowing it. Oh, and I did ask one of our information
>>>>>> assurance people who did not know if there were any issues.
>>>>>> 
>>>> 
>>>>> we do not have to run mythweb.pl in httpd_sys_script_t domain:
>>>>> 
>>>>> echo "policy_module(mymythweb, 1.0.0)
>>>>> apache_content_template(mymythweb)
>>>>> allow httpd_mymythweb_script_t self:process setpgid;" > mymythweb.te
>>>>> 
>>>>> echo "/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:httpd_mymythweb_script_exec_t,s0)" > mymythweb.fc
>>>>> 
>>>>> make -f /usr/share/selinux/devel/Makefile mymythweb.pp
>>>>> sudo semodule -i mymythweb.pp
>>>>> sudo restorecon -v /usr/share/mythweb/mythweb.pl
>>>> 
>>>> 
> 
> Seems like an idea, not sure what mythweb does?  Where is its content
> stored?
> 
>> It is the web interface to mythtv, which I believe there is already
>> previous selinux policy for. The scripts are located in
>> /usr/share/mythweb. Should I open a bug report? Which approach should I
>> recommend in the report?
> 
> 

Yes, a bug report would be good, with a description of what files need to be
written by the cgi scripts.

Basically I would like to write a policy type httpd_mythtv_script_t and then
add appropriate rules and types for files this type might need to write to.

/var/log?  /var/lib? /run? /var?  ...

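
As an added example (not code from the thread, from audit2allow or from the reference policy), a small Python helper that does for the denials above what audit2allow did for David: it parses AVC records (the two from the thread, embedded here as constructed audit.log lines), merges permissions per source type, target type and class, emits `self` when source and target types match, and rewrites the source type to the dedicated httpd_mymythweb_script_t domain that Dominick's apache_content_template(mymythweb) module declares. The file-write rules Dan asks about are not guessed here; they would come from further denials fed through the same path.

```python
import re

# Constructed sample: the two denials quoted in the thread, as audit.log lines.
SAMPLE_AVCS = """\
type=AVC msg=audit(1357701297.336:4077): avc:  denied  { setpgid } for  pid=8018 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1357701476.763:4085): avc:  denied  { setpgid } for  pid=8113 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Type field of a user:role:type[:level] SELinux context string."""
    return context.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"],
                   frozenset(m["perms"].split()))

def allow_rules(denials, rename=None):
    """Merge denials into allow rules; rename maps old type names to new ones."""
    rename = rename or {}
    merged = {}
    for src, tgt, cls, perms in denials:
        src, tgt = rename.get(src, src), rename.get(tgt, tgt)
        merged.setdefault((src, tgt, cls), set()).update(perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt  # same type on both sides -> self
        plist = sorted(perms)
        perm = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {src} {target}:{cls} {perm};")
    return rules

def mymythweb_module(avc_text, name="mymythweb"):
    """Build the .te body, moving rules into the apache_content_template domain."""
    domain = f"httpd_{name}_script_t"
    rules = allow_rules(parse_denials(avc_text), rename={"httpd_sys_script_t": domain})
    return "\n".join([f"policy_module({name}, 1.0.0)",
                      f"apache_content_template({name})", *rules]) + "\n"
```

Each generated rule still deserves the review Dan asks for in the thread: a denial shows what the script attempted, not whether the access is safe to grant.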

